THE SPRAWL

    TNS (Transparent Network Substrate) is the protocol Oracle clients use to talk to the Oracle RDBMS. It is independent of the underlying transport and runs over a number of lower-level protocols such as TCP/IP, IPX/SPX, IPC, and Named Pipes.

    A TNS packet consists of a fixed-size 8-byte header followed by a payload whose layout depends on the packet type.

    Header

    0      8       16            31 
    +--------------+--------------+ 
    | Packet Length| Packet Chksm |  
    +------+-------+--------------+   8 byte header
    | Type | Rsrvd | Header Chksm |  
    +------+-------+--------------+ 
    |        P A Y L O A D        |
    +-----------------------------+
    

    Neither checksum is generated by default; both fields are left as 0x0000, as in all of the captures below.

    Below is the listing of different TNS packet types:

    Type  Description
    ----  -----------
       1  Connect
       2  Accept
       3  ACK
       4  Refuse
       5  Redirect
       6  Data
       7  NULL
       8  (not used)
       9  ABORT
      10  (not used)
      11  Resend
      12  Marker
      13  Attention
      14  Control

    Payload

    Connect

    Transparent Network Substrate Protocol
        Packet Length: 254
        Packet Checksum: 0x0000
        Packet Type: Connect (1)
        Reserved Byte: 00
        Header Checksum: 0x0000
        Connect
            Version: 313
            Version (Compatible): 300
            Service Options: 0x0000
            Session Data Unit Size: 2048
            Maximum Transmission Data Unit Size: 32767
            NT Protocol Characteristics: 0xc60e
            Line Turnaround Value: 0
            Value of 1 in Hardware: 0100
            Length of Connect Data: 196
            Offset to Connect Data: 58
            Maximum Receivable Connect Data: 512
            Connect Flags 0: 0x61
            Connect Flags 1: 0x61
            Trace Cross Facility Item 1: 0x00000000
            Trace Cross Facility Item 2: 0x00000000
            Trace Unique Connection ID: 0x0000000000000000
            Connect Data: (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM=
                           C:\oracle\product\10.2.0\client_1\bin\sqlplus.exe)
                           (HOST=WINXPSP2)(USER=vmware)))(ADDRESS=(PROTOCOL=TCP)
                           (HOST=192.168.1.102)(PORT=1521)))
    
     0.018134   192.168.1.108   192.168.1.102   TNS Request, Connect (1), Connect
     0000   00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00  ..).....)..=..E.
     0010   01 26 05 0b 40 00 80 06 70 a4 c0 a8 01 6c c0 a8  .&..@...p....l..
     0020   01 66 04 66 05 f1 ac 94 a7 3e 66 d2 7e ee 50 18  .f.f.....>f.~.P.
     0030   ff ff 15 91 00 00 00 fe 00 00 01 00 00 00 01 39  ...............9
     0040   01 2c 00 00 08 00 7f ff c6 0e 00 00 01 00 00 c4  .,..............
     0050   00 3a 00 00 02 00 61 61 00 00 00 00 00 00 00 00  .:....aa........
     0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0070   28 44 45 53 43 52 49 50 54 49 4f 4e 3d 28 43 4f  (DESCRIPTION=(CO
     0080   4e 4e 45 43 54 5f 44 41 54 41 3d 28 53 45 52 56  NNECT_DATA=(SERV
     0090   49 43 45 5f 4e 41 4d 45 3d 4f 52 43 4c 29 28 43  ICE_NAME=ORCL)(C
     00a0   49 44 3d 28 50 52 4f 47 52 41 4d 3d 43 3a 5c 6f  ID=(PROGRAM=C:\o
     00b0   72 61 63 6c 65 5c 70 72 6f 64 75 63 74 5c 31 30  racle\product\10
     00c0   2e 32 2e 30 5c 63 6c 69 65 6e 74 5f 31 5c 62 69  .2.0\client_1\bi
     00d0   6e 5c 73 71 6c 70 6c 75 73 2e 65 78 65 29 28 48  n\sqlplus.exe)(H
     00e0   4f 53 54 3d 57 49 4e 58 50 53 50 32 29 28 55 53  OST=WINXPSP2)(US
     00f0   45 52 3d 76 6d 77 61 72 65 29 29 29 28 41 44 44  ER=vmware)))(ADD
     0100   52 45 53 53 3d 28 50 52 4f 54 4f 43 4f 4c 3d 54  RESS=(PROTOCOL=T
     0110   43 50 29 28 48 4f 53 54 3d 31 39 32 2e 31 36 38  CP)(HOST=192.168
     0120   2e 31 2e 31 30 32 29 28 50 4f 52 54 3d 31 35 32  .1.102)(PORT=152
     0130   31 29 29 29                                      1)))
    

    Accept

    Transparent Network Substrate Protocol
        Packet Length: 32
        Packet Checksum: 0x0000
        Packet Type: Accept (2)
        Reserved Byte: 04
        Header Checksum: 0x0000
        Accept
            Version: 312
            Service Options: 0x0000
            Session Data Unit Size: 2048
            Maximum Transmission Data Unit Size: 32767
            Value of 1 in Hardware: 0100
            Accept Data Length: 0
            Offset to Accept Data: 32
            Connect Flags 0: 0x61
            Connect Flags 1: 0x61
    
     0000  00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00   ..)..=..).....E.
     0010  00 48 7c cf 40 00 80 06 f9 bd c0 a8 01 66 c0 a8   .H|.@........f..
     0020  01 6c 11 d9 04 67 b6 88 7a 22 0e a7 cb 81 50 18   .l...g..z"....P.
     0030  ff 01 1d 97 00 00 00 20 00 00 02 04 00 00 01 38   ....... .......8
     0040  00 00 08 00 7f ff 01 00 00 00 00 20 61 61 00 00   ........... aa..
     0050  00 00 00 00 00 00                                 ......
    

    Refuse

     0.047753   192.168.1.102   192.168.1.108   TNS Response, Refuse (4), Refuse
     0000   00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00  ..)..=..).....E.
     0010   00 8f 53 e2 40 00 80 06 22 64 c0 a8 01 66 c0 a8  ..S.@..."d...f..
     0020   01 6c 05 f1 04 0d e8 a0 2d 2b 67 0d 99 85 50 18  .l......-+g...P.
     0030   fe ff 59 03 00 00 00 67 00 00 04 00 00 00 22 00  ..Y....g......".
     0040   00 5b 28 44 45 53 43 52 49 50 54 49 4f 4e 3d 28  .[(DESCRIPTION=(
     0050   54 4d 50 3d 29 28 56 53 4e 4e 55 4d 3d 31 35 33  TMP=)(VSNNUM=153
     0060   30 39 32 33 35 32 29 28 45 52 52 3d 31 32 35 31  092352)(ERR=1251
     0070   34 29 28 45 52 52 4f 52 5f 53 54 41 43 4b 3d 28  4)(ERROR_STACK=(
     0080   45 52 52 4f 52 3d 28 43 4f 44 45 3d 31 32 35 31  ERROR=(CODE=1251
     0090   34 29 28 45 4d 46 49 3d 34 29 29 29 29           4)(EMFI=4))))
    

    The Refuse payload is a one-byte user reason (0x22), a one-byte system reason (0x00), a two-byte data length (0x005b = 91) and a connect-descriptor-style error string. The error here is TNS-12514, TNS:listener could not resolve SERVICE_NAME given in connect descriptor: the SERVICE_NAME in the connect string (ORCL) did not match any service registered with this listener. Note what the listener volunteers to an unauthenticated client along the way: VSNNUM=153092352 is 0x09200100, Oracle's packed version number for 9.2.0.1.0, so a refused connection is enough to fingerprint the listener version.
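    The header and the three handshake payloads decoded above, as an added example (not code from this article or from Oracle): a small Python parser that checks the declared length, unpacks the Connect, Accept and Refuse fields in the layout shown in the dumps, and decodes the VSNNUM a listener returns in a Refuse packet. The sample packets are the TNS bytes of the three dumps on this page with the Ethernet, IP and TCP headers stripped; the VSNNUM decoding (major byte, release/update nibbles, port byte, patch byte) is Oracle's usual packed layout and is not explained on this page.

```python
"""Parse a TNS header and the Connect, Accept and Refuse payloads.

Added example for this article, not Oracle code. The three sample packets
are the TNS bytes (Ethernet/IP/TCP stripped) of the Connect, Accept and
Refuse dumps on this page. Field order follows the header diagram and the
Wireshark decodes above; VSNNUM is unpacked with Oracle's usual layout of
major byte, release/update nibbles, port byte, patch byte.
"""
import re
import struct

TNS_TYPES = {1: "Connect", 2: "Accept", 3: "ACK", 4: "Refuse", 5: "Redirect", 6: "Data",
             7: "NULL", 9: "ABORT", 11: "Resend", 12: "Marker", 13: "Attention", 14: "Control"}

# sample packets copied from the dumps on this page
CONNECT_STRING = (r"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM="
                  r"C:\oracle\product\10.2.0\client_1\bin\sqlplus.exe)(HOST=WINXPSP2)"
                  r"(USER=vmware)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.102)(PORT=1521)))")
CONNECT = (bytes.fromhex("00fe000001000000"                  # length 254, type 1
                         "0139012c000008007fffc60e00000100"  # 313, 300, opts, SDU, TDU, NT, turn, 1-in-hw
                         "00c4003a000002006161")             # data len 196 @ 58, max 512, flags
           + b"\x00" * 24 + CONNECT_STRING.encode("ascii"))  # trace items, then connect data
ACCEPT = bytes.fromhex("0020000002040000"                    # length 32, type 2, reserved 4
                       "0138000008007fff010000000020"        # 312, opts, SDU, TDU, 1-in-hw, len 0 @ 32
                       "61610000000000000000")
REFUSE = (bytes.fromhex("0067000004000000" "2200005b")       # length 103, type 4; reasons, len 91
          + b"(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=12514)"
            b"(ERROR_STACK=(ERROR=(CODE=12514)(EMFI=4))))")


def parse_header(pkt):
    """8-byte header. The declared length comes from the peer, so it is checked."""
    length, pkt_cksum, ptype, reserved, hdr_cksum = struct.unpack(">HHBBH", pkt[:8])
    if length != len(pkt):
        raise ValueError(f"declared length {length} != {len(pkt)} bytes received")
    return {"length": length, "type": ptype, "type_name": TNS_TYPES.get(ptype, "unknown"),
            "reserved": reserved, "checksums": (pkt_cksum, hdr_cksum)}


def decode_vsnnum(vsnnum):
    """153092352 == 0x09200100 -> '9.2.0.1.0'."""
    b = int(vsnnum).to_bytes(4, "big")
    return f"{b[0]}.{b[1] >> 4}.{b[1] & 0xF}.{b[2]}.{b[3]}"


def parse_connect(pkt):
    (version, compat, svc_opts, sdu, tdu, nt_chars, turnaround, one_in_hw, cd_len, cd_off,
     max_cd, flags0, flags1) = struct.unpack(">10HIBB", pkt[8:34])
    if cd_off + cd_len > len(pkt):          # both values are peer-controlled
        raise ValueError("connect data runs past the end of the packet")
    return {"version": version, "compat": compat, "sdu": sdu, "tdu": tdu, "nt_chars": nt_chars,
            "one_in_hw": one_in_hw, "flags": (flags0, flags1),
            "connect_data": pkt[cd_off:cd_off + cd_len].decode("ascii", "replace")}


def parse_accept(pkt):
    version, svc_opts, sdu, tdu, one_in_hw, ad_len, ad_off, flags0, flags1 = \
        struct.unpack(">7HBB", pkt[8:24])
    if ad_off + ad_len > len(pkt):
        raise ValueError("accept data runs past the end of the packet")
    return {"version": version, "sdu": sdu, "tdu": tdu, "flags": (flags0, flags1),
            "accept_data": pkt[ad_off:ad_off + ad_len]}


def parse_refuse(pkt):
    reason_user, reason_sys, data_len = struct.unpack(">BBH", pkt[8:12])
    text = pkt[12:12 + data_len].decode("ascii", "replace")
    fields = dict(re.findall(r"\((\w+)=([^()]*)\)", text))  # innermost (KEY=value) pairs
    vsn = int(fields["VSNNUM"]) if fields.get("VSNNUM") else None
    return {"reason": (reason_user, reason_sys), "err": int(fields.get("ERR", 0)), "vsnnum": vsn,
            "version": decode_vsnnum(vsn) if vsn else None, "text": text}


PARSERS = {1: parse_connect, 2: parse_accept, 4: parse_refuse}


def parse_packet(pkt):
    """Header first, then the payload parser for that type (raw bytes for other types)."""
    hdr = parse_header(pkt)
    return {**hdr, **PARSERS.get(hdr["type"], lambda p: {"raw": p[8:]})(pkt)}


if __name__ == "__main__":
    for pkt in (CONNECT, ACCEPT, REFUSE):
        print(parse_packet(pkt))
```

    Two checks matter when this is pointed at untrusted traffic: the declared packet length must match what was actually received, and the Connect (or Accept) data offset and length must stay inside the packet, since both are chosen by the peer. The VSNNUM decode also shows why a refused connection is still informative to an attacker: 153092352 is 0x09200100, a 9.2.0.1.0 listener, disclosed before any authentication takes place.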

    Data Packet

    The payload of a Data packet (type 6) consists of a two-byte Data Flags field, a data packet ID (one byte, except for the four-byte 0xdeadbeef SNS marker described below), an optional TTI function ID, and the data itself:

    0           16   24    31
    +-----------+----+-----+
    | Data Flag | ID |<TTI>|
    +----------------------+
    |        D A T A       |
    +----------------------+
    

    The Data Flags field is normally 0x0000; it becomes 0x0040 once all data has been sent, to signal end of file.

    The Data Flags are followed by the data packet ID. The valid IDs are listed below, each with a sample packet:

    ID Description Sample Packet
    0x01 Protocol Negotiation. The ID is followed by the protocol versions the client accepts (0x06 0x05 0x04 0x03 0x02 0x01), a 0x00 terminator, and a NUL-terminated client platform string such as IBMPC/WIN_NT-8.1.0.
     0.277372   192.168.1.108   192.168.1.102   TCP kwdb-commn > iax 
     [PSH, ACK] Seq=786 Ack=425 Win=65111 Len=37
     0000   00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00  ..).....)..=..E.
     0010   00 4d 05 14 40 00 80 06 71 74 c0 a8 01 6c c0 a8  .M..@...qt...l..
     0020   01 66 04 67 11 d9 0e a7 cd 94 b6 88 7b ca 50 18  .f.g........{.P.
     0030   fe 57 a0 d0 00 00 00 25 00 00 06 04 00 00 00 00  .W.....%........
     0040   01 06 05 04 03 02 01 00 49 42 4d 50 43 2f 57 49  ........IBMPC/WI
     0050   4e 5f 4e 54 2d 38 2e 31 2e 30 00                 N_NT-8.1.0.
    
    0x02 Exchange of Data type representations.
     0.437308   192.168.1.108   192.168.1.102   TCP kwdb-commn > iax 
     [PSH, ACK] Seq=823 Ack=589 Win=64947 Len=67
     0000   00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00  ..).....)..=..E.
     0010   00 6b 05 15 40 00 80 06 71 55 c0 a8 01 6c c0 a8  .k..@...qU...l..
     0020   01 66 04 67 11 d9 0e a7 cd b9 b6 88 7c 6e 50 18  .f.g........|nP.
     0030   fd b3 81 e2 00 00 00 43 00 00 06 04 00 00 00 00  .......C........
     0040   02 b2 00 b2 00 52 21 06 01 01 01 0d 01 01 04 01  .....R!.........
     0050   01 01 01 01 01 01 ff ff 03 08 03 00 01 00 3f 01  ..............?.
     0060   07 3f 01 01 01 01 03 01 05 02 01 00 00 18 80 00  .?..............
     0070   00 00 3c 3c 3c 80 00 00 00                       ..<<<....
    
    0x03 TTI (Two-Task Interface) function call. The function ID is the byte immediately after the data packet ID. Known TTI function IDs:
    • 0x02 Open
    • 0x03 Query
    • 0x04 Execute
    • 0x05 Fetch
    • 0x08 Close
    • 0x09 Disconnect/logoff
    • 0x0C AutoCommit ON
    • 0x0D AutoCommit OFF
    • 0x0E Commit
    • 0x0F Rollback
    • 0x14 Cancel
    • 0x2B Describe
    • 0x30 Startup
    • 0x31 Shutdown
    • 0x3B Version
    • 0x43 K2 Transactions
    • 0x47 Query
    • 0x4A OSQL7
    • 0x51 Logon (present password)
    • 0x52 Logon (present username)
    • 0x5C OKOD
    • 0x5E Query
    • 0x60 LOB Operations
    • 0x62 ODNY
    • 0x67 Transaction - end
    • 0x68 Transaction - begin
    • 0x69 OCCA
    • 0x6D Startup
    • 0x73 Logon (present password - send AUTH_PASSWORD)
    • 0x76 Logon (present username - request AUTH_SESSKEY)
    • 0x77 Describe
    • 0x7F OOTCM
    • 0x8B OKPFC
     0.475183   192.168.1.108   192.168.1.102   TCP kwdb-commn > iax 
     [PSH, ACK] Seq=890 Ack=611 Win=64925 Len=224
     0000   00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00  ..).....)..=..E.
     0010   01 08 05 16 40 00 80 06 70 b7 c0 a8 01 6c c0 a8  ....@...p....l..
     0020   01 66 04 67 11 d9 0e a7 cd fc b6 88 7c 84 50 18  .f.g........|.P.
     0030   fd 9d 8a 2d 00 00 00 e0 00 00 06 04 00 00 00 00  ...-............
     0040   03 76 02 6c c8 d5 00 06 00 00 00 01 00 00 00 38  .v.l...........8
     0050   c3 12 00 05 00 00 00 e0 bf 12 00 08 c5 12 00 06  ................
     0060   53 59 53 54 45 4d 0d 00 00 00 0d 41 55 54 48 5f  SYSTEM.....AUTH_
     0070   54 45 52 4d 49 4e 41 4c 08 00 00 00 08 57 49 4e  TERMINAL.....WIN
     0080   58 50 53 50 32 00 00 00 00 0f 00 00 00 0f 41 55  XPSP2.........AU
     0090   54 48 5f 50 52 4f 47 52 41 4d 5f 4e 4d 0b 00 00  TH_PROGRAM_NM...
     00a0   00 0b 73 71 6c 70 6c 75 73 2e 65 78 65 00 00 00  ..sqlplus.exe...
     00b0   00 0c 00 00 00 0c 41 55 54 48 5f 4d 41 43 48 49  ......AUTH_MACHI
     00c0   4e 45 12 00 00 00 12 57 4f 52 4b 47 52 4f 55 50  NE.....WORKGROUP
     00d0   5c 57 49 4e 58 50 53 50 32 00 00 00 00 08 00 00  \WINXPSP2.......
     00e0   00 08 41 55 54 48 5f 50 49 44 07 00 00 00 07 36  ..AUTH_PID.....6
     00f0   36 38 3a 39 33 32 00 00 00 00 08 00 00 00 08 41  68:932.........A
     0100   55 54 48 5f 53 49 44 06 00 00 00 06 76 6d 77 61  UTH_SID.....vmwa
     0110   72 65 00 00 00 00                                re....
    
    0x08 "OK" response from server to client. In the sample below it answers the 0x76 logon request above and carries the AUTH_SESSKEY that the client uses in the following 0x73 (AUTH_PASSWORD) step.
     0.568852   192.168.1.102   192.168.1.108   TCP iax > kwdb-commn
     [PSH, ACK] Seq=611 Ack=1114 Win=64422 Len=165
     0000   00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00  ..)..=..).....E.
     0010   00 cd 7c d5 40 00 80 06 f9 32 c0 a8 01 66 c0 a8  ..|.@....2...f..
     0020   01 6c 11 d9 04 67 b6 88 7c 84 0e a7 ce dc 50 18  .l...g..|.....P.
     0030   fb a6 21 cf 00 00 00 a5 00 00 06 04 00 00 00 00  ..!.............
     0040   08 01 00 0c 00 00 00 0c 41 55 54 48 5f 53 45 53  ........AUTH_SES
     0050   53 4b 45 59 20 00 00 00 20 32 33 42 37 31 36 30  SKEY ... 23B7160
     0060   34 42 42 42 38 44 39 43 37 31 32 44 43 35 35 44  4BBB8D9C712DC55D
     0070   34 30 38 36 43 32 32 42 32 00 00 00 00 04 01 00  4086C22B2.......
     0080   00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     00a0   00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00  ................
     00b0   00 00 00 36 01 00 00 00 00 00 00 0c 41 21 00 00  ...6........A!..
     00c0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     00d0   00 00 00 00 00 00 00 00 00 00 00                 ...........
    
    0x11 Extended TTI (Two-Task Interface) function call. As with 0x03, the function ID follows the data packet ID; some of the additional codes:
    • 0x6b Switch or Detach session
    • 0x78 Close
    • 0x87 OSCID
    • 0x9A OKEYVAL
     0.972469   192.168.1.108   192.168.1.102   TCP kwdb-commn > iax 
     [PSH, ACK] Seq=2104 Ack=1162 Win=64374 Len=44
     0000   00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00  ..).....)..=..E.
     0010   00 54 05 19 40 00 80 06 71 68 c0 a8 01 6c c0 a8  .T..@...qh...l..
     0020   01 66 04 67 11 d9 0e a7 d2 ba b6 88 7e ab 50 18  .f.g........~.P.
     0030   fb 76 0e be 00 00 00 2c 00 00 06 04 00 00 00 00  .v.....,........
     0040   11 6b 04 09 00 00 00 d3 00 00 00 01 00 00 00 03  .k..............
     0050   3b 05 94 fb 12 00 f4 01 00 00 70 fa 12 00 6c fa  ;.........p...l.
     0060   12 00                                            ..
    
    0x20 Used by external procedures and service registrations
    0x44 Used by external procedures and service registrations
    0xdeadbeef Additional Network Options (ANO). Client and server negotiate additional connection attributes grouped into four services: authentication, encryption, data integrity, and supervisor. The negotiation takes place in the clear, before logon. NOTE: Wireshark labels this payload SNS (Secure Network Services).
     0.094489   192.168.1.108   192.168.1.102   TNS Response, Data (6), SNS
     0000   00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00  ..).....)..=..E.
     0010   00 d0 05 11 40 00 80 06 70 f4 c0 a8 01 6c c0 a8  ....@...p....l..
     0020   01 66 04 67 11 d9 0e a7 cb 81 b6 88 7a 42 50 18  .f.g........zBP.
     0030   ff df 98 ef 00 00 00 a8 00 00 06 04 00 00 00 00  ................
     0040   de ad be ef 00 9e 0a 20 01 00 00 04 00 00 04 00  ....... ........
     0050   03 00 00 00 00 00 04 00 05 0a 20 01 00 00 08 00  .......... .....
     0060   01 00 00 02 9c 00 c7 c7 f3 00 12 00 01 de ad be  ................
     0070   ef 00 03 00 00 00 04 00 04 00 01 00 01 00 02 00  ................
     0080   01 00 05 00 00 00 00 00 04 00 05 0a 20 01 00 00  ............ ...
     0090   02 00 03 e0 e1 00 02 00 06 fc ff 00 01 00 02 01  ................
     00a0   00 03 00 00 4e 54 53 00 02 00 02 00 00 00 00 00  ....NTS.........
     00b0   04 00 05 0a 20 01 00 00 0c 00 01 00 11 06 10 0c  .... ...........
     00c0   0f 0a 0b 08 02 01 03 00 03 00 02 00 00 00 00 00  ................
     00d0   04 00 05 0a 20 01 00 00 03 00 01 00 03 01        .... .........
    

    According to the Oracle Hacker's Handbook (David Litchfield, 2007), every Oracle version current at the time had a bug in the handling of Data packets (type 6) whose Data Flags have the second-lowest bit set and the lowest bit clear, i.e. the values 2, 6, 10, 14 and so on. On receiving such a packet the server enters an endless loop and consumes all available CPU time, which makes this a remote denial of service against the database server rather than a mere performance problem.
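    The Data packet layout, the data packet IDs and the SNS negotiation above, together with the Data Flags pattern from the Oracle Hacker's Handbook note, as an added example (not code from this article or from Oracle): a Python decoder for the payload of a type 6 packet that flags the anomalous Data Flags values, splits protocol negotiation into the version list and platform string, names TTI and extended TTI functions from a subset of the tables above, and walks the nested service/sub-packet structure of an SNS payload. The sample packets are the TNS bytes of the protocol negotiation, extended TTI and SNS dumps on this page with the Ethernet, IP and TCP headers stripped. Two things are assumptions rather than facts from this page: the SNS service numbers are named as the Wireshark dissector names them (1 Authentication, 2 Encryption, 3 Data Integrity, 4 Supervisor), and sub-packet type 5 is rendered as a packed version and type 0 as a string.

```python
"""Decode the payload of a TNS Data packet (type 6).

Added example for this article, not Oracle code. Sample packets are the TNS
bytes (Ethernet/IP/TCP stripped) of the protocol negotiation, extended TTI
and SNS dumps above; the TTI tables are a subset of the lists above.
Assumptions not on the page: SNS service numbers 1-4 are named after the
Wireshark dissector (Authentication, Encryption, Data Integrity, Supervisor);
SNS sub-packet type 5 is shown as a packed version, type 0 as a string.
"""
import struct

SNS_MAGIC = b"\xde\xad\xbe\xef"
TTI = {0x02: "Open", 0x03: "Query", 0x04: "Execute", 0x05: "Fetch", 0x08: "Close",
       0x09: "Disconnect/logoff", 0x3B: "Version", 0x51: "Logon (present password)",
       0x52: "Logon (present username)", 0x73: "Logon (present password - send AUTH_PASSWORD)",
       0x76: "Logon (present username - request AUTH_SESSKEY)"}
TTI_EXT = {0x6B: "Switch or Detach session", 0x78: "Close", 0x87: "OSCID", 0x9A: "OKEYVAL"}
SNS_SERVICES = {1: "Authentication", 2: "Encryption", 3: "Data Integrity", 4: "Supervisor"}

# sample packets copied from the dumps on this page (header + flags + data)
PROTO_NEG = bytes.fromhex("00250000060400000000" "0106050403020100") + b"IBMPC/WIN_NT-8.1.0\x00"
EXT_TTI = bytes.fromhex("002c0000060400000000" "116b0409000000d30000000100000003"
                        "3b0594fb1200f401000070fa12006cfa" "1200")
SNS = bytes.fromhex(
    "00a80000060400000000"
    "deadbeef009e0a200100000400000400" "0300000000000400050a200100000800"
    "010000029c00c7c7f300120001deadbe" "ef000300000004000400010001000200"
    "01000500000000000400050a20010000" "020003e0e100020006fcff0001000201"
    "000300004e5453000200020000000000" "0400050a200100000c0001001106100c"
    "0f0a0b08020103000300020000000000" "0400050a20010000030001000301")


def data_flags_anomalous(flags):
    """Oracle Hacker's Handbook pattern: bit 1 set, bit 0 clear (2, 6, 10, 14, ...).
    Legitimate clients send 0x0000, or 0x0040 for end of file."""
    return flags & 0x3 == 0x2


def packed_version(raw):
    """0a 20 01 00 -> '10.2.0.1.0' (major, release, update, port, patch)."""
    return f"{raw[0]}.{raw[1] >> 4}.{raw[1] & 0xF}.{raw[2]}.{raw[3]}"


def parse_sns(data):
    """Walk the SNS structure: header, then one block per service, each holding
    (length, type, value) sub-packets. Every length is checked against the buffer."""
    if data[:4] != SNS_MAGIC:
        raise ValueError("missing 0xdeadbeef magic")
    length, version, svc_count, err_flags = struct.unpack(">H4sHB", data[4:13])
    if length != len(data):
        raise ValueError(f"SNS length {length} != {len(data)}")
    off, services = 13, []
    for _ in range(svc_count):
        stype, nsub, err = struct.unpack(">HHI", data[off:off + 8])
        off, subs = off + 8, []
        for _ in range(nsub):
            slen, sub_type = struct.unpack(">HH", data[off:off + 4])
            value = data[off + 4:off + 4 + slen]
            if len(value) != slen:
                raise ValueError("SNS sub-packet runs past the packet")
            off += 4 + slen
            shown = (packed_version(value) if sub_type == 5 and slen == 4 else
                     value.decode("ascii", "replace") if sub_type == 0 else value.hex())
            subs.append({"type": sub_type, "value": shown})
        services.append({"type": stype, "name": SNS_SERVICES.get(stype, "unknown"),
                         "error": err, "subpackets": subs})
    return {"kind": "sns", "version": packed_version(version), "error_flags": err_flags,
            "services": services}


def parse_data_payload(payload):
    """payload = everything after the 8-byte TNS header: flags, data ID, data."""
    flags = struct.unpack(">H", payload[:2])[0]
    out, body = {"flags": flags, "flags_anomalous": data_flags_anomalous(flags)}, payload[2:]
    if body[:4] == SNS_MAGIC:
        out.update(parse_sns(body))
    elif body[0] == 0x01:                      # versions, 0x00, platform string, 0x00
        end = body.index(0, 1)
        out.update(kind="protocol_negotiation", versions=list(body[1:end]),
                   platform=body[end + 1:body.index(0, end + 1)].decode("ascii", "replace"))
    elif body[0] == 0x03:
        out.update(kind="tti", function=TTI.get(body[1], f"unknown 0x{body[1]:02x}"))
    elif body[0] == 0x11:
        out.update(kind="extended_tti", function=TTI_EXT.get(body[1], f"unknown 0x{body[1]:02x}"))
    else:
        out.update(kind=f"data_id_0x{body[0]:02x}")
    return out


def parse_data(pkt):
    """Full packet: require type 6 and a matching declared length, then decode the payload."""
    if pkt[4] != 6 or struct.unpack(">H", pkt[:2])[0] != len(pkt):
        raise ValueError("not a well-formed Data packet")
    return parse_data_payload(pkt[8:])


if __name__ == "__main__":
    for pkt in (PROTO_NEG, EXT_TTI, SNS):
        print(parse_data(pkt))
```

    Run against the SNS dump, the decoder shows what a passive observer learns from this negotiation: the client version (10.2.0.1.0, the same packed layout as VSNNUM), the authentication adapter it offers (NTS) and the raw algorithm lists for encryption and data integrity, all before any credentials are exchanged. The data_flags_anomalous check is the detection-side counterpart of the endless-loop bug: a Data packet whose flags are 2, 6, 10, 14 and so on is not something a normal client sends, so it is worth alerting on at the network boundary.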

    Published on July 1st, 2008 by iphelix


    All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.
