Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: Hacking An Oracle Session : Is It Possible?

From: Frank van Bortel <fvanbortel_at_netscape.net>
Date: Sat, 15 May 2004 20:53:18 +0200
Message-ID: <c85oog$4q5$1@news4.tilbu1.nb.home.nl>


Daniel Morgan wrote:

> Frank van Bortel wrote:

>> It is extremely easy to make sqlnet connections encrypted.
>> Merely requires one or two entries in the network configuration
>> files on client and server, and you're done.
>> uid/password are then encrypted as well.
> 
> 
> Can you, or anyone else, think of a quick demo that could be used to
> show the change to students?
> 
> Run it in default configuration ... show the connection stream ...
> modify ... view the connection stream?

Something like:

Change the client side sqlnet.ora to include these lines:

#sqlnet.encryption_client = "accepted"
#sqlnet.encryption_types_client = "3DES168"
#sqlnet.crypto_seed ="IUH&*^#(@RHJJHUIOYOQ#JIbawdggy"
trace_level_client=support

Connect; e.g. sqlplus scott/tiger@o920 <<<< Bad habit, password will show!

exit the session.
Examine trace files, the actual data sent is in binary, as well as in readable form:
[15-MAY-2004 19:51:29:515] nspsend: 56 49 43 45 5F 4E 41 4D |VICE_NAM|
[15-MAY-2004 19:51:29:515] nspsend: 45 3D 6F 39 32 30 2E 63 |E=o920.c|
[15-MAY-2004 19:51:29:515] nspsend: 73 64 62 30 31 2E 63 73 |sdb01.cs|
[15-MAY-2004 19:51:29:515] nspsend: 2E 6E 6C 29 28 43 49 44 |.nl)(CID|
[15-MAY-2004 19:51:29:515] nspsend: 3D 28 50 52 4F 47 52 41 |=(PROGRA|
[15-MAY-2004 19:51:29:515] nspsend: 4D 3D 44 3A 5C 6F 72 61 |M=D:\ora|
[15-MAY-2004 19:51:29:515] nspsend: 63 6C 65 5C 6F 72 61 39 |cle\ora9|
[15-MAY-2004 19:51:29:515] nspsend: 32 5C 62 69 6E 5C 73 71 |2\bin\sq|
[15-MAY-2004 19:51:29:515] nspsend: 6C 70 6C 75 73 2E 65 78 |lplus.ex|
[15-MAY-2004 19:51:29:515] nspsend: 65 29 28 48 4F 53 54 3D |e)(HOST=|

If you do nothing (connect and exit), about half way in the trace file (that will be about 200kB anyway!), you'll find:
[15-MAY-2004 19:51:29:578] nspsend: 00 40 D3 12 00 30 D7 12 |.@...0..|
[15-MAY-2004 19:51:29:578] nspsend: 00 05 73 63 6F 74 74 0F |..scott.|
[15-MAY-2004 19:51:29:578] nspsend: 00 00 00 0F 41 55 54 48 |....AUTH|
[15-MAY-2004 19:51:29:578] nspsend: 5F 50 52 4F 47 52 41 4D |_PROGRAM|
[15-MAY-2004 19:51:29:578] nspsend: 5F 4E 4D 0B 00 00 00 0B |_NM.....|
[15-MAY-2004 19:51:29:578] nspsend: 73 71 6C 70 6C 75 73 2E |sqlplus.|
[15-MAY-2004 19:51:29:578] nspsend: 65 78 65 00 00 00 00 0C |exe.....|
[15-MAY-2004 19:51:29:578] nspsend: 00 00 00 0C 41 55 54 48 |....AUTH|
[15-MAY-2004 19:51:29:578] nspsend: 5F 4D 41 43 48 49 4E 45 |_MACHINE|

So there is the userid in clear text. Passwords are never sent in clear text, unless that has to do with the Advanced Security Option installed here.

Now - uncomment the client sqlnet lines:

sqlnet.encryption_client = "accepted"
# If encryption is requested, or required, accept it
sqlnet.encryption_types_client = "3DES168"
# use triple DES, 168bit key encryption
sqlnet.crypto_seed ="IUH&*^#(@RHJJHUIOYOQ#JIbawdggy"
# anything in double quotes ("") 10 - 70 characters
trace_level_client=support

Make sure the server side requires encryption, alter the sqlnet.ora file:

sqlnet.encryption_types_server="3DES168"
sqlnet.encryption_server="required"
sqlnet.crypto_seed = "KJHQ&DTY)@YHKjausgd18`89"
# I used a different one on the server...

On the client, connect, and exit again.
Examine trace files
About one third:
[15-MAY-2004 20:31:07:828] na_tns: encryption is active, using 3DES168

Further down, about half way:

[15-MAY-2004 20:31:07:843] nspsend: packet dump
[15-MAY-2004 20:31:07:843] nspsend: 00 A4 00 00 06 00 00 00 |........|
[15-MAY-2004 20:31:07:843] nspsend: 00 00 7C A8 D6 B9 06 73 |..|....s|
[15-MAY-2004 20:31:07:843] nspsend: D3 F9 C7 14 6C B9 57 64 |....l.Wd|
[15-MAY-2004 20:31:07:843] nspsend: 8D 3D 4D 1F D0 83 68 4F |.=M...hO|
[15-MAY-2004 20:31:07:843] nspsend: 83 BA 87 B0 1A 83 1E F3 |........|
[15-MAY-2004 20:31:07:843] nspsend: CB DC D8 77 50 27 0A AE |...wP'..|
[15-MAY-2004 20:31:07:843] nspsend: 5F C2 54 CE 87 87 BC 7D |_.T....}|
[15-MAY-2004 20:31:07:843] nspsend: 7C A9 F4 94 E2 3B A6 84 ||....;..|
[15-MAY-2004 20:31:07:843] nspsend: D4 DE B9 09 FE 19 C4 96 |........|
[15-MAY-2004 20:31:07:843] nspsend: 80 6B A2 05 88 64 A3 0D |.k...d..|

When done - don't forget to set trace_level_client to NONE (or 0 - zero) again!

Will that do?
BTW Ethereal shows the same (tracing TNS) as sqlnet trace.

-- 

Regards,
Frank van Bortel
Received on Sat May 15 2004 - 13:53:18 CDT
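
The before/after comparison from the post can be scripted, so the class demo ends with a pass/fail check instead of reading hex by eye. This is an added example, not part of the original message: the names `payload` and `check_trace` are hypothetical, and the sample lines are copied from the two trace listings above.

```python
import re

# One hex-dump line of the client trace, e.g.
# [15-MAY-2004 19:51:29:578] nspsend: 00 05 73 63 6F 74 74 0F |..scott.|
DUMP_RE = re.compile(r"nspsend:\s+((?:[0-9A-Fa-f]{2}\s+){1,8})\|")
ACTIVE_RE = re.compile(r"na_tns:\s+encryption is active, using (\S+)")

# Excerpts copied from the post: default run, then the run with encryption on.
PLAIN = """\
[15-MAY-2004 19:51:29:578] nspsend: 00 05 73 63 6F 74 74 0F |..scott.|
[15-MAY-2004 19:51:29:578] nspsend: 00 00 00 0F 41 55 54 48 |....AUTH|
[15-MAY-2004 19:51:29:578] nspsend: 5F 50 52 4F 47 52 41 4D |_PROGRAM|
[15-MAY-2004 19:51:29:578] nspsend: 5F 4E 4D 0B 00 00 00 0B |_NM.....|
"""
ENCRYPTED = """\
[15-MAY-2004 20:31:07:828] na_tns: encryption is active, using 3DES168
[15-MAY-2004 20:31:07:843] nspsend: packet dump
[15-MAY-2004 20:31:07:843] nspsend: 00 A4 00 00 06 00 00 00 |........|
[15-MAY-2004 20:31:07:843] nspsend: 00 00 7C A8 D6 B9 06 73 |..|....s|
[15-MAY-2004 20:31:07:843] nspsend: D3 F9 C7 14 6C B9 57 64 |....l.Wd|
"""

def payload(trace_text):
    """Reassemble the bytes of all nspsend hex-dump lines, in order."""
    data = bytearray()
    for line in trace_text.splitlines():
        m = DUMP_RE.search(line)
        if m:  # skips "nspsend: packet dump" and other non-hex lines
            data += bytes.fromhex(m.group(1))
    return bytes(data)

def check_trace(trace_text, markers):
    """Return (negotiated cipher or None, markers readable in the sent bytes)."""
    active = ACTIVE_RE.search(trace_text)
    data = payload(trace_text)
    # Search the reassembled bytes, not the 8-character ASCII column:
    # AUTH_PROGRAM_NM is split over three dump lines, so a per-line grep misses it.
    leaked = sorted(s for s in markers if s.encode("ascii") in data)
    return (active.group(1) if active else None), leaked

if __name__ == "__main__":
    for name, text in (("default", PLAIN), ("encrypted", ENCRYPTED)):
        print(name, check_trace(text, ["scott", "AUTH_PROGRAM_NM"]))
```

For a real trace file, pass its full text to `check_trace` along with the user name used for the test connection.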
