o5logon dissector overhaul. #742
Conversation
|
Here are some .pcap files for testing these changes, https://raw.githubusercontent.com/kholia/ctf/master/ggyy-99b3ed3ed5e2a293c697784ac94ee8c6.pcap http://openwall.info/wiki/_media/john/Oracle-O5LOGON.tar.gz And pcap files from hashcat/hashcat#371 |
|
@koeppea @LocutusOfBorg Ping, it would be great if you could review, and possibly merge this PR. |
|
I would like to see a fix for #741 before merging this one... isn''t it better? |
|
I'd also like to add some annotations for this one. Could yet manage to afford the time.
|
src/dissectors/ec_o5logon.c
Outdated
| /* PKCS#7 padding used? */ | ||
| #define MAYBE 0 | ||
| #define YES 1 | ||
| #define NO 2 |
There was a problem hiding this comment.
pre-processor directives and variables should be unique.
please add somwhat like EC_O5LOGON_ to the pre-processor variables.
src/dissectors/ec_o5logon.c
Outdated
| @@ -46,6 +65,24 @@ void o5logon_init(void); | |||
|
|
|||
| /************************************************/ | |||
|
|
|||
| #undef memrchr | |||
| #define memrchr my_memrchr | |||
There was a problem hiding this comment.
What is the purpose of this renaming? You shouldn't replace standard function names.
Why do you implement your own version of this standard function?
There was a problem hiding this comment.
That function is not present in eg. OSX so I implemented it. The define saves us on eg. Linux where it is present.
I don't understand cmake but I presume this could be dealt with in some more clever way (ie. use system version if present) - but this works fine as-is on Linux and OSX.
There was a problem hiding this comment.
So we'd should only use it when being on a BSD or DARWIN a.k.a. MacOS operating system. The pre-processor variables are set by cmake.
I'd even recommend putting it into a "common" file like ec_utils.c that make it easier to be reused by other functions in future.
Or we could put it into a dedicated source / header file and include it into compilation processes depending on Cmake tests.
I could also help you with the Cmake part if you want.
There was a problem hiding this comment.
Just checked FreeBSD. There the memrchr() function exists. MacOSX apparently is the only OS lacking memrchr() .
There was a problem hiding this comment.
Added 40979f2 which moves it to ec_utils.c and wraps with #if OS_DARWIN. Tested on OSX, "should work" on others (famous last words).
src/dissectors/ec_o5logon.c
Outdated
| return NULL; | ||
| } | ||
|
|
||
| u_char *ano; |
There was a problem hiding this comment.
Please declare variables only at the beginning of a block, otherwise this will generate a warning.
src/dissectors/ec_o5logon.c
Outdated
|
|
||
| #include <ec.h> | ||
| #include <ec_decode.h> | ||
| #include <ec_dissect.h> | ||
| #include <ec_session.h> | ||
|
|
||
| //#define O5DEBUG |
There was a problem hiding this comment.
I'd rather recommend defining this (prefixed with EC_) with the value 0 for off and 1 for on.
to include such a block you the do #if EC_O5DEBUG instead of #ifdef ....
But this is really somewhat cosmetic and flavor.
src/dissectors/ec_o5logon.c
Outdated
| u_char user[129]; | ||
| u_char srv_addr[22]; |
There was a problem hiding this comment.
What is the purpose of srv_addr[22]? Holding the string representation of a IP address?
- it won't fit an IPv6 address
- managing IP addresses string or human representrationwise is somewhat painful.
I rather recommend using the type struct ip_addr * instead and use the ip_addr_* functions to initialize, handle and represent the IP address.
AUTH_SESSKEY in case we can no longer exploit known padding (version 12).
|
Thank you for reviewing. Requested changes are now implemented and it's also rebased onto current tree. Tested on OSX (prior to last commit it was also tested on Linux). |
|
@magnumripper may I request contribution / write permissions to your fork? |
|
@koeppea you are now a collaborator. |
|
Thanks. |
There was a problem hiding this comment.
I've tested the dissector with some of the PCAP files referenced.
I'm not a Oracle expert, but I'd expected some less "verbose" information. In contrast some information is only be printed with DEBUG enabled which I'd expected the other way round.
Just a comment, but I'm afraid that the messages pane gets flooded so that other potentially important information is getting lost when one or more Oracle sessions are going over the wire.
What do you think?
src/dissectors/ec_o5logon.c
Outdated
| #if EC_O5LOGON_DEBUG | ||
| DISSECT_MSG("O5LOGON: client ver %u.%u.%u.%u.%u (PKCS)\n", | ||
| ano[0], ano[1] >> 4, ano[1] & 15 , ano[2], ano[3]); | ||
| #endif |
There was a problem hiding this comment.
Wouldn't this being worth to be print w/o DEBUG?
| ntohs(PACKET->L4.dst), | ||
| conn_status->user, | ||
| conn_status->flags.c_ano == 1 ? "" : "(no ANO seen)"); | ||
| #endif |
src/dissectors/ec_o5logon.c
Outdated
| #if EC_O5LOGON_DEBUG | ||
| DISSECT_MSG("O5LOGON: server ver %u.%u.%u.%u.%u\n", ano[0], | ||
| ano[1] >> 4, ano[1] & 15 , ano[2], ano[3]); | ||
| #endif |
There was a problem hiding this comment.
I personally had no need for either of them except while debugging / trying to understand the protocol), but I'm fine with including them w/o debug.
There was a problem hiding this comment.
What do you think about the amount of information in the messages pane:
$ ettercap -Tqr ~/Downloads/ggyy-99b3ed3ed5e2a293c697784ac94ee8c6.pcap
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Reading from /home/koeppea/Downloads/ggyy-99b3ed3ed5e2a293c697784ac94ee8c6.pcap
Libnet failed IPv4 initialization. Don't send IPv4 packets.
Libnet failed IPv6 initialization. Don't send IPv6 packets.
34 plugins
42 protocol dissectors
57 ports monitored
20530 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Starting Unified sniffing...
O5LOGON: AASH@192.168.131.1:$o5logon$209C317916169AEFD4ACA354CBA5588902933CBB2C31909898F1B4A7B1B4612A423FE59958FB8E07400FC69577B7BE34*ED3BE8DDEBF2FE6FB36F
O5LOGON: AASH@192.168.131.1:$o5logon$209C317916169AEFD4ACA354CBA5588902933CBB2C31909898F1B4A7B1B4612A423FE59958FB8E07400FC69577B7BE34*ED3BE8DDEBF2FE6FB36F
O5LOGON: AASH@192.168.131.1:$o5logon$209C317916169AEFD4ACA354CBA5588902933CBB2C31909898F1B4A7B1B4612A423FE59958FB8E07400FC69577B7BE34*ED3BE8DDEBF2FE6FB36F
O5LOGON: AASH@192.168.131.1:$o5logon$209C317916169AEFD4ACA354CBA5588902933CBB2C31909898F1B4A7B1B4612A423FE59958FB8E07400FC69577B7BE34*ED3BE8DDEBF2FE6FB36F
O5LOGON: AASH@192.168.131.1:$o5logon$209C317916169AEFD4ACA354CBA5588902933CBB2C31909898F1B4A7B1B4612A423FE59958FB8E07400FC69577B7BE34*ED3BE8DDEBF2FE6FB36F
....
What can be done with this information?
There was a problem hiding this comment.
Like I wrote below it's password hashes. I could try to reject dupes tho, but I'm not sure it's worth the effort. It shouldn't be a problem IRL.
There was a problem hiding this comment.
@LocutusOfBorg what do you think about the deduplication? I have no feeling about the real world occurrence.
On the other hand, we don't have such mechanisms on other dissectors and omitting it keeps the processing lightweight.
There was a problem hiding this comment.
I don't think it is worth the effort...
There was a problem hiding this comment.
somebody might want to sort and count how many people have the same password hash maybe?
|
Tested on Linux, MacOSX and FreeBSD. |
The output is password hashes, ready to crack in JtR or Hashcat. |
|
Oh, and thanks a lot for reviewing and fixing the last issues. |
src/dissectors/ec_o5logon.c
Outdated
|
|
||
| #include <ec.h> | ||
| #include <ec_decode.h> | ||
| #include <ec_dissect.h> | ||
| #include <ec_session.h> | ||
| #include <ec_utils.h> | ||
|
|
||
| #define EC_O5LOGON_DEBUG 0 |
There was a problem hiding this comment.
@koeppea what about "if not defined then define it to 0?" this way people might be able to feed this value from the environment, without having to change the source code.
it looks good to me, even if I didn't test it. Feel free to merge whenever you want :)
|
merged thanks you all :) |
|
@magnumripper This is awesome work. Thanks! To document the observed traffic, is it possible to summarize e.g. in a table the byte format observed on the wire versus the Oracle client and Oracle server versions actually in use? |
|
I wouldn't mind that, but unfortunately I don't have any time to invest. |
This is needed for newer versions of Oracle. It also fixes various problems in the original code but ultimately I need a fix for #741 to do it good.