Re: Oracle AUTH_PASSWORD string

From: David Cravshaw (david.cravshaw@gmail.com)
Date: Thu Dec 01 2005 - 10:24:25 EST


The Oracle Security Handbook by Oracle Press has a good section on the
TNS protocol, including a step-by-step overview of the logon process.

Basically, to answer your question, AUTH_PASSWORD is DES encrypted
using a random number that is sent by the database to the client in
the AUTH_SESSKEY string. AUTH_SESSKEY is also DES encrypted with the
user's password hash. What this means is that you won't be able to
determine the password simply by sniffing the traffic.

Here's a basic dataflow:

User passes a username to the database
Database responds by sending a challenge created by DES encrypting a
random number with the user's password hash.
(Decrypt the challenge with the password hash to determine the random
number...)
The client then sends the password, which has been DES encrypted using
the random number as the key.

dpc

On 12/1/05, P. Entester <pentest__@hotmail.com> wrote:
>
> Hello gentlemen,
>
> I am looking for pointers on information showing me how to decipher
> AUTH_PASSWORD strings, which look like some kind of hash to me. The rest of
> the traffic is clear text however, including the SQL queries and answers.
>
> I captured a few megs of Oracle traffic and want to be able to show the
> customer the importance of encrypting Oracle traffic on their network.
>
> Since I am new to pentesting Oracle databases and analyzing Oracle traffic,
> I guess some basic guide on Oracle dialog interpretation would best fit the
> purpose.
>
> Thanks in advance,
>
> Peter.
>
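
The dataflow described in the reply above, modelled end to end as an added example (not code from the post, the handbook or Oracle). The cipher is a small Feistel stand-in for DES, and the hash function, zero padding, server-side check and the user name and password are constructed assumptions so that the sketch runs with the standard library alone.

```python
import hashlib, hmac, os

BLOCK = 8  # DES block size in bytes

def toy_cipher(key, data, decrypt=False):
    """Stand-in for DES (assumption): 4-round Feistel over 8-byte blocks."""
    order = range(3, -1, -1) if decrypt else range(4)
    out = b""
    for i in range(0, len(data), BLOCK):
        l, r = data[i:i + 4], data[i + 4:i + 8]
        for n in order:
            f = hashlib.sha256(key + bytes([n]) + r).digest()[:4]
            l, r = r, bytes(a ^ b for a, b in zip(l, f))
        out += r + l  # final swap makes decryption the same loop in reverse
    return out

def stand_in_hash(user, password):
    """Placeholder for the stored password hash (not Oracle's algorithm)."""
    return hashlib.sha256(user + b":" + password).digest()[:BLOCK]

class Server:
    def __init__(self, users):
        self.users = users  # username -> stored password hash

    def challenge(self, user):
        self.rand = os.urandom(BLOCK)                   # per-login random number
        return toy_cipher(self.users[user], self.rand)  # AUTH_SESSKEY

    def verify(self, user, auth_password):
        # Assumed check: recover the password, re-hash, compare to the stored hash.
        pw = toy_cipher(self.rand, auth_password, decrypt=True).rstrip(b"\0")
        return hmac.compare_digest(stand_in_hash(user, pw), self.users[user])

def client_response(user, password, auth_sesskey):
    # Decrypt the challenge with the password hash to get the random number.
    rand = toy_cipher(stand_in_hash(user, password), auth_sesskey, decrypt=True)
    padded = password + b"\0" * (-len(password) % BLOCK)  # zero padding (assumed)
    return toy_cipher(rand, padded)                       # AUTH_PASSWORD

def login(server, user, password):
    """Run one exchange; return (accepted, bytes an eavesdropper would see)."""
    sesskey = server.challenge(user)
    auth_pw = client_response(user, password, sesskey)
    return server.verify(user, auth_pw), sesskey + auth_pw

if __name__ == "__main__":
    srv = Server({b"APPUSER": stand_in_hash(b"APPUSER", b"constructed-pw")})
    for attempt in (b"constructed-pw", b"wrong-guess"):
        ok, wire = login(srv, b"APPUSER", attempt)
        print(attempt, ok, wire.hex())
```

The wire bytes differ on every login because the random number does, and the whole exchange rests on the secrecy of the stored hash that wraps that number.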




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:12 EDT