
Re: password encryption during password change

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Tue, 3 Feb 2004 19:23:35 +0000
Message-ID: <yRcsMfA3U$HARxcu@peterfinnigan.demon.co.uk>


Hi

Interesting thought. If you use SQL net trace level SUPPORT and do an alter user from a SQL*Plus client you can see the password being sent in clear text.

First set trace by adding these lines to %ORACLE_HOME/network/admin/sqlnet.ora

TRACE_FILE_SERVER=pf_trace.trc
TRACE_DIRECTORY_SERVER=c:\backups
TRACE_LEVEL_SERVER=SUPPORT

Change the directory and name to suit yourself. Then I ran this in a SQL*Plus session:

Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL>
SQL> alter user dbsnmp identified by dbsnmp;

User altered.

SQL>

This gave me the following in the trace file:

[03-FEB-2004 19:04:33:652] nsprecv: 00 B4 00 00 06 04 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 03 5E 19 21 80 00 |...^.!..|
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 00 00 00 54 89 DE |.....T..|
[03-FEB-2004 19:04:33:652] nsprecv: 00 26 00 00 00 38 CE DD |.&...8..|
[03-FEB-2004 19:04:33:652] nsprecv: 00 0C 00 00 00 00 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 00 68 CE DD 00 00 00 00 |.h......|
[03-FEB-2004 19:04:33:652] nsprecv: 00 01 00 00 00 00 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 00 00 00 00 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 00 00 00 00 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 00 00 00 00 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 00 6A CE DD 00 2C 8D DE |.j...,..|
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 00 00 00 26 61 6C |.....&al|
[03-FEB-2004 19:04:33:652] nsprecv: 74 65 72 20 75 73 65 72 |ter.user|
[03-FEB-2004 19:04:33:652] nsprecv: 20 64 62 73 6E 6D 70 20 |.dbsnmp.|
[03-FEB-2004 19:04:33:652] nsprecv: 69 64 65 6E 74 69 66 69 |identifi|
[03-FEB-2004 19:04:33:652] nsprecv: 65 64 20 62 79 20 64 62 |ed.by.db|
[03-FEB-2004 19:04:33:652] nsprecv: 73 6E 6D 70 01 00 00 00 |snmp....|
[03-FEB-2004 19:04:33:652] nsprecv: 01 00 00 00 00 00 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 00 00 00 00 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 00 00 00 00 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 07 00 00 00 00 00 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 00 00 00 00 00 00 |........|
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 00 00 |.... |

If I used the password function as follows:

Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL> password dbsnmp
Changing password for dbsnmp
New password: ******
Retype new password: ******
Password changed
SQL>

then I search the trace file, I only find:

[03-FEB-2004 19:15:01:005] nsprecv: 03 15 00 00 06 04 00 00 |........|
[03-FEB-2004 19:15:01:005] nsprecv: 00 00 11 6B 19 09 00 00 |...k....|
[03-FEB-2004 19:15:01:005] nsprecv: 00 48 03 00 00 01 00 00 |.H......|
[03-FEB-2004 19:15:01:005] nsprecv: 00 03 73 1A AC B4 12 00 |..s.....|
[03-FEB-2004 19:15:01:005] nsprecv: 06 00 00 00 12 01 00 00 |........|
[03-FEB-2004 19:15:01:005] nsprecv: 20 B1 12 00 06 00 00 00 |........|
[03-FEB-2004 19:15:01:005] nsprecv: F0 AE 12 00 20 B3 12 00 |........|
[03-FEB-2004 19:15:01:005] nsprecv: 06 64 62 73 6E 6D 70 10 |.dbsnmp.|
[03-FEB-2004 19:15:01:005] nsprecv: 00 00 00 10 41 55 54 48 |....AUTH|
[03-FEB-2004 19:15:01:005] nsprecv: 5F 4E 45 57 50 41 53 53 |_NEWPASS|
[03-FEB-2004 19:15:01:005] nsprecv: 57 4F 52 44 20 00 00 00 |WORD....|
[03-FEB-2004 19:15:01:005] nsprecv: 20 34 41 43 36 35 36 34 |.4AC6564|
[03-FEB-2004 19:15:01:005] nsprecv: 33 30 39 44 36 34 44 37 |309D64D7|
[03-FEB-2004 19:15:01:005] nsprecv: 37 42 33 33 32 34 41 36 |7B3324A6|
[03-FEB-2004 19:15:01:005] nsprecv: 44 44 30 44 31 30 30 41 |DD0D100A|
[03-FEB-2004 19:15:01:005] nsprecv: 31 00 00 00 00 0D 00 00 |1.......|
[03-FEB-2004 19:15:01:005] nsprecv: 00 0D 41 55 54 48 5F 54 |..AUTH_T|
[03-FEB-2004 19:15:01:005] nsprecv: 45 52 4D 49 4E 41 4C 05 |ERMINAL.|
[03-FEB-2004 19:15:01:005] nsprecv: 00 00 00 05 5A 55 4C 49 |....ZULI|
[03-FEB-2004 19:15:01:005] nsprecv: 41 00 00 00 00 0F 00 00 |A.......|
[03-FEB-2004 19:15:01:005] nsprecv: 00 0F 41 55 54 48 5F 50 |..AUTH_P|
[03-FEB-2004 19:15:01:005] nsprecv: 52 4F 47 52 41 4D 5F 4E |ROGRAM_N|
[03-FEB-2004 19:15:01:005] nsprecv: 4D 0C 00 00 00 0C 73 71 |M.....sq|
[03-FEB-2004 19:15:01:005] nsprecv: 6C 70 6C 75 73 77 2E 65 |lplusw.e|
[03-FEB-2004 19:15:01:005] nsprecv: 78 65 00 00 00 00 0C 00 |xe......|

The number shown is also not the hash, it's probably some session key. So using the password function protects you from clear text password transmission from SQL*Plus.

Don't forget to remove trace! Also, if you are interested, I wrote a paper recently called "Detecting SQL Injection in Oracle" available from http://www.petefinnigan.com/orasec.htm that shows how to do the above and also a few other techniques to see what is being sent to the database.

kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Tue Feb 03 2004 - 13:23:35 CST
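
Added example, not part of the original post: a Python script that audits a SUPPORT-level SQL*Net trace for the exposure shown above, reassembling the nsprecv hex column and reporting any ALTER USER ... IDENTIFIED BY statement without echoing the password. The function names are hypothetical, the sample lines are copied from the two dumps in the post, and grouping dump lines into packets by timestamp is an assumption that fits those dumps.

```python
import re

# Trace lines copied (trimmed) from the two packets quoted in the post.
SAMPLE_TRACE = """\
[03-FEB-2004 19:04:33:652] nsprecv: 00 00 00 00 00 26 61 6C |.....&al|
[03-FEB-2004 19:04:33:652] nsprecv: 74 65 72 20 75 73 65 72 |ter.user|
[03-FEB-2004 19:04:33:652] nsprecv: 20 64 62 73 6E 6D 70 20 |.dbsnmp.|
[03-FEB-2004 19:04:33:652] nsprecv: 69 64 65 6E 74 69 66 69 |identifi|
[03-FEB-2004 19:04:33:652] nsprecv: 65 64 20 62 79 20 64 62 |ed.by.db|
[03-FEB-2004 19:04:33:652] nsprecv: 73 6E 6D 70 01 00 00 00 |snmp....|
[03-FEB-2004 19:15:01:005] nsprecv: 06 64 62 73 6E 6D 70 10 |.dbsnmp.|
[03-FEB-2004 19:15:01:005] nsprecv: 00 00 00 10 41 55 54 48 |....AUTH|
[03-FEB-2004 19:15:01:005] nsprecv: 5F 4E 45 57 50 41 53 53 |_NEWPASS|
[03-FEB-2004 19:15:01:005] nsprecv: 57 4F 52 44 20 00 00 00 |WORD....|
"""

DUMP_LINE = re.compile(
    r"^\[([^\]]+)\]\s+nsprecv:\s+((?:[0-9A-Fa-f]{2}\s+)+)\|", re.M)
# The SQL text is split across 8-byte dump lines, so match on reassembled bytes.
CLEARTEXT = re.compile(
    rb"alter\s+user\s+([\x21-\x7e]+)\s+identified\s+by\s+([\x21-\x7e]+)", re.I)

def reassemble(trace_text):
    """Join the hex column of nsprecv lines into bytes, keyed by timestamp."""
    packets = {}
    for stamp, hexcol in DUMP_LINE.findall(trace_text):
        packets.setdefault(stamp, bytearray()).extend(bytes.fromhex(hexcol))
    return packets

def find_cleartext_password_changes(trace_text):
    """Return (timestamp, user, password_length) for each exposed ALTER USER.
    The password itself is never returned, so the report is safe to store."""
    findings = []
    for stamp, data in reassemble(trace_text).items():
        for m in CLEARTEXT.finditer(bytes(data)):
            if m.group(2).lower() == b"values":  # IDENTIFIED BY VALUES '<hash>'
                continue                         # a hash, not a cleartext password
            findings.append((stamp, m.group(1).decode("ascii"), len(m.group(2))))
    return findings

if __name__ == "__main__":
    for stamp, user, n in find_cleartext_password_changes(SAMPLE_TRACE):
        print(f"{stamp}: cleartext password ({n} chars) sent for user {user}")
```

Any hit means the trace file itself now holds a credential, so the file needs the same handling as the password and the account should be rotated.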
