| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.server -> Re: How database passwords can tranmit via network...
nirav wrote:
> I do not know & want to know how this happens...Say I login as system
> using sqlplus from my pc to the server ..now how can someone get to
> know the password?(i mean what he needs to do to get the password?)
He cannot using just a sniffer. Oracle authentication is NOT done in clear text like other application protocols (e.g. POP3). The password that you supply as part of the connection string is not transmitted as clear text.
>From what I've traced it seems that the OCI driver encrypts the
password and transmits it using an OCI AUTH packet. It payload looks as
follows:
==
00 06 5b bf 00 cf 00 50 f0 29 9c 00 08 00 45 00 ..[....P .)....E. 00 91 9c b0 40 00 3f 06 f9 85 9b ef 2f 0d a5 94 ....@.?. ..../... 34 a0 05 f1 d9 6d 0d 0d 19 bd f9 66 69 05 80 18 4....m.. ...fi... 80 00 e1 65 00 00 01 01 08 0a 06 28 b4 ba 5f 99 ...e.... ...(.._.2d 64 00 5d 00 00 06 00 00 00 00 00 08 01 01 01 -d.].... ........ 0c 0c 41 55 54 48 5f 53 45 53 53 4b 45 59 01 20 ..AUTH_S ESSKEY. 20 30 39 35 46 41 30 41 34 43 46 32 41 41 46 43 095FA0A 4CF2AAFC 38 39 31 41 32 42 33 43 41 38 39 30 37 46 43 46 891A2B3C A8907FCF 33 00 04 01 01 00 00 00 00 00 00 00 00 00 00 00 3....... ........ 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 ........ ....... ==
This is similar to what Windows NetBIOS authentication does (which l0pht easily cracked in the 90's using a brute force method).
So one should assume that this authentication can be cracked - the ease of which is dependant on the strenght of the encryption method used. (hoping it is not as lightweight as the Windows NetBIOS method)
Doing this via SSL will of course provide another, and very strong, encryption layer to it.
-- BillyReceived on Tue Aug 02 2005 - 07:26:11 CDT
 |
 |