Re: How database passwords can transmit via network...

From: Maxim Demenko <mdemenko_at_arcor.de>
Date: Tue, 02 Aug 2005 18:20:51 +0200
Message-ID: <42ef9e78$0$6968$9b4e6d93@newsread2.arcor-online.net>


Billy wrote:
> nirav wrote:
>
>> I do not know & want to know how this happens...Say I login as system
>> using sqlplus from my pc to the server ..now how can someone get to
>> know the password?(i mean what he needs to do to get the password?)
>
> He cannot using just a sniffer. Oracle authentication is NOT done in
> clear text like other application protocols (e.g. POP3). The password
> that you supply as part of the connection string is not transmitted as
> clear text.
>
> From what I've traced it seems that the OCI driver encrypts the
> password and transmits it using an OCI AUTH packet. Its payload looks as
> follows:
> ==
> 00 06 5b bf 00 cf 00 50 f0 29 9c 00 08 00 45 00 ..[....P .)....E.
> 00 91 9c b0 40 00 3f 06 f9 85 9b ef 2f 0d a5 94 ....@.?. ..../...
> 34 a0 05 f1 d9 6d 0d 0d 19 bd f9 66 69 05 80 18 4....m.. ...fi...
> 80 00 e1 65 00 00 01 01 08 0a 06 28 b4 ba 5f 99 ...e.... ...(.._.
> 2d 64 00 5d 00 00 06 00 00 00 00 00 08 01 01 01 -d.].... ........
> 0c 0c 41 55 54 48 5f 53 45 53 53 4b 45 59 01 20 ..AUTH_S ESSKEY.
> 20 30 39 35 46 41 30 41 34 43 46 32 41 41 46 43 095FA0A 4CF2AAFC
> 38 39 31 41 32 42 33 43 41 38 39 30 37 46 43 46 891A2B3C A8907FCF
> 33 00 04 01 01 00 00 00 00 00 00 00 00 00 00 00 3....... ........
> 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 ........ .......
> ==
>
> This is similar to what Windows NetBIOS authentication does (which
> l0pht easily cracked in the 90's using a brute force method).
>
> So one should assume that this authentication can be cracked - the ease
> of which is dependent on the strength of the encryption method used.
> (hoping it is not as lightweight as the Windows NetBIOS method)
>
> Doing this via SSL will of course provide another, and very strong,
> encryption layer to it.
>
> --
> Billy
>

In addition, although the login will be encrypted by default, the SQL itself will not. Statements such as "create user ... identified by ..." or "alter user ... identified by ..." can also be easily captured with tcpdump or ethereal, so Net8 over SSL may be the simplest but very effective way to secure your traffic. Another option could be ASO/ANO.

Best regards

Maxim

Received on Tue Aug 02 2005 - 11:20:51 CDT
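
The ASO/ANO option mentioned in the reply above is configured in sqlnet.ora. As an added example (not part of the original thread), this Python code applies Oracle's documented negotiation rule for SQLNET.ENCRYPTION_SERVER and SQLNET.ENCRYPTION_CLIENT to report which client settings would still leave SQL in cleartext. The parameter names come from Oracle's documentation rather than the posts, the sample files are constructed, and both sides are assumed to share an algorithm.

```python
import re

# Negotiation levels accepted by SQLNET.ENCRYPTION_SERVER / SQLNET.ENCRYPTION_CLIENT.
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT = "ACCEPTED"  # level in effect when the parameter is not set

# Constructed sample sqlnet.ora contents (not taken from the thread).
DEFAULT_SERVER = "NAMES.DIRECTORY_PATH = (TNSNAMES)\n"
HARDENED_SERVER = """\
# server-side sqlnet.ora
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
"""

def read_level(sqlnet_ora, param):
    """Return the negotiation level set for `param`, or the default."""
    for line in sqlnet_ora.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = re.match(r"\s*([\w.]+)\s*=\s*\(?\s*(\w+)", line)
        if m and m.group(1).upper() == param:
            value = m.group(2).upper()
            if value not in LEVELS:
                raise ValueError(f"{param}: unknown level {value!r}")
            return value
    return DEFAULT

def negotiate(client, server):
    """Outcome of the handshake for one client/server level pair."""
    pair = {client, server}
    if pair == {"REQUIRED", "REJECTED"}:
        return "connection refused"           # one side insists, the other refuses
    if "REJECTED" in pair or pair == {"ACCEPTED"}:
        return "cleartext"                    # nobody asked for encryption
    return "encrypted"

def cleartext_clients(server_sqlnet_ora):
    """Client levels whose sessions would carry SQL unencrypted."""
    server = read_level(server_sqlnet_ora, "SQLNET.ENCRYPTION_SERVER")
    return [c for c in LEVELS if negotiate(c, server) == "cleartext"]

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_SERVER), ("hardened", HARDENED_SERVER)):
        exposed = cleartext_clients(cfg)
        print(f"{name}: clients sending cleartext SQL -> {exposed or 'none'}")
```

Only a server level of REQUIRED guarantees that no session falls back to cleartext, because a client that rejects encryption is then refused instead of served unencrypted.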