Database Authentication

When a client authenticates to the server, Oracle encrypts the password rather than sending it across the wire in clear text, as most other RDBMSes do. Here's how the authentication process works. First, the client connects to the TNS Listener and requests access to the RDBMS, specifying its SID. Provided the SID is valid, the Listener responds with a TCP port and redirects the client to this port. On connecting to an Oracle shadow process on this port, the client presents its username:

CLIENT to SERVER
00 c4 00 00 06 00 00 00 00 00 03 76 02 e0 91 d3  (           v    )
00 06 00 00 00 01 00 00 00 cc a2 12 00 04 00 00  (                )
00 9c a0 12 00 8c a4 12 00 06 73 79 73 74 65 6d  (          system)
0d 00 00 00 0d 41 55 54 48 5f 54 45 52 4d 49 4e  (     AUTH_TERMIN)
41 4c 07 00 00 00 07 47 4c 41 44 49 55 53 00 00  (AL     GLADIUS  )
00 00 0f 00 00 00 0f 41 55 54 48 5f 50 52 4f 47  (       AUTH_PROG)
52 41 4d 5f 4e 4d 0b 00 00 00 0b 73 71 6c 70 6c  (RAM_NM     sqlpl)
75 73 2e 65 78 65 00 00 00 00 0c 00 00 00 0c 41  (us.exe         A)
55 54 48 5f 4d 41 43 48 49 4e 45 12 00 00 00 12  (UTH_MACHINE     )
57 4f 52 4b 47 52 4f 55 50 5c 47 4c 41 44 49 55  (WORKGROUP\GLADIU)
53 00 00 00 00 00 08 00 00 00 08 41 55 54 48 5f  (S          AUTH_)
50 49 44 08 00 00 00 08 38 37 32 3a 32 34 33 36  (PID     872:2436)
00 00 00 00                                      (    )

Here you can see the client is attempting to authenticate as the “SYSTEM” user. If the user exists on the remote system, the server responds with a session key:

SERVER TO CLIENT
00 87 00 00 06 00 00 00 00 00 08 01 00 0c ...
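As an added example (not code from the book), the Python below parses the CLIENT to SERVER packet dumped above and extracts the username and the AUTH_* key/value pairs, as a defender might when reviewing captured logons. The field layout and the fixed offsets (17, 29, 41) are assumptions read off this one capture, not a protocol specification, and the names `read_field` and `parse_logon` are hypothetical.

```python
import struct

# Bytes of the CLIENT to SERVER packet, copied from the dump on the page.
PACKET = bytes.fromhex("""
00 c4 00 00 06 00 00 00 00 00 03 76 02 e0 91 d3
00 06 00 00 00 01 00 00 00 cc a2 12 00 04 00 00
00 9c a0 12 00 8c a4 12 00 06 73 79 73 74 65 6d
0d 00 00 00 0d 41 55 54 48 5f 54 45 52 4d 49 4e
41 4c 07 00 00 00 07 47 4c 41 44 49 55 53 00 00
00 00 0f 00 00 00 0f 41 55 54 48 5f 50 52 4f 47
52 41 4d 5f 4e 4d 0b 00 00 00 0b 73 71 6c 70 6c
75 73 2e 65 78 65 00 00 00 00 0c 00 00 00 0c 41
55 54 48 5f 4d 41 43 48 49 4e 45 12 00 00 00 12
57 4f 52 4b 47 52 4f 55 50 5c 47 4c 41 44 49 55
53 00 00 00 00 00 08 00 00 00 08 41 55 54 48 5f
50 49 44 08 00 00 00 08 38 37 32 3a 32 34 33 36
00 00 00 00
""")

def read_field(buf, pos):
    """Read uint32 LE length, a 1-byte copy of that length, then the bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    if pos + 5 + n > len(buf) or buf[pos + 4] != n:
        raise ValueError(f"malformed field at offset {pos}")
    return buf[pos + 5:pos + 5 + n], pos + 5 + n

def parse_logon(pkt):
    """Return (username, {AUTH_* key: value}) from the logon packet."""
    (tns_len,) = struct.unpack_from(">H", pkt, 0)   # TNS length is big-endian
    if tns_len != len(pkt) or pkt[4] != 0x06:       # 0x06 = TNS data packet
        raise ValueError("not a complete TNS data packet")
    # Offsets below are observed in this capture only (assumption).
    (user_len,) = struct.unpack_from("<I", pkt, 17)
    (npairs,) = struct.unpack_from("<I", pkt, 29)
    if pkt[41] != user_len:
        raise ValueError("username length mismatch")
    user = pkt[42:42 + user_len].decode("ascii")
    pos, pairs = 42 + user_len, {}
    for _ in range(npairs):
        key, pos = read_field(pkt, pos)
        val, pos = read_field(pkt, pos)
        pos += 4                                    # 4 bytes, all zero here
        pairs[key.decode("ascii")] = val.rstrip(b"\x00").decode("ascii")
    if pos != len(pkt):
        raise ValueError("trailing bytes after last pair")
    return user, pairs
```

Every value recovered here is supplied by the client, so AUTH_PROGRAM_NM, AUTH_MACHINE and the rest are useful for logging and triage but should not be trusted as proof of what is connecting.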
