4.2. Attacks Against the Crypto Aspects

Getting password hashes from the database is a trivial task, as this book will, of course, show. Brute-forcing Oracle password hashes can be done, but the longer the password, the longer it takes. For very long passwords, rather than brute-forcing them, there is another attack that yields the clear text quickly. If an attacker who holds the hash but wants the clear text can sniff the AUTH_SESSKEY and AUTH_PASSWORD exchange on the wire, they can obtain the clear-text password instantly. They decrypt AUTH_SESSKEY with the known hash to get the secret number, then use that secret number to decrypt AUTH_PASSWORD, and out pops the clear text — no matter how long it is. Sniffing the exchange is the real obstacle — but this shouldn't be shrugged off with a belief such as "Well, I've got bigger problems if they've got my password hashes and can capture traffic off the wire." In switched environments, attacks aimed at ARP can lead to traffic being broadcast on the local wire, meaning everyone can capture it. On plain broadcast networks (e.g., Ethernet using plain hubs) the attacker needs no such trick: a sniffer running in promiscuous mode picks up the exchange directly. Hosts or gateways somewhere in the middle between client and server can be compromised and used as strategic sniffers. Yes, you do have big problems if someone can do this, but the point is that attackers can and do do this!
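The structural weakness described above, as an added toy model that is not the book's code and does not use Oracle's real algorithms: the hash function, the cipher (a SHA-256 counter keystream stand-in), the message layout and the sample credentials are all constructed for illustration; only the shape of the exchange follows the text, with the session key encrypted under the stored hash and the password encrypted under the session key. It shows why the stored hash is password-equivalent and why the wire carrying this exchange must be protected.

```python
import hashlib
import hmac
import os


def stream_xor(key, data, label):
    """Stand-in symmetric cipher (NOT Oracle's): XOR with a SHA-256 counter
    keystream. Encrypting and decrypting are the same operation."""
    keystream = b""
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def password_hash(username, password):
    """Stand-in for the verifier stored in the database (not Oracle's hash)."""
    return hashlib.sha256(f"{username.upper()}:{password}".encode()).digest()


def server_challenge(stored_hash):
    """Server picks a random session key and sends it encrypted under the
    stored hash: this models the AUTH_SESSKEY step of the exchange."""
    session_key = os.urandom(16)
    return session_key, stream_xor(stored_hash, session_key, b"sesskey")


def client_response(username, password, auth_sesskey):
    """Client recovers the session key with its own hash of the password and
    returns the password encrypted under it: the AUTH_PASSWORD step."""
    session_key = stream_xor(password_hash(username, password), auth_sesskey, b"sesskey")
    return stream_xor(session_key, password.encode(), b"password")


def server_verify(username, stored_hash, session_key, auth_password):
    """Server decrypts AUTH_PASSWORD with the session key and checks the hash."""
    guess = stream_xor(session_key, auth_password, b"password").decode(errors="replace")
    return hmac.compare_digest(password_hash(username, guess), stored_hash)


def password_from_hash_and_capture(stored_hash, auth_sesskey, auth_password):
    """The weakness in the text: whoever holds the stored hash and one sniffed
    exchange gets the clear text in two decryptions, whatever its length.
    The hash is therefore password-equivalent, so both the hash store and
    the wire carrying the exchange need protecting."""
    session_key = stream_xor(stored_hash, auth_sesskey, b"sesskey")
    return stream_xor(session_key, auth_password, b"password").decode()
```

Brute-force cost in this model grows with password length exactly as in the text, while the two-decryption recovery is constant time; that contrast is the design lesson, not the toy cipher itself.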

The following code ...
