
Pete Finnigan's Oracle security weblog




The Oracle listener password algorithm

February 1st, 2010 by Pete


There has been a thread on my forum for a couple of years discussing the Oracle listener password algorithm. The thread is titled "Key and algo for encrypting the listener password". It discussed the fact that, in some versions of Oracle, it was possible to pass the hash to log in to the listener. Pass-the-hash is a technique security people use to find weaknesses in authentication mechanisms, and it was evident in the listener because the listener in 9i and lower supported two authentication mechanisms, one of which tested the supplied password against the value added in clear text to the listener.ora file. This had a flaw: the hashed password could also be used in place of the clear-text password. The listener password algorithm in 9i and lower was the same as the database password algorithm, except that the listener doesn't have a username, so an arbitrary user name was used instead.

In 10g and 11g the listener is authenticated via local (OS) authentication, but it is still possible to enable a password for remote authentication, although this is not recommended. The password authentication mechanism in 10g and 11g is different from the 9i one. I was aware of how it worked, but usefully Marcell Major has now released a short paper describing the algorithm, titled "Oracle listener password encryption". There is also a demo program written in Python available to download.
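The pre-11g database password algorithm that the 9i listener shares (DES in CBC mode under a fixed key, then a second pass under the last ciphertext block) is shown below as an added worked example. It is not code from this post or from Marcell Major's paper and demo program. It assumes either pycryptodome (`Crypto.Cipher.DES`) or the `cryptography` package for the DES primitive. The post does not say which fixed user name the listener substitutes, so the example takes a database user name and is checked against the well-known default database account hashes (SCOTT/TIGER, SYSTEM/MANAGER, SYS/CHANGE_ON_INSTALL), which are used here as test vectors. The `verify_password` helper shows what a correct check looks like: the stored hash presented as the password must not authenticate.

```python
"""Pre-11g Oracle password hash (the algorithm the 9i listener shared).

Added example, not code from the page or from Marcell Major's paper.
Assumes pycryptodome (Crypto.Cipher.DES) or the `cryptography` package
for single-DES-CBC. The user/password pairs below are the classic Oracle
default accounts, used here as constructed test vectors.
"""
import hmac

FIXED_KEY = bytes.fromhex("0123456789ABCDEF")  # the well-known fixed DES key
ZERO_IV = bytes(8)                               # CBC with an all-zero IV


def _des_cbc_encrypt(key: bytes, data: bytes) -> bytes:
    """Single DES, CBC mode, zero IV, no padding (data is already 8-aligned)."""
    try:
        from Crypto.Cipher import DES  # pycryptodome
        return DES.new(key, DES.MODE_CBC, ZERO_IV).encrypt(data)
    except ImportError:
        pass
    # Fallback: cryptography's TripleDES with an 8-byte key repeats the key
    # three times (K1 == K2 == K3), which is single DES.
    try:
        from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
    except ImportError:
        from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
    from cryptography.hazmat.primitives.ciphers import Cipher, modes
    enc = Cipher(TripleDES(key), modes.CBC(ZERO_IV)).encryptor()
    return enc.update(data) + enc.finalize()


def oracle_pre11g_hash(username: str, password: str) -> str:
    """Return the 16-hex-digit uppercase hash as stored in SYS.USER$.PASSWORD."""
    # 1. Concatenate user name and password; the algorithm is case-insensitive.
    plain = (username + password).upper()
    # 2. Each character becomes two bytes with the high byte zero (UTF-16BE),
    #    then NUL-pad to a multiple of the 8-byte DES block.
    buf = plain.encode("utf-16-be")
    buf += bytes(-len(buf) % 8)
    # 3. DES-CBC under the fixed key; the last ciphertext block becomes a new key.
    derived_key = _des_cbc_encrypt(FIXED_KEY, buf)[-8:]
    # 4. DES-CBC the same buffer under the derived key; the last block is the hash.
    return _des_cbc_encrypt(derived_key, buf)[-8:].hex().upper()


def verify_password(username: str, candidate: str, stored_hash: str) -> bool:
    """Correct check: hash the candidate and compare, in constant time.

    Presenting the stored hash string itself as the candidate fails here,
    which is exactly what the 9i listener's clear-text mechanism got wrong.
    """
    return hmac.compare_digest(oracle_pre11g_hash(username, candidate),
                               stored_hash.upper())


# Constructed test vectors: the classic Oracle default accounts.
DEFAULT_ACCOUNTS = {
    ("SCOTT", "TIGER"): "F894844C34402B67",
    ("SYSTEM", "MANAGER"): "D4DF7931AB130E37",
    ("SYS", "CHANGE_ON_INSTALL"): "D4C5016086B2DC6A",
}


def check_defaults() -> bool:
    """True if every default account hashes to its published value."""
    return all(oracle_pre11g_hash(u, p) == h for (u, p), h in DEFAULT_ACCOUNTS.items())


if __name__ == "__main__":
    for (u, p), h in DEFAULT_ACCOUNTS.items():
        print(f"{u}/{p}: {oracle_pre11g_hash(u, p)} (expected {h})")
    print("pass-the-hash accepted:",
          verify_password("SCOTT", "F894844C34402B67", "F894844C34402B67"))
```

Because the user name is folded into the plaintext, the same password gives a different hash for each user, and two users with the same password cannot be spotted by comparing hashes; the listener, having no user name, loses that property, which is one reason its hash was as good as the password itself once the listener accepted it directly.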


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
