
Pete Finnigan's Oracle security weblog


The Oracle listener password algorithm

February 1st, 2010 by Pete

There has been a thread on my forum for a couple of years discussing the Oracle listener password algorithm. The thread is titled "Key and algo for encrypting the listener password". It discussed the issue of being able, in some versions of Oracle, to pass the hash to log in. This is a technique used by security people to discover weaknesses in authentication mechanisms, and it was evident in the listener because the listener in 9i and lower supported two authentication mechanisms, one of which was to test the password that was added in clear text to the listener.ora file. This had a flaw, as the hashed password could also be used. The listener password algorithm in 9i and lower was the same as the database password algorithm, except that the listener doesn't use a username, so an arbitrary user was used instead.

The listener is authenticated via local authentication in 10g and 11g, but it's still possible to enable a password for remote authentication, although this is not recommended. The password authentication mechanism is different in 10g and 11g. I was aware of how it worked, but usefully Marcell Major has now released a short paper describing the algorithm. This is in a paper titled "Oracle listener password encryption". There is also a demo program written in Python available to download.
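As an added illustration (not code from this post or from Marcell Major's paper), the following audit sketch flags listener password entries in a listener.ora file according to the behaviour described above. The function name, the sample file contents, and the assumption that a 9i-style stored hash is 16 hex characters are mine.

```python
import re

# Constructed sample listener.ora (illustrative values, not from a real system).
SAMPLE = """\
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
PASSWORDS_LISTENER = (changeme)
PASSWORDS_LSNR2 = 0123456789ABCDEF
# PASSWORDS_OLD = (retired)
"""

ENTRY = re.compile(r"^\s*PASSWORDS_(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)
# Assumption: a 9i-style stored hash is 16 hex characters, like the database hash.
HEX16 = re.compile(r"^[0-9A-Fa-f]{16}$")


def audit_listener_ora(text, major_version):
    """Return one finding per listener password entry; values are never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out entries are not active
        m = ENTRY.match(line)
        if not m:
            continue
        listener = m.group(1).upper()
        values = [v.strip() for v in m.group(2).strip("()").split(",") if v.strip()]
        for value in values:
            if major_version >= 10:
                kind = "password-set"
                note = "password enabled for remote authentication; not recommended"
            elif HEX16.match(value):
                kind = "hash"
                note = "stored hash is itself accepted as a credential (pass the hash)"
            else:
                kind = "cleartext"
                note = "clear-text password readable by anyone who can read the file"
            findings.append({"listener": listener, "line": lineno, "kind": kind, "note": note})
    return findings


if __name__ == "__main__":
    for f in audit_listener_ora(SAMPLE, major_version=9):
        print(f"{f['listener']} (line {f['line']}): {f['kind']} - {f['note']}")
```

On 9i and lower both kinds of entry give anyone who can read listener.ora a working credential, so the file's permissions matter as much as the password itself.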


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
