February 17, 2007

Sniffing Oracle authentication: Downgrade Attack

Once again, Oracle is the subject.
If you have read my previous post about Oracle authentication, you should have learned that eavesdropping attacks against Oracle's authentication mechanisms are now a documented technique and should be taken seriously while hardening your RDBMS and network design. Following Litchfield's technical details, Laszlo Toth has just published the results of his research on the same subject as a demonstration paper. In this paper four versions of the Oracle native authentication mechanism are tried, and the actual attack becomes possible by downgrading to a vulnerable version of the authentication mechanism. Remember the recent upgrades in CAIN 4.2 and 4.3? You're right, I'm talking about the new feature of CAIN that lets the attacker downgrade the NTLM-2 S.KEY to an easy-to-crack type by injecting a known (attacker-defined) S.KEY with the help of a MITM attack. In both the Oracle and NTLM cases the client will face a disconnect/failed authentication. Now here's the way a hacker can own your Oracle authentication packets in flight. As you'll read in the paper, the author did not disclose any technical details of the attack's implementation. Disappointing, huh? But if you've been a reader of my blog you've already got the details on how to implement such an attack ;)
Although the attack described by D. Litchfield is a bit different, the idea is actually the same. I'm not sure who was the first to implement this attack as a working tool, but after a chat with some friends I found that private implementations are already in the hands of various researchers. Let's see how this new game goes on...
Finally, if you were blind while reading this new paper, I should remind you of the power of Ettercap: its architecture lets you code your own plugins. Hopefully this attack can be implemented as an Ettercap plugin without going into too much detail. The hard part is the MITM, which Ettercap will handle nicely. The TODO tasks are decoding the transmitted SKEY and response hash from the captured packets and finally brute-forcing. Both are already well documented and have open-source tools released for them. I'll leave this final part as an exercise for readers: google the missing puzzle pieces and fit them together.
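
From the defender's side, the one symptom the post does give you is that victims of the downgrade see their logon interrupted and fail. The following Python is an added example (not code from this post, from Toth's paper or from Litchfield's work) that turns that symptom into a check: it scans audit records shaped like DBA_AUDIT_TRAIL rows (USERHOST, USERNAME, TIMESTAMP, ACTION_NAME, RETURNCODE) and raises an alert when one client host accumulates several ORA-01017 logon failures within a short window. The pipe-delimited layout, the sample rows, and the window and threshold values are assumptions constructed for the example.

```python
"""Flag bursts of failed Oracle logons (ORA-01017) per client host.

Added example, not from the original post. Input rows are assumed to
carry the DBA_AUDIT_TRAIL columns USERHOST, USERNAME, TIMESTAMP,
ACTION_NAME and RETURNCODE, exported pipe-delimited (an assumption made
for this example). The sample rows below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGON = 1017  # RETURNCODE for ORA-01017: invalid username/password

# Constructed sample rows: userhost|username|timestamp|action_name|returncode
# ws-12 shows four failures across three accounts inside eight seconds,
# ws-40 shows two isolated failures fifteen minutes apart.
SAMPLE_AUDIT_ROWS = """\
ws-12|SCOTT|2007-02-17 22:10:01|LOGON|0
ws-12|SCOTT|2007-02-17 22:10:04|LOGON|1017
ws-12|HR|2007-02-17 22:10:06|LOGON|1017
ws-12|SCOTT|2007-02-17 22:10:09|LOGON|1017
ws-12|OE|2007-02-17 22:10:12|LOGON|1017
ws-40|HR|2007-02-17 22:11:00|LOGON|0
ws-40|HR|2007-02-17 22:30:00|LOGON|1017
ws-40|HR|2007-02-17 22:45:00|LOGON|1017
"""


def parse_rows(text):
    """Parse the pipe-delimited export into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, ts, action, rc = line.split("|")
        rows.append({
            "userhost": host,
            "username": user,
            "timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "action_name": action,
            "returncode": int(rc),
        })
    return rows


def detect_failed_logon_bursts(rows, window_seconds=60, threshold=3):
    """Return {userhost: alert} for every host that produced at least
    `threshold` failed logons inside any span of `window_seconds`.

    Each alert records the first and last timestamp of the burst, the
    largest number of failures seen inside one window, and the set of
    account names involved (several accounts from one host is the more
    telling pattern).
    """
    failures = defaultdict(list)
    for r in rows:
        if r["action_name"] == "LOGON" and r["returncode"] == FAILED_LOGON:
            failures[r["userhost"]].append(r)

    alerts = {}
    for host, events in failures.items():
        events.sort(key=lambda r: r["timestamp"])
        window = deque()  # sliding window of failures within window_seconds
        for ev in events:
            window.append(ev)
            while (ev["timestamp"] - window[0]["timestamp"]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                alert = alerts.setdefault(host, {
                    "first": window[0]["timestamp"],
                    "last": ev["timestamp"],
                    "count": 0,
                    "users": set(),
                })
                alert["last"] = ev["timestamp"]
                alert["count"] = max(alert["count"], len(window))
                alert["users"].update(e["username"] for e in window)
    return alerts


if __name__ == "__main__":
    for host, alert in detect_failed_logon_bursts(parse_rows(SAMPLE_AUDIT_ROWS)).items():
        print(f"{host}: {alert['count']} failed logons for {sorted(alert['users'])} "
              f"between {alert['first']} and {alert['last']}")
```

A burst of failures from one host across several accounts is the pattern to look at, but application misconfiguration and password rotations produce the same rows, so treat an alert as a reason to check the network segment (the attack needs an active MITM between client and listener) rather than as proof of one.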

[Updated: 11:41pm]
It seems securityFocus.com listed this topic too.


  1. Hi my friend ... I just saw your weblog, I didn't know you had a weblog ... I enjoyed it very much ... I haven't seen you in a long time, what are you up to ;)?

  2. Hi!
    How are you? Nothing special is going on, I'm busy with life.
    Drop me an email/message.