Back to our subject: sniffing RDBMS authentications and dumping usernames/passwords from network traffic is, in most cases, just a matter of identifying the clear-text or hash value of the passwords. In Oracle, however, this process is a bit more complex due to the mechanism used. While playing with Oracle and trying to figure out how it transmits passwords over the network, I noticed that Oracle strangely switches the connection to a high port and continues the process there. Again, nothing was in clear-text nor in the usual manner. Checking public resources and Oracle documentation could not help, since Oracle seems to have decided not to release any information about it. After multiple tries querying public lists for an answer, nothing leaked out, until the DBSec mailing list was founded by NGSSoftware researchers led by D. Litchfield. I shot my old spam to this new list again, and wow, after a while I finally had the answer. David's answer is clear enough, so I'm not going to rewrite it here, but any questions are welcome. What he replied to me is actually part of his upcoming book, which will be available at the end of this month. This post to the mailing list was later mentioned in NGSSoftware's new paper about Oracle passwords and now seems to be the only FAQ about the topic on the net, so I decided to mention it here again.
Of course this is not the ultimate answer (while it solves the mystery), but the information and PoC provided are enough for developing the first brand-new Oracle password sniffer, which is my plan to do in future. Referring to my past blog post, Oracle servers are considered the heart of most of the targets we may face in an assessment or penetration test. While playing with a server running any version of Oracle, you can be sure that even a strictly limited user will lead to full compromise of the server and its information, and that's why we've called Oracle an "Enterprise-Bug" before this ;)
Btw, Litchfield's new book on Oracle security will be out in a few days. Have you pre-ordered it? :)
[updated 01 February 2007]
I noticed that this topic has been covered somewhere else, before D. Litchfield discussed it in detail. Pete Finnigan has updated his blog, and there you can find more about the first real discussion of this topic. However, in the old paper mentioned by Finnigan there are no details focused on password stealing. It seems this has been an old known flaw in the Oracle protocol which was researched more in depth by Litchfield.