If you know neither the enemy nor yourself, you will succumb in every battle.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
But if you know the enemy and know yourself, you need not fear the result of a hundred battles.
The Art of War (Sun Tzu)
Oracle Windows authentication

Introduction

I gave a presentation at Hacktivity 2009 which details the following problems regarding Windows authentication in Oracle databases:
  • Windows authentication support is part of the default configuration.
  • If both the client and the server are configured to support Windows authentication, they always perform Windows authentication, even when native Oracle authentication is used.
  • Windows Kerberos authentication can be downgraded to NTLM-based authentication with a MITM (man-in-the-middle) attack.
Additionally, it describes the following:
  • The 11g JDBC thin driver supports the 11g authentication method; this can be downgraded to the 8i version by flipping a single bit.
  • I developed a proxy application in Python that is able to hijack an Oracle connection (the supported platforms are limited).
  • I developed a module for squirtle. The module can be used against an Oracle database where Windows authentication is used.
All of the code should be considered proof-of-concept code; use it at your own responsibility.
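A quick check for the first two points above, added here as an example and not part of the presentation or of the author's tools: Windows native authentication in Oracle Net is switched on by the SQLNET.AUTHENTICATION_SERVICES parameter in sqlnet.ora (NTS enables it, NONE disables it), and it is the combination of the client's and the server's sqlnet.ora that decides whether the Windows handshake happens. The script parses that parameter out of sqlnet.ora contents and reports whether the two sides will negotiate Windows authentication. The sample file contents are constructed, and the function names are mine.

```python
"""Report whether sqlnet.ora contents enable Windows native (NTS) authentication.

Added example, not code from the original page or from the author's tools.
SQLNET.AUTHENTICATION_SERVICES is a real Oracle Net parameter; the sample
sqlnet.ora fragments below are constructed for this example.
"""
import re
from typing import List, Optional

# Constructed sample: a sqlnet.ora with Windows native authentication enabled,
# the setting the page describes as the default configuration.
DEFAULT_WINDOWS_SQLNET_ORA = """
# sqlnet.ora Network Configuration File
SQLNET.AUTHENTICATION_SERVICES = (NTS)
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
"""

# Constructed sample: the same file with Windows authentication disabled, so the
# client and server use only native Oracle (password) authentication.
HARDENED_SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (NONE)   # no NTS, no Kerberos-to-NTLM downgrade surface
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
"""

# Matches "SQLNET.AUTHENTICATION_SERVICES = (A, B)" or "= A"; the value list is
# captured up to a closing parenthesis or a trailing "#" comment.
_PARAM_RE = re.compile(
    r"^SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(?([^)#]*)\)?",
    re.IGNORECASE,
)


def authentication_services(sqlnet_ora: str) -> List[str]:
    """Return the configured authentication services, upper-cased.

    Comment lines start with '#'. An empty list means the parameter is not set
    in this fragment, in which case the platform default applies and the file
    alone cannot tell you what will be negotiated.
    """
    for line in sqlnet_ora.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _PARAM_RE.match(stripped)
        if match:
            return [s.strip().upper() for s in match.group(1).split(",") if s.strip()]
    return []


def windows_auth_enabled(sqlnet_ora: str) -> Optional[bool]:
    """True if NTS is listed, False if the parameter is set without NTS, None if unset."""
    services = authentication_services(sqlnet_ora)
    if not services:
        return None
    return "NTS" in services


def negotiates_windows_auth(client_ora: str, server_ora: str) -> Optional[bool]:
    """Combine both sides: Windows authentication happens only if both enable NTS.

    Returns False as soon as either side explicitly excludes NTS, True when both
    explicitly include it, and None when a side leaves the parameter unset.
    """
    client, server = windows_auth_enabled(client_ora), windows_auth_enabled(server_ora)
    if client is False or server is False:
        return False
    if client and server:
        return True
    return None


if __name__ == "__main__":
    for name, ora in (("default", DEFAULT_WINDOWS_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(f"{name}: services={authentication_services(ora)} nts={windows_auth_enabled(ora)}")
    print("client default + server hardened ->",
          negotiates_windows_auth(DEFAULT_WINDOWS_SQLNET_ORA, HARDENED_SQLNET_ORA))
```

Run it against the sqlnet.ora of a real client and server (both files matter) to see whether the Windows handshake, and with it the Kerberos-to-NTLM downgrade described above, is reachable at all before looking for it on the wire.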

Links:

Presentation
Flash demo how to hijack an Oracle connection
Flash demo how to downgrade 11g authentication when JDBC thin driver is used
Flash demo how to use the module for squirtle
The module for squirtle, a Python script for Immunity Debugger
pytnsproxy
Disclaimer
The views, opinions and thoughts in this homepage are the views, opinions and thoughts of the writer of this homepage and do not represent the views, opinions or thoughts of any past or current employer of the writer or any other third person. The content is provided 'as is' without warranty of any kind. Use at your own responsibility.  Laszlo may be contacted on donctl@gmail.com.