Oracle getting anyone’s password

I just published a blog post on how to get the oracle database link password if for some reason we have forgotten it.Brian Fitzgerald respond to me with :

Indeed this is a very good point ! And here is how we can do that using GDB :

Based on my previous work using pintools i have identified the function “r0_aes_cbc_loop_dec_x86_intel” used for decrypting the password and the offset of interest inside it.


Test ENV : oracle

Attach to the listener using GDB and after setting some parameter on it try to connect from another session (in this case user : hatem / password :  hatemmahmoud)


The password in raw format is at the last line :

0x68, 0x61, 0x74, 0x65, 0x6d, 0x6d, 0x61, 0x68, 0x6d, 0x6f, 0x75, 0x64

select utl_raw.cast_to_varchar2 ('686174656d6d61686d6f7564') from dual;
1 row selected.

This is only a very quick demo for demonstration purpose and far from being exhaustive  ,more elaborated work can be done !

UPDATE : Here is another example using systemtap in this case (It’s in the BONUS part  a simple user/password sniffer 🙂 ) systemtap probe at specific oracle function offset + BONUS

That’s it 😀

One thought on “Oracle getting anyone’s password

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s