I just published a blog post on how to get the Oracle database link password if for some reason we have forgotten it. Brian Fitzgerald responded to me with:
@Hatem__Mahmoud if you can trace listener across fork, you can get anyone’s password
— Brian Fitzgerald (@ExaGridDba) November 16, 2016
Indeed this is a very good point! And here is how we can do that using GDB:
Based on my previous work using pintools, I identified the function "r0_aes_cbc_loop_dec_x86_intel" used for decrypting the password, and the offset of interest inside it.
DEMO:
Test ENV: Oracle 12.1.0.2.6 / OEL6 / UEK4
Attach to the listener using GDB and, after setting some parameters on it, try to connect from another session (in this case user: hatem / password: hatemmahmoud).
The password in raw format is on the last line:
0x68, 0x61, 0x74, 0x65, 0x6d, 0x6d, 0x61, 0x68, 0x6d, 0x6f, 0x75, 0x64
select utl_raw.cast_to_varchar2('686174656d6d61686d6f7564') from dual;

UTL_RAW.CAST_TO_VARCHAR2('686174656D6D61686D6F7564')
--------------------------------------------------------------------------------
hatemmahmoud

1 row selected.
This is only a very quick demo for demonstration purposes and far from exhaustive; more elaborate work can be done!
UPDATE: Here is another example using SystemTap (in the BONUS part there is a simple user/password sniffer 🙂): systemtap probe at specific oracle function offset + BONUS
That’s it 😀