At the upcoming Black Hat Europe security conference, two researchers from
Trustwave will demonstrate how a man-in-the-middle attack on Oracle databases
can be leveraged to swipe user credentials and hijack sessions.

Armed with a new proof-of-concept tool, Trustwave Director of Security
Research Steve Ocepek and Security Consultant Wendel Henrique will demonstrate
how attackers can steal credentials by downgrading authentication mechanisms as
well as take over existing user sessions.

“We’re highlighting the dangers of man-in-the-middle by showing attacks that
go beyond what most people are familiar with,” Ocepek told eWEEK. “Wendel’s
downgrade attacks can fool a client into giving up weak hash values and even
Windows hashes, just by changing a few bytes of data. And the thicknet tool
completely takes over, and allows arbitrary SQL injection. These are not common
attacks, but they (creatively) exploit a known problem with plaintext data.”