Security Basics mailing list archives
Any security issue on DB2 client/server auth. over TCP 450 ?
From: "Hamid . K" <elite_netbios () yahoo com>
Date: Mon, 28 Mar 2005 12:20:28 -0800 (PST)
Hello list members , To ensure about some security parametrs I was looking for , I desiced to assess the DB2 server I`m taking care of . what I coudn`t find a good answer after some search was authentication staff. I wonder if it is possible to reveal authentication info ( user , pass or maybe both ? ) by capture authentication between a DB2 server and a DB-manager client such as DB2 universal client of IBM on win32 which comunicates to TCP 450 of DB2 server . of course authentication happens overe a crypted session ,but what kind of encryption and how much secure ? any known attack over this ? if it`s something to be analyzed , I`ve captured four unsuccessfull authentications like ( user:pass ~~ A:A B:B C:C D:D E:E 1:1 2:2 3:3 ) and one successfull authentication (last try) which I wont reveal directly untill some one do it :) or it`s needed to analyse packets to see how much secure is the prosess . it maybe usefull to know that I use normal/default authentication mechanism provided by client and didn`t changed anything related to auth. I just used "connect to {db-name} user {user-name}" in my client to connect to db.and normal try over visual interface by selecting DB and opening it after auth. ( here I captured packets) DB is running on linux and client , as mentioned win32. different auth mechanism based on client/server platform ? here is captured packets IF it`s needed. finally , any other port/auth. mechanism for DB2 I should take care of ? thank you in advance. Hamid.k __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Attachment:
auth-dump
Description: auth-dump
Current thread:
- Any security issue on DB2 client/server auth. over TCP 450 ? Hamid . K (Mar 29)