Restrict session to IP 
Questions  |  score: 8  |  Solved By 37 People  |  42144 views  |  since Apr 07, 2008 - 01:22:52

Agent Larry (Forensics, Crypto)

Agent Larry
One of our agents (codename Larry) was able to sniff Oracle network traffic deep in the Russian network.
First Larry obtained some traffic when users authenticated to the database, this traffic you can find

Afterwards, Larry sniffed some traffic when the database made some network backup.
When he realized how important this could be, the agent immediatly forwarded the traffic
to the headquarter, but unfortunately the transmission was stopped.
We could not make any contact to Larry anymore.

Our experts already analyzed this traffic, and were able to
restore the beginning of a database file, which you can find

Your goal is to obtain a valid username - password - connect identifier in the following form


This challenge fits in the Internet/Forensics section, so use google to find the right tool for it.
After you have found the tool, you need a lot of oracle dll's.
You can download it from Oracle official site (Oracle Database Client),
but I made a small client for this challenge, you can download it here:
Oracle DLLs

On the headquarter you found some analyzed Oracle traffic, maybe it will help you to understand
more Oracle TNS traffic. You can download it here:

And the last information for you, is that the clients were connecting to the
database via IP tunneling, but the traffic was captured after the tunneling was terminated.

You don't have too much time to solve this, so you think brute force is not the way...

If you cannot find the tool, don't worry, you will find it
Sooner or Later :)
Your solution for Agent Larry
© 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016 and 2017 by Z