Do the Oracle Database Built-in Password Protections prevent pass-the-hash or replay attacks?
Reading the "What Are the Oracle Database Built-in Password Protections?" section from http://docs.oracle.com/cd/B28359_01/network.111/b28531/authentication.htm#DBSEG30031, I see AES encryption is used as well as SHA-1 hashing.
I understand that data in transit over the network is unencrypted, but the initial session setup and authentication are supposed to not send the password in the clear.
So WITHOUT using Oracle Advanced Security (for full network layer encryption) does the built-in method prevent pass-the-hash or replay attacks?
Is there some type of nonce?
I'm guessing the AES is done with the user's password, or is the key exchanged some other way?