Esteban Martinez Fayo

IRL Name: 
Esteban Martinez Fayo

Esteban Martinez Fayo is a security researcher from Argentina who disclosed a security issue with the O5LOGON Oracle database authentication protocol (used in 11g: 11.1 and 11.2). This problem, known as CVE-2012-3137, makes it relatively simple for attackers to get hold of passwords using a brute-force attack on the encrypted (AES 192-bit) session key that is returned by the Oracle database when connecting. This means the password hash (a SHA-1 hash as of 11g) is no longer needed to brute-force the password. The information returned by the server at a very early stage of the authentication process (the encrypted session key, AUTH_SESSKEY, and the password salt value, AUTH_VFR_DATA) is enough.


Identified more than 120 issues in major products from vendors such as Oracle and IBM.

Presented at many international conferences such as Black Hat, DEF CON, Ekoparty, No cON Name and WebSec.