Penetration Testing mailing list archives
Re: [PEN-TEST] Oracle USER$ password hashes
From: Stefan Aeschbacher <stefan () AESCHBACHER COM>
Date: Thu, 9 Nov 2000 18:02:23 +0100
Hi

to find out what cipher is used, some more information would help. Unfortunately I have no access to an Oracle System. (and I'm not really a cryptanalyst, but we could give it a try anyway ;)

So the following would be needed:
- is there really a salt (just install two users with the same PW)
- some more plain-text/ciphertext pairs. maybe some special sequences (e.g. aaaaaaaa, a) would also help.

With this data some more research could be done. The other method would be the disassembling of the cryptocode in the Oracle program (which I'm not really eager to do).

Stefan

Olle Segerdahl wrote:
> On Thu, Nov 09, 2000 at 03:33:03PM +0100, Nicolas Gregoire wrote:
> > > Since the hashes are always the same for the same password, it most definitely isn't salted....
> > > ...
> > > change_on_install = D4C5016086B2DC6A
> > > manager = D4DF7931AB130E37
> >
> > Are the first 2 characters always "D4" ? It could be the fixed salt, ie.
> > $crypted = unknown-crypt("D4", $clear);
>
> Hmm.. I think you might be right, actually... The two passwords above are default on install, so the salt (and hash) is probably the same for all installations, just checked another db and the regular users passwords DO appear to be salted.... My mistake...
>
> Ok, so amendments to first post statements: Passwords are NOT case sensitive and there is probably one byte salt. Passwords are not limited to 7 or 8 chars, either....
>
> Anyone have a clue as to what it might be?
>
> /olle
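The checks proposed in this message (same password on two accounts, case variants, a shared leading byte) can be run mechanically over collected pairs. The sketch below is an added example, not code from the thread; the function names, the account names and the hash values in CONSTRUCTED are made up for illustration, and only the two values in PAGE_HASHES come from the message.

```python
from collections import defaultdict
from os.path import commonprefix

def salt_evidence(obs):
    """Passwords that produced more than one hash across accounts.
    A non-empty result means something besides the password feeds the hash."""
    seen = defaultdict(set)
    for _user, pw, h in obs:
        seen[pw].add(h.upper())
    return sorted(pw for pw, hs in seen.items() if len(hs) > 1)

def case_folded(obs):
    """(user, folded password) groups where spellings that differ only in
    case gave the same hash on the same account."""
    groups = defaultdict(dict)
    for user, pw, h in obs:
        groups[(user, pw.lower())][pw] = h.upper()
    return sorted(k for k, m in groups.items()
                  if len(m) > 1 and len(set(m.values())) == 1)

def shared_prefix(hashes):
    """Common leading hex digits, and the probability that independent
    uniformly random hashes would share that many digits by coincidence."""
    hs = [h.upper() for h in hashes]
    prefix = commonprefix(hs)
    chance = 16.0 ** (-len(prefix) * (len(hs) - 1))
    return prefix, chance

# The two values quoted in the thread.
PAGE_HASHES = ["D4C5016086B2DC6A", "D4DF7931AB130E37"]

# Constructed observations (user, password, hash); not real Oracle output.
CONSTRUCTED = [
    ("alice", "secret", "1A2B3C4D5E6F7081"),
    ("alice", "SECRET", "1A2B3C4D5E6F7081"),  # case variant, same account
    ("bob",   "secret", "9F8E7D6C5B4A3920"),  # same password, other account
    ("bob",   "a",      "0011223344556677"),
]

if __name__ == "__main__":
    print("passwords with several hashes:", salt_evidence(CONSTRUCTED))
    print("case-insensitive groups:", case_folded(CONSTRUCTED))
    prefix, chance = shared_prefix(PAGE_HASHES)
    print(f"shared prefix {prefix!r}, chance of coincidence {chance:.4f}")
```

With only two samples, a shared leading byte has a 1 in 256 chance of being coincidence, which is why more pairs are needed before reading "D4" as a fixed salt.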