Penetration Testing mailing list archives
Re: [PEN-TEST] Oracle USER$ password hashes
From: Stefan Aeschbacher <stefan () AESCHBACHER COM>
Date: Fri, 10 Nov 2000 11:12:20 +0100
Hi "Edwards, Steve" wrote:
If anyone wants to "reverse-engineer" the Oracle password encryption method, this may help.
Due to lack of an Oracle it won't be me, but I can try to make some thoughts on the algorithm used (which may or may not help to find the algorithm). [snip]
4) The encrypted password is always 16 characters. 5) The encrypted password is only composed from the set "0123456789ABCDEF"
This seems to point to a hex representation of the data. Therefore we have a string of 64bit length as an output. As at least one byte is lost to the salt, this function generates far to short ciphertexts (<=56bit). Once the algorithm is known, this gives a good basis for a birthday attack.
6) The encrypted password is derived from both the name and the cleartext password. Changing any character in the name or cleartext password changes the encrypted password.
As we seem to have a salt, (did somone verify which bytes?) could this be the reason for the changes and not the change in the name? If the salt is really the first byte, then your table "Changing the last character:" would prove the assumption that the name is involved (there are two lines with C6 as the first byte). The function most certainely is a one way function. So either its a hash which works on the password, the salt and maybe the name. Or its a MAC-function which additionnaly adds some kind of key (not very probable as there is no gain in security unless every copy of ORACLE has another key). A symmetric cipher does not make any sense as there had to be a PW stored somwhere which could be used to decrypt the encrypted PW. Stefan
Here are some example pairs. Only the name is changed, the password is the same -- "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ" (30 Z's.)
[snip]
Current thread:
- [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Nicolas Gregoire (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Stefan Aeschbacher (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Edwards, Steve (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Stefan Aeschbacher (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Edwards, Steve (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes John Lauro (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Pete Krawczyk (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Nicolas Gregoire (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes (Summary) Dragos Ruiu (Nov 16)
- Re: [PEN-TEST] Oracle USER$ password hashes (Summary) Stefan Aeschbacher (Nov 17)
- <Possible follow-ups>
- Re: [PEN-TEST] Oracle USER$ password hashes Michael Owen (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Wolfgang Zenker (Nov 11)