Penetration Testing mailing list archives

Re: [PEN-TEST] Oracle USER$ password hashes


From: John Lauro <jlauro () UMICH EDU>
Date: Thu, 9 Nov 2000 23:22:02 -0800

2) The maximum length of the name is 30 characters.

3) The maximum length of the cleartext password is 30 characters.

4) The encrypted password is always 16 characters.

5) The encrypted password is only composed from the set "0123456789ABCDEF"

6) The encrypted password is derived from both the name and the cleartext
password. Changing any character in the name or cleartext password changes
the encrypted password.

One question:
Does changing the name/password pair back return to the previous value, or to a
different value?


Stores it in 16 nibbles....  or just 8 bytes...
Obviously not one to one, but probably simply many -> one...
so if you could get the encoding routine (or somehow call Oracle to do it fast
enough), I bet you could probably brute force a usable (but different) password
out if they are not salted, or if the salt is easy to determine....

Well, assuming the distribution is even that is....  if somehow each different
length of password maps to different results instead of overlapping between them it
might not be as easy to brute force long passwords, but I doubt it....


Hmmm....   I forget the original posting, but are you sure you would need to go
after the password at all, and not just the data?  Data can sometimes be just as
good as passwords...  by default most Oracle installs don't store the data
encrypted (for performance reasons)....  If you have direct write access to the
files you could probably zap an id and password in.  Obviously that's not very
interesting as root...  but sometimes people don't realize that simply doing a
strings dump will get out a lot of data, or if you have access to the backup
tapes, etc...  and simply want to pull out the data on another machine and mount
it....
