Penetration Testing mailing list archives
Re: [PEN-TEST] Oracle USER$ password hashes
From: John Lauro <jlauro () UMICH EDU>
Date: Thu, 9 Nov 2000 23:22:02 -0800
2) The maximum length of the name is 30 characters. 3) The maximum length of the cleartext password is 30 characters. 4) The encrypted password is always 16 characters. 5) The encrypted password is only composed from the set "0123456789ABCDEF" 6) The encrypted password is derived from both the name and the cleartext password. Changing any character in the name or cleartext password changes the encrypted password.
One question: Does changing the name/password pair back return to the previous value, or to a different value? Stores it in 16 nibbles.... or just 8 bytes... Obviously not one to one, but probably simply many -> one... so if you could get the encoding routing (or somehow call orcale to do it fast enough), I bet you could probably brute force a usable (but different) passwords out if they are not salted, or if the salt is easy to determine.... Well, assuming the distribution is even that is.... if somehow each different length of password map to different results instead of overlaping between them it might not be as easy to brute force long passwords, but I doubt it.... Hmmm.... I forget the orginal posting, but are you sure you would need to go after the password at all, and not just the data? Data can sometimes be just as good as passwords... by default most oracle installs don't store the data encrypted (for performance reasons).... If you have direct write access to the files you could problably zap an id and password in. Obviously that's not very interesting as root... but sometimes people don't realize that simply doing a strings dump will get out a lot of data, or if you have access to the backup tapes, etc... and simply want to pull out the data on another machine and mount it....
Current thread:
- [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Nicolas Gregoire (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Stefan Aeschbacher (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Edwards, Steve (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Stefan Aeschbacher (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Edwards, Steve (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes John Lauro (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Pete Krawczyk (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Nicolas Gregoire (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes (Summary) Dragos Ruiu (Nov 16)
- Re: [PEN-TEST] Oracle USER$ password hashes (Summary) Stefan Aeschbacher (Nov 17)
- <Possible follow-ups>
- Re: [PEN-TEST] Oracle USER$ password hashes Michael Owen (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Wolfgang Zenker (Nov 11)