Penetration Testing mailing list archives
RE: Oracle hash-list?
From: "McAllister, Andrew" <McAllisterA () umsystem edu>
Date: Mon, 21 Mar 2005 09:29:27 -0600
Our external PWC auditors had such a tool and ran brute force attacks against our database. They came up with several hits. They took a copy of our Oracle user table off-site.

The easy way to build your own brute force tool or "rainbow crack" type tool would be to simply create a stored procedure inside a test database. Since we know that the password is salted with the username (and apparently nothing else), you could simply have Oracle do all the work for you inside a database of your choosing. Write a proc in your own copy of Oracle that iterates through your dictionary, sequencer, whatever, each time changing the password of your target ID, selecting the hash from the data dictionary, saving it to a table, and repeating. Since Oracle's password namespace is case insensitive and has only limited special symbols, it shouldn't be too hard to use Oracle's own procedures as your primary cracking tool.

You could probably set the whole thing up on a small box with 512 MB of RAM and a little disk. You wouldn't need a whole bunch of IO bandwidth since all the work would probably be cached in RAM (you would be writing a steady stream out to disk, but it would be small). Then all you would need is time.

Andy
-----Original Message-----
From: Nexus [mailto:nexus () patrol i-way co uk]
snip
Adding to that, it's also aggressively defended by Oracle - I know of two occasions in which a legal Cease & Desist has been fired off... If there are such hash related tools out there, don't expect anyone to advertise the fact. Cheers.