Penetration Testing mailing list archives
Re: Oracle hash-list?
From: Pieter Danhieux <pdanhieux () easynet be>
Date: Wed, 16 Mar 2005 20:51:21 +0100
Hi Jeroen,are you aware that the hashes stored in the oracle database not really use a salt (which is bad), but they do use the username as a differentiating factor. This means that the hash output depends on the password AND the username. Using pre-computed hashes will be difficult to do an offline attack, because you need a precomputed hash of all common passwords and all common usernames. That is why you only can find 'online' passwords crackers for oracle. As far as I am aware, there is no opensource offline password cracker, although there are some commercial tools which claim to have cracked the encryption used and can do offline cracking.
my 2 cents ... -- Pieter Danhieux, CISSP, GSEC, GCIH On 15 Mar 2005, at 23:02, Jeroen wrote:
Hi all,I'm working on an Oracle auditing tool which' features include `offline' password cracking by means of downloading hashes of a live SID and comparingthem to pre-calculated ones. Before spoiling a lot of CPU-cycles, I'm interested if one of you guys already has generated a "<word>, <word's hash>" list of let's say all 1-8 character-possibilities. Anyone? Thanks in advance, Jeroen
Current thread:
- Oracle hash-list? Jeroen (Mar 15)
- Re: Oracle hash-list? Pieter Danhieux (Mar 16)
- Re: Oracle hash-list? Steven DeFord (Mar 16)
- Re: Oracle hash-list? Joshua Wright (Mar 21)
- Re: Oracle hash-list? Steven DeFord (Mar 16)
- <Possible follow-ups>
- Re: Oracle hash-list? Jeroen (Mar 16)
- Re: Oracle hash-list? Nexus (Mar 21)
- RE: Oracle hash-list? McAllister, Andrew (Mar 21)
- Re: Oracle hash-list? James Hackett (Mar 21)
- Re: Oracle hash-list? Pieter Danhieux (Mar 16)