Penetration Testing mailing list archives

Re: [PEN-TEST] Oracle USER$ password hashes


From: Wolfgang Zenker <wolfgang () JPAVES DE>
Date: Fri, 10 Nov 2000 13:38:03 +0100

Michael Owen wrote:
- is there really a salt (just install two users with the same PW)

Yes. I created 10 users with the same PW, and all had different hashes.

As we have seen in another reply the encrypted password might depend on the
name as well as the cleartext password. So to see if a salt is used in
password encryption you should create the same user/password-combination
on two different systems and check if you get the same encrypted password
on both systems. If this is the case, no salt is used.

Wolfgang Zenker

--
Wolfgang Zenker                                  Mail: W.Zenker () jpaves de
JPAVES Unix Online GmbH                          Fon:  (+49) 721 / 955 40 60
Kaiserallee 87                                   Fax:  (+49) 721 / 955 40 62
D-76185 Karlsruhe                                Web:  www.jpaves.de
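
The two experiments discussed in this message, as an added example that is not part of the original post: it runs "same password, different users" and "same user/password on two systems" against three storage schemes and shows that only the second experiment separates a username-dependent hash from a salted one. The three schemes are constructed stand-ins built on SHA-256, not Oracle's algorithm, and all function names are hypothetical.

```python
import hashlib
import os

# Constructed stand-in schemes (assumptions for illustration, not Oracle's algorithm).
# Each factory models one installed system and returns hash(user, password).

def unsalted_system():
    return lambda user, pw: hashlib.sha256(pw.encode()).hexdigest()

def username_mixed_system():
    # Hash depends on the user name as well as the cleartext password.
    return lambda user, pw: hashlib.sha256((user.upper() + pw).encode()).hexdigest()

def random_salt_system():
    def stored_hash(user, pw):
        salt = os.urandom(8)  # fresh random salt for every stored password
        return salt.hex() + "$" + hashlib.sha256(salt + pw.encode()).hexdigest()
    return stored_hash

def run_experiments(make_system, password="Constructed-Pw-1"):
    """Return (differs_across_users, differs_across_systems)."""
    sys_a, sys_b = make_system(), make_system()  # two independent installations
    # Experiment 1: ten users with the same password on one system.
    hashes = {sys_a(f"user{i}", password) for i in range(10)}
    differs_across_users = len(hashes) > 1
    # Experiment 2: the same user/password combination on two systems.
    differs_across_systems = sys_a("user0", password) != sys_b("user0", password)
    return differs_across_users, differs_across_systems

def classify(make_system):
    """Interpret both experiments together, following the reasoning in the thread."""
    across_users, across_systems = run_experiments(make_system)
    if across_systems:
        return "salted"
    if across_users:
        return "username-dependent, no salt"
    return "password only, no salt"

if __name__ == "__main__":
    for factory in (unsalted_system, username_mixed_system, random_salt_system):
        print(f"{factory.__name__:24} {run_experiments(factory)} -> {classify(factory)}")
```
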

