Penetration Testing mailing list archives

Re: [PEN-TEST] Oracle USER$ password hashes


From: "Edwards, Steve" <sedwards () SEDWARDS COM>
Date: Fri, 10 Nov 2000 14:09:42 -0800

Multiple messages merged for efficiency :)

On Thu, 9 Nov 2000, John Lauro wrote:

> One question: Does changing the name/password pair back return to the
> previous value, or to a different value?

The same value.

On Fri, 10 Nov 2000, Stefan Aeschbacher wrote:

> As at least one byte is lost to the salt, this function generates
> far too short ciphertexts (<=56bit). Once the algorithm is known,
> this gives a good basis for a birthday attack.

There is no salt.

The same name/password pair creates the same hash on Solaris/SPARC Oracle
8.1.6 and Solaris/Intel Oracle 8.0.5. Further, if you examine the output
file of the "exp" (export) utility, you will see that the hash is exported
so you can create (import) the same users with the same passwords on other
databases.

On Fri, 10 Nov 2000, Wolfgang Zenker wrote:

> As we have seen in another reply the encrypted password might depend
> on the name as well as the cleartext password.

Not, "might" -- "does" :)

On Fri, 10 Nov 2000, Pete Krawczyk wrote:

> The username is always uppercased (although in a test database, I have
> a lowercase username somehow and the hash is the same as the uppercase
> username right next to it).

If the name is enclosed in double-quotes, Oracle will not "up-case" it
when creating the user. Thus, it is possible to have both user z and
user Z. Oracle always up-cases the name before creating the hash. When
user z wishes to connect, the name must be enclosed in double-quotes.

The password is always up-cased regardless of quoting.

Thanks in advance,
------------------------------------------------------------------------
Steve Edwards      sedwards () sedwards com      Voice: +1-760-723-2727 PST
Newline            Pager: +1-888-478-5085           Fax: +1-760-731-3000
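
An added example, not part of the original message and not Oracle's own tooling: since the hash has no salt, is derived from the up-cased name and password, and travels with exports, equal (up-cased name, hash) pairs across databases mean the same password is in use. The sketch below audits for that; the input form (CREATE USER ... IDENTIFIED BY VALUES statements pulled from export files), the function names and every hash value are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input, one text blob per database. Names and hashes
# are placeholders made up for this example, not real Oracle output.
DUMPS = {
    "prod": """CREATE USER "SCOTT" IDENTIFIED BY VALUES '00000000000000A1';
CREATE USER "APPUSER" IDENTIFIED BY VALUES '00000000000000B2';""",
    "test": """CREATE USER "SCOTT" IDENTIFIED BY VALUES '00000000000000A1';
CREATE USER "scott" IDENTIFIED BY VALUES '00000000000000A1';
CREATE USER "APPUSER" IDENTIFIED BY VALUES '00000000000000C3';""",
}

# Quoted user name followed by the stored hash (assumed statement layout).
STMT = re.compile(
    r'CREATE\s+USER\s+"([^"]+)"\s+IDENTIFIED\s+BY\s+VALUES\s+'
    r"'([0-9A-Fa-f]+)'",
    re.IGNORECASE,
)


def find_shared_passwords(dumps):
    """Group accounts by (up-cased name, hash).

    Per the thread, the name is up-cased before hashing and there is no
    salt, so every account in one group has the same password, whichever
    database or platform it lives on. Quoted lowercase names ("scott")
    land in the same group as their uppercase twin.
    Returns {(NAME, HASH): sorted [(database, stored_name), ...]} for
    groups holding more than one account.
    """
    groups = defaultdict(set)
    for database, text in dumps.items():
        for name, pw_hash in STMT.findall(text):
            groups[(name.upper(), pw_hash.upper())].add((database, name))
    return {key: sorted(accts) for key, accts in groups.items() if len(accts) > 1}


def report(dumps):
    """One line per group of accounts that share a password."""
    lines = []
    for (name, pw_hash), accts in sorted(find_shared_passwords(dumps).items()):
        where = ", ".join(f'{db}:"{stored}"' for db, stored in accts)
        lines.append(f"{name} {pw_hash} shared by {where}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUMPS)))
```

APPUSER is not reported because its hash differs between the two databases, which under the same reasoning means the passwords differ.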

