Penetration Testing mailing list archives
Re: [PEN-TEST] Oracle USER$ password hashes
From: "Edwards, Steve" <sedwards () SEDWARDS COM>
Date: Fri, 10 Nov 2000 14:09:42 -0800

Multiple messages merged for efficiency :)

On Thu, 9 Nov 2000, John Lauro wrote:

> One question: Does changing the name/password pair back return to the previous value, or to a different value?

The same value.

On Fri, 10 Nov 2000, Stefan Aeschbacher wrote:

> As at least one byte is lost to the salt, this function generates far too short ciphertexts (<=56bit). Once the algorithm is known, this gives a good basis for a birthday attack.

There is no salt. The same name/password pair creates the same hash on Solaris/SPARC Oracle 8.1.6 and Solaris/Intel Oracle 8.0.5. Further, if you examine the output file of the "exp" (export) utility, you will see that the hash is exported so you can create (import) the same users with the same passwords on other databases.

On Fri, 10 Nov 2000, Wolfgang Zenker wrote:

> As we have seen in another reply the encrypted password might depend on the name as well as the cleartext password.

Not, "might" -- "does" :)

On Fri, 10 Nov 2000, Pete Krawczyk wrote:

> The username is always uppercased (although in a test database, I have a lowercase username somehow and the hash is the same as the uppercase username right next to it).

If the name is enclosed in double-quotes, Oracle will not "up-case" it when creating the user. Thus, it is possible to have both user z and user Z. Oracle always up-cases the name before creating the hash. When user z wishes to connect, the name must be enclosed in double-quotes. The password is always up-cased regardless of quoting.

Thanks in advance,
------------------------------------------------------------------------
Steve Edwards      sedwards () sedwards com      Voice: +1-760-723-2727 PST
Newline            Pager: +1-888-478-5085        Fax: +1-760-731-3000
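
An added example, not part of the original message or thread: since the same name/password pair gives the same hash on every database and the name is up-cased before hashing, an auditor can find shared credentials by grouping exported account rows on (up-cased name, hash). The rows, the hash strings and the function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows: (database, username as stored, password hash).
# The hash strings are made-up placeholders, not real Oracle output.
ROWS = [
    ("PROD", "SCOTT", "AAAAAAAAAAAAAAAA"),
    ("TEST", "SCOTT", "AAAAAAAAAAAAAAAA"),  # same name/password pair on a second database
    ("PROD", "Z",     "BBBBBBBBBBBBBBBB"),
    ("PROD", "z",     "BBBBBBBBBBBBBBBB"),  # created as "z" (quoted), same password as Z
    ("TEST", "APP",   "CCCCCCCCCCCCCCCC"),
    ("PROD", "APP",   "DDDDDDDDDDDDDDDD"),  # same name, different password
]


def find_shared_credentials(rows):
    """Report accounts that must share a password.

    With no salt, equal (up-cased name, hash) pairs mean equal passwords,
    whether the accounts live on different databases or differ only in the
    case of a quoted name. Accounts with different names are not compared,
    because the name is part of the hash input.
    """
    groups = defaultdict(set)
    for database, name, pw_hash in rows:
        groups[(name.upper(), pw_hash.upper())].add((database, name))

    findings = []
    for (upper_name, pw_hash), accounts in sorted(groups.items()):
        if len(accounts) < 2:
            continue  # only one account carries this name/hash pair
        findings.append({
            "name": upper_name,
            "hash": pw_hash,
            "accounts": sorted(accounts),
            # Same pair seen on more than one database.
            "cross_database": len({db for db, _ in accounts}) > 1,
            # Same pair under names that differ only by case (quoted names).
            "case_variants": len({name for _, name in accounts}) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in find_shared_credentials(ROWS):
        print(finding)
```
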