Penetration Testing mailing list archives
Re: [PEN-TEST] Oracle USER$ password hashes (Summary)
From: Dragos Ruiu <dr () KYX NET>
Date: Tue, 14 Nov 2000 23:01:45 -0800
On Mon, 13 Nov 2000, Olle Segerdahl wrote:
Ok, what I can understand from the answers in this thread: The password and username are case insensitive by default (double quote exeption exists) Both password and username can be 1 to 30 characters long The password hash is a 8 byte string in hex notation (ie. 8 bytes large) The password hash is salted with the uppercased username So, anybody have any idea of what algorithms might be used to generate 8 bytes output from two 1-30 byte strings? /olle
Ok, I have to ask.... Why has no-one disassembled oracle's hash program itself? The above effort seems like trying to reverse engineer a paper shredder by analyzing shredded paper instead of taking the device apart. cheers --dr
Current thread:
- Re: [PEN-TEST] Oracle USER$ password hashes, (continued)
- Re: [PEN-TEST] Oracle USER$ password hashes Nicolas Gregoire (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Stefan Aeschbacher (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Edwards, Steve (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Stefan Aeschbacher (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Edwards, Steve (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes John Lauro (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Pete Krawczyk (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Nicolas Gregoire (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes (Summary) Dragos Ruiu (Nov 16)
- Re: [PEN-TEST] Oracle USER$ password hashes (Summary) Stefan Aeschbacher (Nov 17)
- Re: [PEN-TEST] Oracle USER$ password hashes Wolfgang Zenker (Nov 11)