Penetration Testing mailing list archives
Re: [PEN-TEST] Oracle USER$ password hashes (Summary)
From: Stefan Aeschbacher <stefan () AESCHBACHER COM>
Date: Thu, 16 Nov 2000 12:05:58 +0100
Dragos Ruiu wrote:
[snip]
> Ok, I have to ask.... Why has no-one disassembled Oracle's hash program itself?

This most certainly will be the easier way to get the algorithm than cryptanalyzing some cleartext/ciphertext pairs. Still, the discussion led to some results, e.g. we found out that a birthday attack could be possible; this means it is pretty probable to find a (wrong) password which still hashes to the same value as the original password, as we have something like 36^60 input and 2^64 output values. Knowing the structure of the algorithm used can help disassembling the code regarding the form of input, output, salts used, .... As far as I'm concerned, I don't have access to an Oracle nor have I the time to do it.

> The above effort seems like trying to reverse engineer a paper shredder by analyzing shredded paper instead of taking the device apart.

True, but some shredders in history have been analyzed this way without even knowing whether they used fire, acid or mechanics to destroy the paper ;) (see The Cryptonomicon by Donaldson or the books by D.Kahn for some interesting reading on the subject)

Stefan
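The counting argument in the message above (about 36^60 inputs against 2^64 outputs), worked through as an added example that is not part of the original post. It assumes the 36 symbols are A-Z and 0-9, and it uses SHA-256 truncated to 16 bits as a stand-in hash (not Oracle's algorithm) so that a second string with the same hash value can be found in a fraction of a second; the sample password is constructed.

```python
import hashlib
import itertools
import math
import string

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols (assumed: A-Z, 0-9)
MAX_LEN = 60     # input length figure quoted in the post
HASH_BITS = 64   # output size quoted in the post


def input_space_bits(symbols=len(ALPHABET), length=MAX_LEN):
    """log2 of the number of possible inputs (36^60 in the post)."""
    return length * math.log2(symbols)


def inputs_per_hash_bits(out_bits=HASH_BITS):
    """log2 of the average number of inputs that share one hash value."""
    return input_space_bits() - out_bits


def toy_hash(password, out_bits=16):
    """Stand-in hash: SHA-256 truncated to out_bits. NOT Oracle's algorithm."""
    digest = hashlib.sha256(password.encode("ascii")).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)


def find_equivalent(password, out_bits=16, max_len=4):
    """Enumerate candidates until a different string has the same toy hash.

    Returns (candidate, tries), or (None, tries) if nothing matched.
    """
    target = toy_hash(password, out_bits)
    tries = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            candidate = "".join(chars)
            tries += 1
            if candidate != password and toy_hash(candidate, out_bits) == target:
                return candidate, tries
    return None, tries


if __name__ == "__main__":
    print(f"input space    ~ 2^{input_space_bits():.1f}")
    print(f"per hash value ~ 2^{inputs_per_hash_bits():.1f} inputs")
    alt, tries = find_equivalent("CONSTRUCTEDPW1")  # constructed sample value
    print(f"16-bit toy hash: {alt!r} matches after {tries} tries (2^16 = 65536)")
```

The number of tries needed grows with the output size of the hash, which is why the width of the stored hash matters to anyone assessing how well it protects the passwords behind it.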