Date: Thu, 9 Nov 2000 14:04:38 -0800
From: "Edwards, Steve" <sedwards_at_SEDWARDS.COM>
Subject: Re: Oracle USER$ password hashes
}Here are some example pairs. Only the name is changed, the password is
}the same -- "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ" (30 Z's.)
}
}NAME PASSWORD
}------------------------------ ------------------------------
}ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ C829CE9D9DAE5F3B

I have also done this with one Z to 30 Z's in the username. Note the 30 Z
username/password hash is the same as in the example above:

NAME PASSWORD
------------------------------ ------------------------------
Z BDA7BD93C02D9685
ZZ 9B82D0C5D7238869
ZZZ 4D249563D9CEB1DA
ZZZZ 36E5D13056E74735
ZZZZZ 7551931A3868EC4B
ZZZZZZ 9E1813B857CBC46B
ZZZZZZZ 74214B2B5710D4DB
ZZZZZZZZ 92E348C06ACDB1DF
ZZZZZZZZZ 093BD63A47C95704
ZZZZZZZZZZ 84FE29884943296F
ZZZZZZZZZZZ 6A2B1094F05FF16D
ZZZZZZZZZZZZ 778E4F7D76A6D44B
ZZZZZZZZZZZZZ DB5831A4530E8EB1
ZZZZZZZZZZZZZZ 2D07D64E854F2286
ZZZZZZZZZZZZZZZ 0986719BAFB7E58E
ZZZZZZZZZZZZZZZZ 62901F14E96D651A
ZZZZZZZZZZZZZZZZZ 509902F4498B917A
ZZZZZZZZZZZZZZZZZZ B3F8311B73473501
ZZZZZZZZZZZZZZZZZZZ 0C40E63F2E9B6C67
ZZZZZZZZZZZZZZZZZZZZ A1C5A0833056DE3A
ZZZZZZZZZZZZZZZZZZZZZ 47B97C7B1FAB25DD
ZZZZZZZZZZZZZZZZZZZZZZ 92FE731355463CED
ZZZZZZZZZZZZZZZZZZZZZZZ 99465277D42480E5
ZZZZZZZZZZZZZZZZZZZZZZZZ A13A46DEE200FC4D
ZZZZZZZZZZZZZZZZZZZZZZZZZ CFB8E1170DC38C6E
ZZZZZZZZZZZZZZZZZZZZZZZZZZ 2DE7D2C11006D90C
ZZZZZZZZZZZZZZZZZZZZZZZZZZZ E25994E69997E29D
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 50FB00980AFFAB8C
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 93D1C5948CDC40FC
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ C829CE9D9DAE5F3B

So, apparently only the username and password are used in the calculation
of the encrypted password hash. If anything else were used, the hash
would perhaps differ, since my database is different from the other one
used to create the same hashes.

I've also done some off-the-cuff calculations; if there are only the
characters 0-9A-F contained within, there are only 64 bits of
entropy. There are 30 chars username, 30 chars password. With 64 bits of
entropy max, this creates a problem. Assuming no punctuation in the
passwords (and punctuation is allowed; I'm making math easier) you have
36^30 = 48873677980689257489322752273774603865660850176
combinations of passwords alone - just for the 30 character passwords.
And 64 bits of entropy is many orders of magnitude less than that. So
it's very possible that for a single username, many cleartext passwords
would work.

Why 36, not 62, for A-Za-z0-9? Usernames and passwords are apparently
case-insensitive. The username is always uppercased (although in a test
database, I have a lowercase username somehow and the hash is the same as
the uppercase username right next to it). Also, check this out:

create user ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ identified by zzzzzzzzzzzzzzzzzzzzzzzzzzzzzz;
NAME PASSWORD
------------------------------ ------------------------------
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ C829CE9D9DAE5F3B

It's the same as the all-uppercase version.

-Pete K
--
Pete Krawczyk
petek at bsod dot net or pkrawczy at uiuc dot edu
http://www.uiuc.edu/ph/www/pkrawczy/
Received on Nov 11 2000
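
An added example, not part of the original message: an audit check built on the message's observations that the stored hash appears to depend only on username and password, and that case is ignored. Under those observations, an identical (name, hash) pair in two databases means the account has the same password in both. The function names, the database labels `prod` and `test`, and the `AAAAAAAAAAAAAAAA` hash are assumptions made for the illustration.

```python
from collections import defaultdict

HASH_BITS = 64  # 16 hex digits per stored hash, as in the listings above
HEX = set("0123456789ABCDEF")

def parse_listing(text):
    """Parse 'NAME PASSWORD' rows into {NAME: HASH}; header/ruler lines are skipped."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[1]) == 16 and set(parts[1]) <= HEX:
            # Names are uppercased: the message reports case-insensitive hashing.
            rows[parts[0].upper()] = parts[1]
    return rows

def shared_credentials(databases):
    """Map (name, hash) -> databases, for pairs found in more than one database."""
    seen = defaultdict(list)
    for label, rows in databases.items():
        for name, digest in rows.items():
            seen[(name, digest)].append(label)
    return {pair: sorted(dbs) for pair, dbs in seen.items() if len(dbs) > 1}

def passwords_per_hash(alphabet_size, length):
    """Average number of passwords of this length per 64-bit hash (pigeonhole)."""
    return alphabet_size ** length // 2 ** HASH_BITS

# Constructed sample exports. The Z and ZZ hashes are copied from the message;
# the AAAA... value is a made-up placeholder standing for a different password.
PROD = """NAME PASSWORD
------------------------------ ------------------------------
Z BDA7BD93C02D9685
ZZ 9B82D0C5D7238869
"""
TEST = """NAME PASSWORD
------------------------------ ------------------------------
z BDA7BD93C02D9685
ZZ AAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    dbs = {"prod": parse_listing(PROD), "test": parse_listing(TEST)}
    for (name, digest), where in shared_credentials(dbs).items():
        print(f"{name}: hash {digest} reused in {', '.join(where)}")
    print("30-char [A-Z0-9] passwords per hash:", passwords_per_hash(36, 30))
```
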