Re: [PEN-TEST] Oracle USER$ password hashes
From: Olle Segerdahl <olle () NXS SE>
Date: Thu, 9 Nov 2000 17:07:06 +0100
On Thu, Nov 09, 2000 at 03:33:03PM +0100, Nicolas Gregoire wrote:
> > Since the hashes are always the same for the same password, it most
> > definitely isn't salted....
> >
> > change_on_install = D4C5016086B2DC6A
> > manager = D4DF7931AB130E37
>
> Are the first 2 characters always "D4"?
> It could be the fixed salt, i.e. $crypted = unkown-crypt("D4", $clear);

Hmm.. I think you might be right, actually...

The two passwords above are default on install, so the salt (and hash) is
probably the same for all installations. Just checked another db and the
regular users' passwords DO appear to be salted.... My mistake...

Ok, so amendments to first post statements:
Passwords are NOT case sensitive and there is probably a one-byte salt.
Passwords are not limited to 7 or 8 chars, either....

Anyone have a clue as to what it might be?