Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Oracle USER$ password hashes
From: Pawel Krawczyk <kravietz () CETI PL>
Date: Fri, 10 Nov 2000 12:56:52 +0100

On Thu, Nov 09, 2000 at 03:33:03PM +0100, Nicolas Gregoire wrote:

Since the hashes are always the same for the same password, it most
definately isn't salted....
...
change_on_install       = D4C5016086B2DC6A
manager                 = D4DF7931AB130E37
Are the first 2 characters always "D4" ?
It could the fixed salt, ie. $crypted  = unkown-crypt("D4", $clear);

(...) Oracle  encrypts  passwords  using  a  modified  DES  (Data
Encryption   Standards)  algorithm  before  sending  them  across  the
network.

http://oradoc.photo.net/ora81/DOC/server.815/a67784/toc.htm

However, the given examples seems to be too long for DES output, but
maybe that's the mentioned modification.

--
PaweĊ‚ Krawczyk <http://ceti.pl/~kravietz/>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault