Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Oracle USER$ password hashes
From: Wolfgang Zenker <wolfgang () JPAVES DE>
Date: Fri, 10 Nov 2000 13:38:03 +0100

Michael Owen wrote:
- is there really a salt (just install two users with the same PW)

Yes. I created 10 users with the same PW, and all had different hashes.

As we have seen in another reply the encrypted password might depend on the
name as well as the cleartext password. So to see if a salt is used in
password encryption you should create the same user/password-combination
on two different systems and check if you get the same encrypted password
on both systems. If this is the case, no salt is used.

Wolfgang Zenker

Wolfgang Zenker                                  Mail: W.Zenker () jpaves de
JPAVES Unix Online GmbH                          Fon:  (+49) 721 / 955 40 60
Kaiserallee 87                                   Fax:  (+49) 721 / 955 40 62
D-76185 Karlsruhe                                Web:  www.jpaves.de

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]