Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Oracle USER$ password hashes
From: "Edwards, Steve" <sedwards () SEDWARDS COM>
Date: Fri, 10 Nov 2000 14:09:42 -0800

Multiple messages merged for efficiency :)

On Thu, 9 Nov 2000, John Lauro wrote:

One question: Does changing the name/password pair back return to the
previous value, or to a different value?

The same value.

On Fri, 10 Nov 2000, Stefan Aeschbacher wrote:

As at least one byte is lost to the salt, this function generates
far to short ciphertexts (<=56bit). Once the algorithm is known,
this gives a good basis for a birthday attack.

There is no salt.

The same name/password pair creates the same hash on Solaris/SPARC Oracle
8.1.6 and Solaris/Intel Oracle 8.0.5. Further, if you examine the output
file of the "exp" (export) utility, you will see that the hash is exported
so you can create (import) the same users with the same passwords on other

On Fri, 10 Nov 2000, Wolfgang Zenker wrote:

As we have seen in another reply the encrypted password might depend
on the name as well as the cleartext password.

Not, "might" -- "does" :)

On Fri, 10 Nov 2000, Pete Krawczyk wrote:

The username is always uppercased (although in a test database, I have
a lowercase username somehow and the hash is the same as the uppercase
username right next to it).

If the name is enclosed in double-quotes, Oracle will not "up-case" it
when creating the user. Thus, it is possible to have both user z and
user Z. Oracle always up-cases the name before creating the hash. When
user z wishes to connect, the name must be enclosed in double-quotes.

The password is always up-cased regardless of quoting.

Thanks in advance,
Steve Edwards      sedwards () sedwards com      Voice: +1-760-723-2727 PST
Newline            Pager: +1-888-478-5085           Fax: +1-760-731-3000

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]