Oracle Question Slightly OT

From: Ginski, Richard J. (rginski_at_co.pinellas.fl.us)
Date: 06/29/05

  • Next message: info_at_secureit-tech.com: "Re: Weboot Window Washer Version 6.02.410 Will erase files from your PC"
    Date: Wed, 29 Jun 2005 13:34:38 -0400
    To: <bugtraq@securityfocus.com>
    
    

    Forgive me for this being slightly off topic. We've checked Oracle's
    site, including posting to their "Technology Network", and have yet to
    find a best practices document for securing Oracle databases. Am I
    missing something? ... Or should something this obvious be available on
    Oracle's site? Can anyone provide links to such information?

    -----Original Message-----
    From: Joshua Wright [mailto:jwright@hasborg.com]
    Sent: Wednesday, June 29, 2005 10:16 AM
    To: bugtraq@securityfocus.com
    Subject: Auditing Privilged Oracle Passwords - hashattack

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I've put together a tool that can be used to build a table of Oracle
    password hashes from a dictionary file for a designated username.
    Hashes are calculated by creating a user account similar to the target
    account to be audited and repeatedly changing the password with "ALTER
    USER" for each dictionary word, storing the hash for each password in a
    table.

    Once the table of hashes is built, a simple SELECT can be issued to
    determine if the password hash for a target user is a simple dictionary
    word:

    SQL> select h.username, h.password, h.hash
      2 from hashattack h, dba_users d
      3 where d.password = h.hash and h.username = 'SYS';

    USERNAME PASSWORD HASH
    - ---------- -------------------- --------------------
    SYS KILTPLEAT 2BBDC477FFB28563

    SQL>

    Written in PL/SQL, available at
    http://802.11ninja.net/code/hashattack-0.1.tgz,
    http://802.11ninja.net/code/hashattack-0.1.tgz.asc

    Comments, questions, concerns welcome.

    - -Josh
    - --
    - -Joshua Wright
    jwright@hasborg.com

    2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
    fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF

    Today I stumbled across the world's largest hotspot. The SSID is
    "linksys".
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (MingW32)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFCwq0QTS8i9jZYpL8RApOqAKCnTqrAwCaqKT3KALl0b8CDRo9I0QCfRKnB
    LcY+tDFFcNAeMbsIg7YWe88=
    =L/x5
    -----END PGP SIGNATURE-----


  • Next message: info_at_secureit-tech.com: "Re: Weboot Window Washer Version 6.02.410 Will erase files from your PC"

    Relevant Pages

    • Auditing Privilged Oracle Passwords - hashattack
      ... Hash: SHA1 ... password hashes from a dictionary file for a designated username. ... SQL> select h.username, h.password, h.hash ... Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org ...
      (Bugtraq)
    • Re: People ~Fing with Life
      ... That is what the charge was. ... hash values and the like'. ... this data area had no corresponding entry in the allocation tables. ... Hashes are used for the purposes of error correction ...
      (uk.legal)
    • Re: Passwords: to crypt or to hash?
      ... read recently that hashes are stored rather than crypted versions. ... Very few systems have ever stored crypted passwords. ... the hash function took over a second to compute. ...
      (comp.security.misc)
    • RE: [7.8.2002 44916] Notice of Copyright Infringement]
      ... Appending a single bit onto the end of the file makes a different hash. ... and you no longer match the hashes. ... The only way to prove you're breaking copyright is to download at ... |"real" warezed version of whatever movie. ...
      (Vuln-Dev)