Re: Oracle hash-list?

From: Pieter Danhieux (
Date: 03/16/05

  • Next message: "Sap proxy"
    Date: Wed, 16 Mar 2005 20:51:21 +0100
    To: "Jeroen" <>

    Hi Jeroen,

    are you aware that the hashes stored in the oracle database not really
    use a salt (which is bad), but they do use the username as a
    differentiating factor. This means that the hash output depends on the
    password AND the username. Using pre-computed hashes will be difficult
    to do an offline attack, because you need a precomputed hash of all
    common passwords and all common usernames. That is why you only can
    find 'online' passwords crackers for oracle. As far as I am aware,
    there is no opensource offline password cracker, although there are
    some commercial tools which claim to have cracked the encryption used
    and can do offline cracking.

    my 2 cents ...

    Pieter Danhieux, CISSP, GSEC, GCIH
    On 15 Mar 2005, at 23:02, Jeroen wrote:
    > Hi all,
    > I'm working on an Oracle auditing tool which' features include 
    > `offline'
    > password cracking by means of downloading hashes of a live SID and 
    > comparing
    > them to pre-calculated ones. Before spoiling a lot of CPU-cycles, I'm
    > interested if one of you guys already has generated a "<word>, <word's
    > hash>" list of let's say all 1-8 character-possibilities. Anyone?
    > Thanks in advance,
    > Jeroen

  • Next message: "Sap proxy"