Re: Oracle hash-list?

From: Pieter Danhieux (pdanhieux_at_easynet.be)
Date: 03/16/05

    Date: Wed, 16 Mar 2005 20:51:21 +0100
    To: "Jeroen" <jeroen@isvet.nl>
    
    

    Hi Jeroen,

    Are you aware that the hashes stored in the Oracle database do not
    really use a salt (which is bad), but that they do use the username as
    a differentiating factor? This means that the hash output depends on the
    password AND the username. Using precomputed hashes for an offline
    attack will be difficult, because you need a precomputed hash of all
    common passwords and all common usernames. That is why you can only
    find 'online' password crackers for Oracle. As far as I am aware,
    there is no open-source offline password cracker, although there are
    some commercial tools which claim to have cracked the encryption used
    and can do offline cracking.

    my 2 cents ...

    --
    Pieter Danhieux, CISSP, GSEC, GCIH

    On 15 Mar 2005, at 23:02, Jeroen wrote:
    > Hi all,
    >
    > I'm working on an Oracle auditing tool whose features include `offline'
    > password cracking by means of downloading hashes of a live SID and comparing
    > them to pre-calculated ones. Before spoiling a lot of CPU-cycles, I'm
    > interested if one of you guys already has generated a "<word>, <word's
    > hash>" list of let's say all 1-8 character-possibilities. Anyone?
    >
    > Thanks in advance,
    >
    > Jeroen
    >
    >
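
Added example, not part of the thread: a sketch of why a username works only as a weak differentiator compared with a per-account random salt. The hash function is a stand-in built on SHA-256, not Oracle's algorithm, and the usernames, passwords and databases are constructed for illustration.

```python
import hashlib
import hmac
import os

WORDLIST = ["welcome1", "changeme", "summer05"]  # constructed sample passwords

def username_keyed_hash(username, password):
    # Stand-in (assumption): SHA-256 over username + password, no random salt.
    # NOT Oracle's algorithm; it models only the dependency on the username.
    return hashlib.sha256(f"{username}\x00{password}".encode()).hexdigest()

def random_salted_hash(password, salt=None):
    # Per-account random salt with a slow KDF, for comparison.
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_salted(password, salt, expected):
    # Verification recomputes with the stored salt and compares in constant time.
    return hmac.compare_digest(random_salted_hash(password, salt)[1], expected)

def build_table(username, words):
    # Precomputed hash -> password table; valid for exactly one username.
    return {username_keyed_hash(username, w): w for w in words}

def compare_schemes():
    table = build_table("alice", WORDLIST)
    # Two independent databases (constructed) that both have an "alice" account.
    db_a = {"alice": username_keyed_hash("alice", "changeme"),
            "bob": username_keyed_hash("bob", "changeme")}
    db_b = {"alice": username_keyed_hash("alice", "changeme")}
    # The same password stored twice under the random-salt scheme.
    salt_a, digest_a = random_salted_hash("changeme")
    _salt_b, digest_b = random_salted_hash("changeme")
    return {
        "table_hits_other_username": db_a["bob"] in table,
        "table_hits_same_username_db_a": table.get(db_a["alice"]),
        "table_hits_same_username_db_b": table.get(db_b["alice"]),
        "random_salt_digests_equal": digest_a == digest_b,
        "salted_still_verifies": verify_salted("changeme", salt_a, digest_a),
    }

if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The table built for one username misses the same password under another username, which is the point made in the reply, but it matches that username in every database; with a random salt, two stored copies of the same password share nothing.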
    
