Penetration Testing mailing list archives
Re: [PEN-TEST] Oracle USER$ password hashes
From: Pete Krawczyk <petek () BSOD NET>
Date: Fri, 10 Nov 2000 10:45:05 -0700
Date: Thu, 9 Nov 2000 14:04:38 -0800
From: "Edwards, Steve" <sedwards () SEDWARDS COM>
Subject: Re: Oracle USER$ password hashes

}Here are some example pairs. Only the name is changed, the password is
}the same -- "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ" (30 Z's.)
}
}NAME                           PASSWORD
}------------------------------ ------------------------------
}ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ C829CE9D9DAE5F3B

I have also done this with one Z to 30 Z's in the username. Note the 30 Z
username/password hash is the same as in the example above:

NAME                           PASSWORD
------------------------------ ------------------------------
Z                              BDA7BD93C02D9685
ZZ                             9B82D0C5D7238869
ZZZ                            4D249563D9CEB1DA
ZZZZ                           36E5D13056E74735
ZZZZZ                          7551931A3868EC4B
ZZZZZZ                         9E1813B857CBC46B
ZZZZZZZ                        74214B2B5710D4DB
ZZZZZZZZ                       92E348C06ACDB1DF
ZZZZZZZZZ                      093BD63A47C95704
ZZZZZZZZZZ                     84FE29884943296F
ZZZZZZZZZZZ                    6A2B1094F05FF16D
ZZZZZZZZZZZZ                   778E4F7D76A6D44B
ZZZZZZZZZZZZZ                  DB5831A4530E8EB1
ZZZZZZZZZZZZZZ                 2D07D64E854F2286
ZZZZZZZZZZZZZZZ                0986719BAFB7E58E
ZZZZZZZZZZZZZZZZ               62901F14E96D651A
ZZZZZZZZZZZZZZZZZ              509902F4498B917A
ZZZZZZZZZZZZZZZZZZ             B3F8311B73473501
ZZZZZZZZZZZZZZZZZZZ            0C40E63F2E9B6C67
ZZZZZZZZZZZZZZZZZZZZ           A1C5A0833056DE3A
ZZZZZZZZZZZZZZZZZZZZZ          47B97C7B1FAB25DD
ZZZZZZZZZZZZZZZZZZZZZZ         92FE731355463CED
ZZZZZZZZZZZZZZZZZZZZZZZ        99465277D42480E5
ZZZZZZZZZZZZZZZZZZZZZZZZ       A13A46DEE200FC4D
ZZZZZZZZZZZZZZZZZZZZZZZZZ      CFB8E1170DC38C6E
ZZZZZZZZZZZZZZZZZZZZZZZZZZ     2DE7D2C11006D90C
ZZZZZZZZZZZZZZZZZZZZZZZZZZZ    E25994E69997E29D
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ   50FB00980AFFAB8C
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ  93D1C5948CDC40FC
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ C829CE9D9DAE5F3B

So, apparently only the username and password are used in the calculation
of the encrypted password hash. If anything else were used, the hash would
perhaps differ, since my database is different from the other one used to
create the same hashes.

I've also done some off-the-cuff calculations; if there are only the
characters 0-9A-F contained within, there are only 64 bits of entropy.

There are 30 chars username, 30 chars password. With 64 bits of entropy
max, this creates a problem. Assuming no punctuation in the passwords (and
punctuation is allowed; I'm making the math easier) you have

  36^30 = 48873677980689257489322752273774603865660850176

combinations of passwords alone - just for the 30 character passwords. And
64 bits of entropy is many orders of magnitude less than that. So it's very
possible that for a single username, many cleartext passwords would work.

Why 36, not 62, for A-Za-z0-9? Usernames and passwords are apparently
case-insensitive. The username is always uppercased (although in a test
database, I have a lowercase username somehow and the hash is the same as
the uppercase username right next to it). Also, check this out:

  create user ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ identified by zzzzzzzzzzzzzzzzzzzzzzzzzzzzzz;

NAME                           PASSWORD
------------------------------ ------------------------------
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ C829CE9D9DAE5F3B

It's the same as the all-uppercase version.

-Pete K
--
Pete Krawczyk
petek at bsod dot net or pkrawczy at uiuc dot edu
http://www.uiuc.edu/ph/www/pkrawczy/
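The three observations in the message above (only the username and password enter the hash, both are case-folded to upper case, and the result is a 64-bit value) are exactly what the legacy Oracle password hash algorithm produces. That algorithm was not known to the thread at the time but was later documented publicly (Wright and Cid, "An Assessment of the Oracle Password Hashing Algorithm", 2005): the upper-cased username and password are concatenated, stored two bytes per character with a zero high byte, zero-padded to a whole number of 8-byte blocks, DES-CBC encrypted with a zero IV under the fixed key 0x0123456789ABCDEF, and the last ciphertext block is then used as the key for a second DES-CBC pass over the same plaintext, whose last block is the stored hash. The program below is an added example written for this page, not code from the post, the thread or Oracle; it implements that documented algorithm with Go's standard-library DES and reproduces the Z/30-Z pairs posted above as well as the widely cited SCOTT/TIGER pair. The function name OracleLegacyHash and the ASCII-only restriction are this example's own choices.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Fixed DES key used for the first CBC pass of the legacy (pre-11g) Oracle hash.
var oracleFirstKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// lastCBCBlock DES-CBC encrypts plaintext under key with an all-zero IV and
// returns only the final ciphertext block. CBC chains every block into the
// next, so that final block depends on the whole input.
func lastCBCBlock(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key) // Go does not check DES key parity, which matches Oracle's use of a derived key
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out[len(out)-des.BlockSize:], nil
}

// OracleLegacyHash computes the 16-hex-digit USER$.PASSWORD value for an
// ASCII username/password pair. Only the two strings go in, both upper-cased
// and with no per-database salt, which is why the thread saw identical hashes
// on different databases and why "zzz..." and "ZZZ..." collide.
func OracleLegacyHash(username, password string) (string, error) {
	combined := strings.ToUpper(username + password)
	if combined == "" {
		return "", errors.New("username and password are both empty")
	}
	// Oracle stores the text two bytes per character; for ASCII the high byte
	// is zero. This example assumes ASCII-only input and rejects anything else.
	buf := make([]byte, 0, 2*len(combined)+des.BlockSize)
	for i := 0; i < len(combined); i++ {
		if combined[i] >= 0x80 {
			return "", fmt.Errorf("non-ASCII byte %#x not supported by this example", combined[i])
		}
		buf = append(buf, 0x00, combined[i])
	}
	// Zero-pad to a whole number of 8-byte DES blocks.
	for len(buf)%des.BlockSize != 0 {
		buf = append(buf, 0x00)
	}
	// Pass 1: encrypt under the fixed key; the last block becomes the key for pass 2.
	derivedKey, err := lastCBCBlock(oracleFirstKey, buf)
	if err != nil {
		return "", err
	}
	// Pass 2: encrypt the same plaintext under the derived key; the last block is the hash.
	digest, err := lastCBCBlock(derivedKey, buf)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(digest)), nil
}

func main() {
	thirtyZ := strings.Repeat("Z", 30)
	// The first three pairs are the ones posted in the thread; SCOTT/TIGER is
	// the classic demo account pair.
	for _, pair := range [][2]string{
		{"Z", thirtyZ},
		{thirtyZ, thirtyZ},
		{thirtyZ, strings.ToLower(thirtyZ)},
		{"SCOTT", "TIGER"},
	} {
		h, err := OracleLegacyHash(pair[0], pair[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-30s %s\n", pair[0], h)
	}
}
```

Two consequences of the construction are worth reading off the code rather than the table: the username is the only thing resembling a salt, so one precomputed table per common account name (SYS, SYSTEM, DBSNMP) covers every database, and the output is a single DES block, so the 64-bit ceiling the post calculates is the actual hash width, not an estimate.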
Current thread:
- [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Nicolas Gregoire (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Stefan Aeschbacher (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Edwards, Steve (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Stefan Aeschbacher (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Edwards, Steve (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes John Lauro (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Pete Krawczyk (Nov 11)
- Re: [PEN-TEST] Oracle USER$ password hashes Olle Segerdahl (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Nicolas Gregoire (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes (Summary) Dragos Ruiu (Nov 16)
- Re: [PEN-TEST] Oracle USER$ password hashes (Summary) Stefan Aeschbacher (Nov 17)
- <Possible follow-ups>
- Re: [PEN-TEST] Oracle USER$ password hashes Michael Owen (Nov 10)
- Re: [PEN-TEST] Oracle USER$ password hashes Wolfgang Zenker (Nov 11)