Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Oracle 11g Password algorithm revealed

from [pete] Network Security [Permanent Link]
Subject: Oracle 11g Password algorithm revealed
Date: 22 Sep 2007 19:45:03 -0000 
Hi All,

I have been posting a few entries to my blog over the last few weeks on Oracle 
11g Security and have been looking at the new SHA-1 password algorithm used in 
Oracle 11g. 

The password algorithm is simple and very easy to guess once you realise that 
the sha1 verifier stored in the database is 80 bits too long. Its also obvious 
from other testing I documented on my blog that a salt is indeed used. Once 
these facts are known the algoritm can be guessed. The algorithm is simply 
SHA1(pwd||salt) = 160 bit verifier||salt (stored in sys.user$spare4. 

To create a simple function to test a verifier you simply need to do:

SYS.USER$.SPARE4 = SHA1("pwd guess" || substr(sys.user$.spare4,43,10)) || 
substr(sys.user$.spare4,43,10)

I have created a simple PL/SQL test program that can be used to verify 
passwords hashed with the new SHA1 verifier. The code is:

SQL> get c:\11g_notes\sha1.sql
1 set feed on
2 set head on
3 set arraysize 1
4 set space 1
5 set verify off
6 set pages 25
7 set lines 80
8 set termout on
9 set serveroutput on size 1000000
10 undefine user_to_find
11 undefine pwd_guess
12 accept user_to_find char prompt 'NAME OF USER TO CHECK [system]: ' default 
system
13 accept pwd_guess char prompt 'PWD to test [manager]: ' default manager
14 DECLARE
15 lv_pwd_raw RAW(128);
16 lv_enc_raw RAW(2048);
17 lv_hash_found varchar2(300);
18 cursor c_main(cp_user in varchar2) is
19 select substr(spare4,3,40) hash,
20 substr(spare4,43,20) salt,
21 spare4
22 from sys.user$
23 where name=cp_user;
24 lv_user c_main%rowtype;
25 BEGIN
26 open c_main(upper('&&user_to_find'));
27 fetch c_main into lv_user;
28 close c_main;
29 lv_pwd_raw:= utl_raw.cast_to_raw('&&pwd_guess')||hextoraw(lv_user.salt);
30 lv_enc_raw := sys.dbms_crypto.hash(lv_pwd_raw, 3);
31 lv_hash_found:=utl_raw.cast_to_varchar2(lv_enc_raw);
32 if lv_enc_raw = lv_user.hash then
33 dbms_output.put_line('PWD found');
34 else
35 dbms_output.put_line('PWD not found');
36 end if; 
37* END;
38 

More details can be found on my blog 
http://www.petefinnigan.com/weblog/archives/00001097.htm

cheers

Pete
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] COSEINC Linux Advisory #2: IA32 System Call Emulation Vulnerability, Wojciech Purczynski
Next by Date:  Re: [Full-disclosure] Oracle 11g Password algorithm revealed, Thierry Zoller
Previous by Thread:  [Full-disclosure] COSEINC Linux Advisory #2: IA32 System Call Emulation Vulnerability, Wojciech Purczynski
Next by Thread:  Re: [Full-disclosure] Oracle 11g Password algorithm revealed, Thierry Zoller
Indexes:  [Date] [Thread] [Top] [All Lists]