RE: Oracle hash-list?

Our external PWC auditors had such a tool and ran brute force attacks
against our database. They came up with several hits. They took a copy
of our oracle user table off-site.

The easy way to build your own brute force tool or "rainbow crack" type
tool would be to simply create a stored procedure inside a test
database. Since we know that the password is stalted with the username
(and apparently nothing else) you could simply have Oracle do all the
work for you inside a database of your choosing. Write a proc in your
own copy of Oracle that iterates through your dictionary, sequencer,
whatever, each time changing the password of your target ID, selecting
the hash from the data dictionary, save it to a table, repeat.

Since Oracle's password namespace is case insensitive and has only
limited special symbols, it shouldn't be too hard to use Oracle's own
procedures as your primary cracking tool. You could probably set the
whole thing up on a small box with 512mb of ram and a little disk. You
wouldn't need a whole bunch of IO bandwidth since all the work would
probably be cached in RAM (you would be writing a steady stream out to
disk, but it would be small). Then all you would need is time.

Andy

> -----Original Message-----
> From: Nexus [mailto:nexus@patrol.i-way.co.uk] 
snip
> Adding to that, it's also aggressively defended by Oracle - I know of 
> two occasions in which a legal Cease & Desist has been fired off...
>
> If there are such hash related tools out there, don't expect 
> anyone to 
> advertise the fact.
>
> Cheers.