Oracle-L: RE: password

From: <Jared.Still_at_radisys.com>
Date: Tue, 17 Dec 2002 13:12:32 -0800
Message-ID: <F001.0051BE1A.20021217131232@fatcity.com>

> Does "CHANGE_ON_INSTALL" have the same hash value for every
> version and every instance?

Yes, it does.

Check: http://www.pentest-limited.com/default-user.htm

This is a pentest list of default Oracle passwords.

I've used this to create a perl script that checks for default passwords.

It doesn't matter which version of Oracle.

Jared

"Jesse, Rich" <Rich.Jesse_at_qtiworld.com>
Sent by: root_at_fatcity.com
12/17/2002 11:03 AM
Please respond to ORACLE-L

        To:     Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
        cc: 
        Subject:        RE: password

Interesting. Does "CHANGE_ON_INSTALL" have the same hash value for every version and every instance?

Not being much of a hacker (anymore) I would think that with only one algorithm and several known passwords (you can generate them yourself), this
wouldn't be much of a challenge to real hackers. Hell, the client encrypts
it to send to the server, right? That code could be reverse engineered, too. BTW, VMS has many algorithms in play to help prevent such an attack on
it's passwords. <plug plug>

Oh to have the spare time of a 15-year old again... :)

Rich

Rich Jesse                           System/Database Administrator
Rich.Jesse_at_qtiworld.com              Quad/Tech International, Sussex, WI

USA
> -----Original Message-----
> From: Ruth Gramolini [mailto:rgramolini_at_tax.state.vt.us]
> Sent: Tuesday, December 17, 2002 12:39 PM
> To: Multiple recipients of list ORACLE-L
> Subject: Re: password
>
>
> Wrong, I took my first Oracle class with a woman who had cracked the
> algorithm. At the time, I didn't know enough to ask her for it.
>
> Ruth
> ----- Original Message -----
> To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>
> Sent: Tuesday, December 17, 2002 12:04 PM
>
>
> How, Oracle does not publish the password encryption algorithm,
> and I don't believe anyone has cracked it.
>
> Jared
>
>
>
>
>
>
> Paulo Gomes <PGomes_at_Datinfor.pt>
> Sent by: root_at_fatcity.com
> 12/17/2002 04:38 AM
> Please respond to ORACLE-L
>
>
> To: Multiple recipients of list ORACLE-L
> <ORACLE-L_at_fatcity.com>
> cc:
> Subject: RE: password
>
>
> nope u can get the encripted password from the oracle dictionáry
> -----Original Message-----
> Sent: terça-feira, 17 de Dezembro de 2002 11:34
> To: Multiple recipients of list ORACLE-L
>
> Check the post-it note on their monitor?
>
> :)
> -----Original Message-----
> Sent: 17 December 2002 10:55
> To: Multiple recipients of list ORACLE-L
>
> he can't but he can change it to a new one and then put the
> old back on
> -----Original Message-----
> Sent: terça-feira, 17 de Dezembro de 2002 4:09
> To: Multiple recipients of list ORACLE-L
>
> how can a dba see the password of a user.

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jesse, Rich
  INET: Rich.Jesse_at_qtiworld.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).




-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: 
  INET: Jared.Still_at_radisys.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

Received on Tue Dec 17 2002 - 15:12:32 CST