Re: Finnigan's Wake

Hi Mladen,

The algorithm is listed in a paper linked on my papers page http://www.p etefinnigan.com/orasec.htm - go there and search for "oracle password decrypt", the description on the tools page of martins script has a link to the white papers page. To save you looking the link points to here :

http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=803& lngWId=5

which describes the algorithm and also some VB to do the encryption. Martin reversed this in perl and put the script on the algorithm on the pen-test mailing list. Sorry I didn't put the text from this link on my site just a link to it.

The string in the script is not a password, its a fixed string that is appended to encrypted passwords. You are right I have not tested the script as i didn't have "Oracle toplink mapping workbench" installed but others on the pen-test mailing list did test it and told me it worked correctly - perhaps I should not have taken their word and should have got and loaded toplink and generated a password and tested it.

Sorry Mladen,

But please have a look at the algorithm in the link above and see if it makes more sense.

Just to confirm, its the encryption for toplink not for the oracle database.

kind regards

Pete

In article <20040326152209.GA5827_at_mladen.wangtrading.com>, Mladen Gogala <mladen_at_wangtrading.com> writes
>Pete, I visited your page and I downloaded Martin's password cracker.
>The script is useless and doesn't work. I'd appreciate if you told me
>which one of the papers describes Oracle's encryption algorithm.
>This script is written by using what I call "stream of consciousness
>scripting technique" and the same applies to the links to "descriptive"
>papers. That is why the post was given this title. If you don't want to
>give information about the oracle encryption algorithm, but, please,
>don't make me lose an hour trying to find something hidden.
>This particular snippet decrypts every password which has the same
>encryption as the one hardcocded in the script.
>**************************************************************************
>$string = "A7FCAA504BA7E4FC";
>
>sub usage {
> print " Usage: $0 <password to decrypt>\n";
> }
>
>if ($#ARGV != 0) {
> usage();
> }
>
>else {
> $encrypted = $ARGV[0];
> $encrypted =~ s/$string$/ / or die ("Invalid Password\n");
>*************************************************************************
>
>This brings me to the conclusion that you haven't really tested the script
>before putting the link on your website, have you?
>
>----------------------------------------------------------------
>Please see the official ORACLE-L FAQ: http://www.orafaq.com
>----------------------------------------------------------------
>To unsubscribe send email to: oracle-l-request_at_freelists.org
>put 'unsubscribe' in the subject line.
>--
>Archives are at http://www.freelists.org/archives/oracle-l/
>FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
>-----------------------------------------------------------------

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to:  oracle-l-request_at_freelists.org
put 'unsubscribe' in the subject line.
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------