Re: Interesting Hack

From: Seth Miller <sethmiller.sm_at_gmail.com>
Date: Thu, 10 Jul 2014 17:17:19 -0500
Message-ID: <CAEueRAWR5nQK1BDPW6imUu7zF7X88eO_jrCMgJYsAnLkXgYUHQ_at_mail.gmail.com>



Yes, they are salted, making a reverse lookup ostensibly impossible. However, the spare4 column is simply the sha1 hash of the 40-character sha1 hash of the password concatenated with a 20-character salt. How the salt was created doesn't matter. There are dozens of scripts on the internet for brute-force cracking Oracle database passwords.

    if sha1(sha1(password) || substr(spare4, 43, 20)) == spare4 then
        cracked!

Seth

On Thu, Jul 10, 2014 at 3:33 PM, McPeak, Matt <vxsmimmcp_at_subaru.com> wrote:

> How are they already cracked? I thought all hashed passwords were
> salted to avoid a simple lookup against pre-built tables.
>
>
>
> Or are you saying they’ve cracked every 8 character password for every
> possible salt value?
>
>
>
>
>
> *From:* Seth Miller [mailto:sethmiller.sm_at_gmail.com]
> *Sent:* Thursday, July 10, 2014 3:24 PM
> *To:* McPeak, Matt
> *Cc:* curtisbl_at_gmail.com; oracle_at_1001111.com; Oracle-L
> *Subject:* Re: Interesting Hack
>
>
>
> It depends on the length and complexity of the password used. Any
> combination of eight characters or less is sitting in a rainbow table you
> can download right now and is already cracked. Longer passwords without
> sufficient complexity will be cracked as well.
>
> If you think you have outwitted a hacker by using l33t to come up with
> "70rchw00d", you deserve to be hacked. #BrokenRecord
>
> Seth
>
>
>
> On Thu, Jul 10, 2014 at 2:03 PM, McPeak, Matt <vxsmimmcp_at_subaru.com>
> wrote:
>
> The article casually mentions cracking the password hash to get the system
> password. I didn’t know it was that easy!
>
>
>
>
>
>
>
> *From:* oracle-l-bounce_at_freelists.org [mailto:
> oracle-l-bounce_at_freelists.org] *On Behalf Of *Bobby Curtis
> *Sent:* Thursday, July 10, 2014 1:17 PM
> *To:* sethmiller.sm_at_gmail.com
> *Cc:* oracle_at_1001111.com; Oracle-L
> *Subject:* Re: Interesting Hack
>
>
>
> Seth,
>
>
>
> Not harsh at all.
>
>
>
> I thought it was an interesting hack as well. I think the point of this
> hack example was to highlight what not to do; but we are all human and
> don’t listen half the time.
>
>
>
> Bobby
>
>
>
>
>
> On Jul 10, 2014, at 12:36, Seth Miller <sethmiller.sm_at_gmail.com> wrote:
>
>
>
> That is interesting except DBSNMP does not have a default password.
>
> If your application is not using bind variables (which would prevent this
> simple sql injection) and you are dumb enough to set your privileged DBSNMP
> account password to DBSNMP, you deserve to be hacked.
>
> Am I being too harsh?
>
> Seth
>
>
>
> On Wed, Jul 9, 2014 at 7:32 PM, Dave Morgan <oracle_at_1001111.com> wrote:
>
> Granted the database security was crap to begin with but I did not know
> the escape to shell trick.
>
>
> http://www.notsosecure.com/blog/2014/07/08/abusing-oracles-create-database-link-privilege-for-fun-and-profit/
>
> Dave
>
> --
> Dave Morgan
> Senior Consultant, 1001111 Alberta Limited
> dave.morgan_at_1001111.com
> 403 399 2442
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>
>
>
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Jul 11 2014 - 00:17:19 CEST
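
An added example, not part of the original message or of any Oracle tooling: a password audit over spare4 verifiers that flags accounts whose password equals the username or appears on a deny list, showing that the stored salt blocks table lookups but leaves each guess at the cost of one SHA-1. It assumes the 11g-style layout "S:" + 40 hex digest + 20 hex salt with digest = SHA-1(password bytes + raw salt bytes); the function names, account rows, salts and deny list are hypothetical, constructed sample data.

```python
import hashlib

def make_verifier(password, salt):
    # Builds constructed sample data only: "S:" + SHA-1 hex + salt hex.
    digest = hashlib.sha1(password.encode() + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()

def matches(spare4, candidate):
    # The salt is stored next to the digest, so testing one guess costs
    # one SHA-1; salting only defeats precomputed (rainbow) tables.
    if not spare4 or not spare4.startswith("S:") or len(spare4) < 62:
        return False                          # no S: verifier on this row
    digest_hex = spare4[2:42]                 # substr(spare4, 3, 40)
    try:
        salt = bytes.fromhex(spare4[42:62])   # substr(spare4, 43, 20)
    except ValueError:
        return False                          # malformed salt field
    guess = hashlib.sha1(candidate.encode() + salt).hexdigest()
    return guess.upper() == digest_hex.upper()

def audit(accounts, deny_list):
    # Returns {username: reason} for every account that fails the audit.
    findings = {}
    for user, spare4 in accounts.items():
        checks = [(user, "password equals username"),
                  (user.lower(), "password equals username")]
        checks += [(p, "deny-listed password") for p in deny_list]
        for candidate, reason in checks:
            if matches(spare4, candidate):
                findings[user] = reason
                break
    return findings

# Constructed sample rows (username -> spare4); not real verifiers.
SAMPLE = {
    "DBSNMP": make_verifier("DBSNMP", bytes.fromhex("00112233445566778899")),
    "APP1": make_verifier("70rchw00d", bytes.fromhex("a1a2a3a4a5a6a7a8a9aa")),
    "APP2": make_verifier("70rchw00d", bytes.fromhex("0b1b2b3b4b5b6b7b8b9b")),
    "BATCH": make_verifier("Quartz-Heron-41-Lantern-Oboe",
                           bytes.fromhex("c0c1c2c3c4c5c6c7c8c9")),
}
DENY_LIST = ["70rchw00d", "welcome1", "oracle"]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE, DENY_LIST).items():
        print(user, "->", reason)
```

APP1 and APP2 share a password yet store different verifiers, and both are still flagged, which is why the remedy is long, non-guessable passwords and restricted access to the verifier column rather than reliance on the salt.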
