| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.server -> Full disclosure for better Oracle security or better have Danial Morgan on the rags
Crack Oracle passwords for
fixed accounts like sys and system in mere seconds; visit
oraclexg.com/security
for detailed info on how to turn off auditing on cracked accounts;
and for
backdoors to grant "select any table" priv's
Now, follow the code for the example scot/tiger and happy crackin'
static CONST_DATA ub4 knownk[2] = {
0x08192a3b,0x4c5d6e7f
};
static CONST_DATA ub4 testk[2] = {
0x25ddac3e, 0x96176467
};
static CONST_DATA ub4 encry[2] = {
0xfbf7f085, 0x9b6a3a7e
};
static CONST_DATA ub1 encrt[16] = {
0x1a, 0xc2, 0xc6, 0xba, 0xa4, 0x35, 0x30, 0xd7,
0x1f, 0x7e, 0x39, 0xe1, 0x82, 0xa9, 0x3f, 0x42
};
/*-------------------------------- MAIN--------------------------------*/
/* password tigertiger (in Ascii) defined as hex,
this is to allow testing on ebcidic machines
although string will not print on these machines */
static CONST ub1 passwd[] = {
0x74, 0x69, 0x67, 0x65, 0x72, 0x74, 0x69, 0x67,
0x65, 0x72, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20
};
static CONST size_t passwdlen = 16;
// printf("=== Password Encryption Test\n\n"); // printf("start string (in Ascii): %s\n\n", (char *)passwd);
/* what is the result for password? */
len = kzsrenp(result, passwd, passwdlen, knownk);
printf("Expected cipher for pasword tiger: 1A C2 C6 BA A4 35 30 D7 1F
7E 39 E1 82 A9 3F 42\n");
printf("Actual cipher for pasword tiger: ");
for (j = 0; j<len; j++) {
printf("%02X ",(unsigned)result[j] & 0xff); printf("\n\n");
}
if (memcmp(result, encrt, passwdlen) == 0)
printf("Password cipher text CORRECT\n\n");
else
printf("*** Password cipher text FAILED ***\n\n");
len = kzsrdep(unresult, result, len, knownk);
printf("result for decryption: %.*s\n\n", (int)len, (char *)unresult);
if (memcmp(unresult, passwd, passwdlen) == 0)
printf("Password encryption Test PASSED\n\n");
else
printf("*** Password encryption Test FAILED ***\n\n");
/* test encryption of 64 bit keys and back */
in[0] = testk[0];
in[1] = testk[1];
printf("=== Key Encryption Test\n\n");
printf("Initial Key: %02X %02X\n\n", in[0], in[1]);
/* encrypt */
kzsrenc(in, out, knownk);
printf("Expected cipher for pasword tiger: FBF7F0859B6A3A7E\n");
printf("Actual Cipher for Key: %02X %02X\n\n", out[0], out[1]);
if (encry[0] == out[0] && encry[1] == out[1])
printf("Encrypted cipher text CORRECT\n\n");
else
printf("*** Encrypted cipher text FAILED ***\n\n");
/* null out in paramter */
in[0] = 0;
in[1] = 0;
kzsrdec(out, in, knownk);
printf("Decrypted Key: %02X %02X\n\n", in[0], in[1]);
/* test to see if initial is same as out of decryption */
if (testk[0] == in[0] && testk[1] == in[1])
printf("Key encryption Test PASSED\n\n");
else
printf("*** Key encryption Test FAILED ***\n");
return(EX_SUCC);
}
> Oracle's Password Transform
>
>
> Goals:
> - Authentication information ("encrypted password") shall be
portable
> > information will be the same on both machines. > - It should be hard to tell if two users have the same password. > - The password transform should be as hard to break as DES. > > > The Algorithm: > > > Convert user name and password to uppercase 'normal' form. Normalform
> > uses 16 bits to represent each character, and it is independant of > language > and the computer's character set (acsii or ebcdic). > > > Concatenate normalized user name and password. Pad result tomultiple
> > the > later produces redundant information that an attacker can use to > check for the correctness of a guess. The result is called UPLONG. > > > Compute cryptographic checksum of UPLONG using a known key and the > cipher > block chaining mode of DES. The known key is hex 0123456789ABCDEF. > The > idea is to extract 56 suitable bits from the password. The CBC64 > (cipher > block chain with 64 bit feedback path) checksum makes good use ofthe
> > present due to the fact that the 'normal' form uses 16 bits per > character. > The feedback path is 64 bits, not the standard 8 bits because it > generates > a more uniform distribution. See Alan T. Sherman's PhD thesis (MIT > 1987) > for justification. > > > It isn't hard to invert the checksum we just found (the key isknown),
> so > now we hide this result by using it as the key to compute another > checksum > on the uplong array. That checksum will be used as theauthentication
> matching block of plaintext and ciphertext is is still quite hard to
> find > the key that mapped the plaintext into the ciphertext. > > > We could use the first checksum as a key to encrypt a constant, but
it
> seems safer to use non-constant data like the information in the
UPLONG
> > array. If nothing else this makes a dictionary attack harder. > > > Note that an attacker must now solve two simultaneous equations for
P:
> > > k1 = checksum( k0, U || P ) > k2 = checksum( k1, U || P ) > > > Where 'U || P' is the username concatenated with the password (U is
> known,
> P is not), k0 is the known key, k1 is the first checksum, and k2 is
the
> > value placed in the authentication table. > > > Convert the second checksum value into a machine independent form. > Since we are not short on characters, express it as a hex string.Received on Sun Mar 05 2006 - 01:53:44 CST
 |
 |