From: Pieter Danhieux (pdanhieux@easynet.be)
Date: Wed Mar 16 2005 - 14:51:21 EST
Hi Jeroen,

Are you aware that the hashes stored in the Oracle database do not really
use a salt (which is bad), but they do use the username as a
differentiating factor? This means that the hash output depends on the
password AND the username. Using pre-computed hashes to do an offline
attack will be difficult, because you need a precomputed hash of all
common passwords and all common usernames. That is why you can only
find 'online' password crackers for Oracle. As far as I am aware,
there is no open-source offline password cracker, although there are
some commercial tools which claim to have cracked the encryption used
and can do offline cracking.

My 2 cents ...
--
Pieter Danhieux, CISSP, GSEC, GCIH

On 15 Mar 2005, at 23:02, Jeroen wrote:
> Hi all,
>
> I'm working on an Oracle auditing tool whose features include `offline'
> password cracking by means of downloading hashes of a live SID and comparing
> them to pre-calculated ones. Before spoiling a lot of CPU cycles, I'm
> interested if one of you guys already has generated a "<word>, <word's
> hash>" list of let's say all 1-8 character-possibilities. Anyone?
>
> Thanks in advance,
>
> Jeroen
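Added example, not part of the original thread: a small model of why a username-dependent hash forces a precomputed table to cover every (username, password) pair, yet still falls short of a random per-account salt because well-known account names repeat across installations. SHA-256 is a stand-in (the post does not describe Oracle's algorithm), and the account names, wordlist and function names are constructed for illustration.

```python
import hashlib
import os

WORDLIST = ["manager", "tiger", "welcome"]   # constructed sample wordlist
SITES = {                                    # constructed sample accounts
    "site-a": [("SYSTEM", "manager"), ("SCOTT", "tiger"), ("APPUSER", "manager")],
    "site-b": [("SYSTEM", "manager"), ("HR", "tiger")],
}

def digest(prefix: bytes, password: str) -> str:
    # SHA-256 stand-in for the database's password hash (assumption).
    return hashlib.sha256(prefix + b"\x00" + password.encode()).hexdigest()

# What each scheme mixes into the hash besides the password.
SCHEMES = {
    "unsalted": lambda user, salt: b"",
    "username": lambda user, salt: user.encode(),
    "random-salt": lambda user, salt: salt,
}

def store(scheme):
    """Hash every account the way each site would store it."""
    prefix = SCHEMES[scheme]
    rows = []
    for site, accounts in SITES.items():
        for user, password in accounts:
            salt = os.urandom(16)  # only the random-salt scheme uses it
            rows.append((site, user, digest(prefix(user, salt), password)))
    return rows

def build_table(scheme, guessed_users):
    """Table computed ahead of time: wordlist and guessed usernames only,
    since a per-account random salt cannot be known in advance."""
    prefix = SCHEMES[scheme]
    return {digest(prefix(u, b""), w) for u in guessed_users for w in WORDLIST}

def covered_by_table(scheme, guessed_users):
    """Accounts, across all sites, whose stored hash appears in the table."""
    table = build_table(scheme, guessed_users)
    return sorted((s, u) for s, u, h in store(scheme) if h in table)

if __name__ == "__main__":
    for scheme in SCHEMES:
        hits = covered_by_table(scheme, ["SYSTEM"])
        size = len(build_table(scheme, ["SYSTEM"]))
        print(f"{scheme:12} table={size} covered={hits}")
```

The username-keyed run covers only the SYSTEM account, but on both sites, which is the practical reason to use long, unique passwords on default accounts and to prefer a scheme with a random salt.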