Yes, they are salted making a reverse lookup ostensibly impossible. However, the spare4 column is simply the sha1 hash of the 40 character sha1 hash of the password concatenated with a 20 character salt. How the salt was created doesn't matter. There are dozens of scripts on the internet for brute force cracking Oracle database passwords.

if sha1(sha1(password) || substr(spare4, 43, 20)) == spare4 then cracked!

Seth

On Thu, Jul 10, 2014 at 3:33 PM, McPeak, Matt <vxsmimmcp@xxxxxxxxxx> wrote:

> How are they already cracked? I thought all hashed passwords were
> salted to avoid a simple lookup against pre-built tables.
>
> Or are you saying they’ve cracked every 8 character password for every
> possible salt value?
>
> *From:* Seth Miller [mailto:sethmiller.sm@xxxxxxxxx]
> *Sent:* Thursday, July 10, 2014 3:24 PM
> *To:* McPeak, Matt
> *Cc:* curtisbl@xxxxxxxxx; oracle@xxxxxxxxxxx; Oracle-L
> *Subject:* Re: Interesting Hack
>
> It depends on the length and complexity of the password used. Any
> combination of eight characters or less is sitting in a rainbow table you
> can download right now and is already cracked. Longer passwords without
> sufficient complexity will be cracked as well.
>
> If you think you have outwitted a hacker by using l33t to come up with
> "70rchw00d", you deserve to be hacked. #BrokenRecord
>
> Seth
>
> On Thu, Jul 10, 2014 at 2:03 PM, McPeak, Matt <vxsmimmcp@xxxxxxxxxx>
> wrote:
>
> The article casually mentions cracking the password hash to get the system
> password. I didn’t know it was that easy!
>
> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:
> oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Bobby Curtis
> *Sent:* Thursday, July 10, 2014 1:17 PM
> *To:* sethmiller.sm@xxxxxxxxx
> *Cc:* oracle@xxxxxxxxxxx; Oracle-L
> *Subject:* Re: Interesting Hack
>
> Seth,
>
> Not harsh at all.
>
> I thought it was an interesting hack as well. I think the point of this
> hack example was to highlight what not to do; but we are all human and
> don’t listen half the time.
>
> Bobby
>
> On Jul 10, 2014, at 12:36, Seth Miller <sethmiller.sm@xxxxxxxxx> wrote:
>
> That is interesting except DBSNMP does not have a default password.
>
> If your application is not using bind variables (which would prevent this
> simple SQL injection) and you are dumb enough to set your privileged DBSNMP
> account password to DBSNMP, you deserve to be hacked.
>
> Am I being too harsh?
>
> Seth
>
> On Wed, Jul 9, 2014 at 7:32 PM, Dave Morgan <oracle@xxxxxxxxxxx> wrote:
>
> Granted the database security was crap to begin with but I did not know
> the escape to shell trick.
>
> http://www.notsosecure.com/blog/2014/07/08/abusing-oracles-create-database-link-privilege-for-fun-and-profit/
>
> Dave
>
> --
> Dave Morgan
> Senior Consultant, 1001111 Alberta Limited
> dave.morgan@xxxxxxxxxxx
> 403 399 2442
> --
> //www.freelists.org/webpage/oracle-l
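
The salt question in this thread, as an added example that is not part of the original messages: a weak-password audit over a stored verifier, showing that a table built under one salt misses a verifier salted differently while a per-verifier check against a denylist still finds the weak password. The hash construction is taken from the top message as written and treated as an assumption; the "S:" prefix, the reading of "||" as hex-string concatenation, the function names, the salt and the denylist are all constructed for illustration.

```python
import hashlib
import hmac

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest().upper()

def make_verifier(password: str, salt_hex: str) -> str:
    # Construction as the message states it: sha1(sha1(password) || salt).
    # Assumptions: "||" joins the hex strings, and the 2-char prefix is "S:".
    return "S:" + sha1_hex(sha1_hex(password) + salt_hex) + salt_hex

def parse_verifier(spare4: str) -> tuple[str, str]:
    # Same fields as substr(spare4, 3, 40) and substr(spare4, 43, 20).
    if len(spare4) != 62 or not spare4.startswith("S:"):
        raise ValueError("unexpected verifier layout")
    return spare4[2:42], spare4[42:62]

def matches(spare4: str, candidate: str) -> bool:
    # Recompute with the salt stored in the verifier itself.
    stored_hash, salt_hex = parse_verifier(spare4)
    recomputed, _ = parse_verifier(make_verifier(candidate, salt_hex))
    return hmac.compare_digest(recomputed, stored_hash)

def audit(spare4: str, denylist: list[str]) -> list[str]:
    # Denylisted passwords that this account's verifier accepts.
    return [p for p in denylist if matches(spare4, p)]

def in_prebuilt_table(spare4: str, table: dict[str, str]) -> bool:
    # A pre-built lookup only hits if it was computed with the same salt.
    return parse_verifier(spare4)[0] in table

# Constructed sample data (not taken from any real database).
DENYLIST = ["welcome1", "DBSNMP", "70rchw00d"]
SALT = "0A1B2C3D4E5F60718293"
WEAK = make_verifier("DBSNMP", SALT)
STRONG = make_verifier("k7#Vq2!mZx9@Lr4$Tn-long-random", SALT)
# Table pre-built under a different (all-zero) salt.
PREBUILT = {parse_verifier(make_verifier(p, "0" * 20))[0]: p for p in DENYLIST}

if __name__ == "__main__":
    print("pre-built table hit:", in_prebuilt_table(WEAK, PREBUILT))
    print("weak account flagged for:", audit(WEAK, DENYLIST))
    print("strong account flagged for:", audit(STRONG, DENYLIST))
```

Run against real verifiers, an account that `audit` flags needs a password change; the salt only forces the check to be repeated per account.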