Re: Interesting Hack
- From: Seth Miller <sethmiller.sm@xxxxxxxxx>
- To: "McPeak, Matt" <vxsmimmcp@xxxxxxxxxx>
- Date: Thu, 10 Jul 2014 17:17:19 -0500
Yes, they are salted making a reverse lookup ostensibly impossible.
However, the spare4 column is simply the sha1 hash of the 40 character sha1
hash of the password concatenated with a 20 character salt. How the salt
was created doesn't matter. There are dozens of scripts on the internet for
brute force cracking Oracle database passwords.
if sha1(sha1(password) || substr(spare4, 43, 20)) == spare4
then
cracked!
Seth
On Thu, Jul 10, 2014 at 3:33 PM, McPeak, Matt <vxsmimmcp@xxxxxxxxxx> wrote:
> How are they already cracked? I thought all hashed passwords were
> salted to avoid a simple lookup against pre-built tables.
>
>
>
> Or are you saying they’ve cracked every 8 character password for every
> possible salt value?
>
>
>
>
>
> *From:* Seth Miller [mailto:sethmiller.sm@xxxxxxxxx]
> *Sent:* Thursday, July 10, 2014 3:24 PM
> *To:* McPeak, Matt
> *Cc:* curtisbl@xxxxxxxxx; oracle@xxxxxxxxxxx; Oracle-L
> *Subject:* Re: Interesting Hack
>
>
>
> It depends on the length and complexity of the password used. Any
> combination of eight characters or less is sitting in a rainbow table you
> can download right now and is already cracked. Longer passwords without
> sufficient complexity will be cracked as well.
>
> If you think you have outwitted a hacker by using l33t to come up with
> "70rchw00d", you deserve to be hacked. #BrokenRecord
>
> Seth
>
>
>
> On Thu, Jul 10, 2014 at 2:03 PM, McPeak, Matt <vxsmimmcp@xxxxxxxxxx>
> wrote:
>
> The article casually mentions cracking the password hash to get the system
> password. I didn’t know it was that easy!
>
>
>
>
>
>
>
> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:
> oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Bobby Curtis
> *Sent:* Thursday, July 10, 2014 1:17 PM
> *To:* sethmiller.sm@xxxxxxxxx
> *Cc:* oracle@xxxxxxxxxxx; Oracle-L
> *Subject:* Re: Interesting Hack
>
>
>
> Seth,
>
>
>
> Not harsh at all.
>
>
>
> I thought it was an interesting hack as well. I think the point of this
> hack example was to highlight what not to do; but we are all human and
> don’t listen half the time.
>
>
>
> Bobby
>
>
>
>
>
> On Jul 10, 2014, at 12:36, Seth Miller <sethmiller.sm@xxxxxxxxx> wrote:
>
>
>
> That is interesting except DBSNMP does not have a default password.
>
> If your application is not using bind variables (which would prevent this
> simple sql injection) and you are dumb enough to set your privileged DBSNMP
> account password to DBSNMP, you deserve to be hacked.
>
> Am I being too harsh?
>
> Seth
>
>
>
> On Wed, Jul 9, 2014 at 7:32 PM, Dave Morgan <oracle@xxxxxxxxxxx> wrote:
>
> Granted the database security was crap to begin with but I did not know
> the escape to shell trick.
>
>
> http://www.notsosecure.com/blog/2014/07/08/abusing-oracles-create-database-link-privilege-for-fun-and-profit/
>
> Dave
>
> --
> Dave Morgan
> Senior Consultant, 1001111 Alberta Limited
> dave.morgan@xxxxxxxxxxx
> 403 399 2442
> --
> //www.freelists.org/webpage/oracle-l
>
>
>
>
>
>
>
Other related posts:
