07-15-2012, 09:25 PM
Hello,
I extracted some hashes from an Oracle database with sqlmap (with the --passwords parameter), and I sure got system hashes.
Looks like this (masked)
[*] ADMIN_USR [1]:
1122334455667788
etc....~50 hashes
sqlmap itself identifies the hashes as old_oracle but doesn't crack any of them; the wordlist is only 500 words long.
For use in the hashcat suite I know that they are hashed with the username itself and must be assembled like this:
first 16 is the hash, the rest is the username
1122334455667788:ADMIN_USR
So I fired up cudahashcat with --hash-type 3100, and cudahashcat runs nicely, but not a single hash is cracked.
Usually when not a single hash is cracked it tends to be a salt issue, even with a small hashfile like this (~50 hashes).
So my conclusion is that either they have really strong passwords OR it's me that didn't get how to salt/assemble the hashfile for use in cudahashcat. I'm almost sure it's me that can't figure out how to assemble my hashfile with the salt, given the really poor security and simple mistakes in their network.
I've googled and read a lot of stuff regarding Oracle old hashes, and if I understand right, it is (password:salt) where salt = username.
So my question is... Am I all wrong, and have they salted it with something other than the username? Does upper/lower case matter in the salt? Like this: 1122334455667788:admin_usr
Or is this just a question of a good password policy? Or is it another algorithm? The system *is* Oracle with JSP, so it should be password:salt = hash, right?