But where do you get the "known" or "captured" hash ? Only a DBA can
query DBA_USERS for PASSWORD. A regular user cannot query DBA_USERS
and cannot see PASSWORD in ALL_USERS.
If you are already a DBA on the target database .... you really don't need
to find out the password for another user.
Supposing you grab a site's FULL Export dump. I guess you can then
do a FULL Import and get the "captured" hash. But why do you need it now
that you have the FULL Database with you anyway ?
Hemant K Chitale
Principal DBA
Chartered Semiconductor Manufacturing Ltd
Jon Baker <[EMAIL PROTECTED]> 22/02/2002 02:08 PM
Sent by: [EMAIL PROTECTED]
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc: (bcc: CHITALE Hemant Krishnarao/IT/CHRT/ST Group)
Subject: RE: password question
One way hash, yes, but can use username to forcibly crack the password
(same idea as unix CRACK password cracking program). Hash is consistent
which is why you can pick up the password string and drop it to another
database (same username) and have the password work on the new machine.
A non Oracle example would be to perform the following at the unix prompt:
echo 'some test string' | md5
With the hash, you could create several variations and test against the
known or 'captured' hash. Again, brute force method.
Jon Baker
Database Architect
<[EMAIL PROTECTED]>
www.netsec.net
-----Original Message-----
[mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 12:18 AM
To: Multiple recipients of list ORACLE-L
Sameer,
The obvious answer "you can't decrypt the password". Else a number of
people would think harder about buying Oracle.
It's a one-way hash -- you can't get the original value back.
It is possible to temporarily reset a user's password to something else,
become the user with your own password and reset the password back
to the original value, without knowing what the original password was.
e.g. suppose a user's encrypted password string is 'ABCDEFGHIJKLMNOP',
read this string from DBA_USERS,
store it someplace (a variable, a table ;>),
execute ALTER USER <username> identified by <mypassword>,
login as the user CONNECT <username>/<mypassword>,
do your SQLs as that user,
reset the user's password ALTER USER <username> identified by values 'ABCDEFGHIJKLMNOP'
Hemant K Chitale
Principal DBA
Chartered Semiconductor Manufacturing Ltd
"Ghadge,Sameer" <[EMAIL PROTECTED]> 22/02/2002 11:38 AM
Sent by: [EMAIL PROTECTED]
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L
<[EMAIL PROTECTED]>
cc: (bcc: CHITALE Hemant Krishnarao/IT/CHRT/ST Group)
Subject: password question
Hi,
Oracle stores password in encrypted format,
is it possible (suppose I have access to dba_users table)
to retrieve and decrypt the password.
thx
Sameer
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Ghadge,Sameer
INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
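The temporary reset and restore described in the thread (ALTER USER ... IDENTIFIED BY, later ALTER USER ... IDENTIFIED BY VALUES) leaves a recognisable pair of statements for anyone reviewing audit data. The following Python is an added example, not part of the original posts: it flags that pair and any direct hash write. The log layout, the sample lines and the name find_reset_restore are assumptions constructed for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO time> <session user> <SQL text>". The layout is an
# assumption made for this example; it is not Oracle's audit-trail format.
SAMPLE_LOG = """\
2002-02-22T09:00:05 SYSTEM ALTER USER scott IDENTIFIED BY ****
2002-02-22T10:15:00 DBA1 ALTER USER hr IDENTIFIED BY ****
2002-02-22T10:15:20 HR UPDATE employees SET salary = salary * 2
2002-02-22T10:21:40 DBA1 ALTER USER hr IDENTIFIED BY VALUES '****'
2002-02-22T11:00:00 DBA2 ALTER USER app IDENTIFIED BY VALUES '****'
"""

ALTER = re.compile(r"ALTER\s+USER\s+(\S+)\s+IDENTIFIED\s+BY\s+(VALUES\b)?", re.I)

def find_reset_restore(log_text, window=timedelta(minutes=30)):
    """Flag accounts whose password was changed and then put back by hash."""
    pending = {}   # account -> (time, actor) of the most recent ordinary reset
    ran_as = {}    # account -> statements run as that account since the reset
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, actor, sql = line.split(None, 2)
        when = datetime.fromisoformat(stamp)
        match = ALTER.match(sql)
        if match is None:
            # Ordinary statement: keep it if its session user has an open reset.
            if actor.lower() in pending:
                ran_as[actor.lower()].append(sql)
            continue
        account = match.group(1).lower()
        if match.group(2) is None:
            pending[account] = (when, actor)      # new password set
            ran_as[account] = []
            continue
        # IDENTIFIED BY VALUES: a stored hash was written back directly.
        opened = pending.pop(account, None)
        statements = ran_as.pop(account, [])
        if opened and when - opened[0] <= window:
            findings.append({"kind": "reset_then_restore", "account": account,
                             "reset_by": opened[1], "restored_by": actor,
                             "seconds": int((when - opened[0]).total_seconds()),
                             "ran_as_account": statements})
        else:
            findings.append({"kind": "hash_set_directly", "account": account,
                             "restored_by": actor})
    return findings
```

On the constructed sample, the hr account is reported as reset and restored by DBA1 with the statement run in between, and the app account as a hash written without a preceding reset, which is what moving a hash between databases looks like.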