-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've put together a tool that can be used to build a table of Oracle password hashes from a dictionary file for a designated username. Hashes are calculated by creating a user account similar to the target account to be audited and repeatedly changing the password with "ALTER USER" for each dictionary word, storing the hash for each password in a table. Once the table of hashes is built, a simple SELECT can be issued to determine if the password hash for a target user is a simple dictionary word: SQL> select h.username, h.password, h.hash 2 from hashattack h, dba_users d 3 where d.password = h.hash and h.username = 'SYS'; USERNAME PASSWORD HASH - ---------- -------------------- -------------------- SYS KILTPLEAT 2BBDC477FFB28563 SQL> Written in PL/SQL, available at http://802.11ninja.net/code/hashattack-0.1.tgz, http://802.11ninja.net/code/hashattack-0.1.tgz.asc Comments, questions, concerns welcome. - -Josh - -- - -Joshua Wright jwright@xxxxxxxxxxx 2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF Today I stumbled across the world's largest hotspot. The SSID is "linksys". -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCwq0QTS8i9jZYpL8RApOqAKCnTqrAwCaqKT3KALl0b8CDRo9I0QCfRKnB LcY+tDFFcNAeMbsIg7YWe88= =L/x5 -----END PGP SIGNATURE-----
