
Re: Be an ontruder: Intrude on Oracle panties the OMLETiclios way, the front door!

Message has been deleted

hpuxrac

Aug 19, 2005, 5:34:42 PM
DonBurlesonIsASackOfManur wrote:
> Oracle's Password Transform
>
> Goals:
> - Authentication information ("encrypted password") shall be portable
>   between machines with different character sets (ebcdic and ascii).
> - It should handle non-English languages including those that require
>   16 bits per character.
> - If a user has the same password on two databases, the authentication
>   information will be the same on both machines.
> - It should be hard to tell if two users have the same password.
> - The password transform should be as hard to break as DES.
>
> The Algorithm:
>
> Convert user name and password to uppercase 'normal' form. Normal form
> uses 16 bits to represent each character, and it is independent of
> language and the computer's character set (ascii or ebcdic).
>
> Concatenate normalized user name and password. Pad result to multiple
> of 64 bits. Zero padding is better than some rolling xor algorithm,
> since the latter produces redundant information that an attacker can
> use to check for the correctness of a guess. The result is called
> UPLONG.
>
> Compute cryptographic checksum of UPLONG using a known key and the
> cipher block chaining mode of DES. The known key is hex
> 0123456789ABCDEF. The idea is to extract 56 suitable bits from the
> password. The CBC64 (cipher block chain with 64 bit feedback path)
> checksum makes good use of the bits in a long password, and it spreads
> out the redundant information that is present due to the fact that the
> 'normal' form uses 16 bits per character. The feedback path is 64 bits,
> not the standard 8 bits because it generates a more uniform
> distribution. See Alan T. Sherman's PhD thesis (MIT 1987) for
> justification.
>
> It isn't hard to invert the checksum we just found (the key is known),
> so now we hide this result by using it as the key to compute another
> checksum on the uplong array. That checksum will be used as the
> authentication parameter for the user. Note that DES has the property
> that given a matching block of plaintext and ciphertext it is still
> quite hard to find the key that mapped the plaintext into the
> ciphertext.
>
> We could use the first checksum as a key to encrypt a constant, but it
> seems safer to use non-constant data like the information in the UPLONG
> array. If nothing else this makes a dictionary attack harder.
>
> Note that an attacker must now solve two simultaneous equations for P:
>
> k1 = checksum( k0, U || P )
> k2 = checksum( k1, U || P )
>
> Where 'U || P' is the username concatenated with the password (U is
> known, P is not), k0 is the known key, k1 is the first checksum, and
> k2 is the value placed in the authentication table.
>
> Convert the second checksum value into a machine independent form.
> Since we are not short on characters, express it as a hex string.

I may be wrong but didn't we think omelet had passed away?
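
An added sketch of the transform as the quoted description lays it out, so the stated goals can be checked against the construction (this is not code from the thread and not Oracle's code). Assumptions: 16-bit big-endian characters, an all-zero starting feedback value, and a hypothetical `standin_block` function in place of DES, so the hex values it produces are not real Oracle values; the names and the sample credentials are constructed.

```python
import hashlib
import hmac

K0 = bytes.fromhex("0123456789ABCDEF")  # known key quoted in the post
BLOCK = 8                               # 64-bit blocks and feedback path


def uplong(user, password):
    """Uppercase, 16 bits per character, concatenate, zero-pad to 64 bits."""
    data = (user + password).upper().encode("utf-16-be")  # byte order assumed
    return data + b"\x00" * (-len(data) % BLOCK)


def standin_block(key, block):
    """Hypothetical stand-in for DES block encryption (NOT DES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_checksum(key, data, encrypt_block=standin_block):
    """CBC chaining over 64-bit blocks; the final block is the checksum."""
    feedback = bytes(BLOCK)  # all-zero starting value (assumed)
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], feedback))
        feedback = encrypt_block(key, mixed)
    return feedback


def transform(user, password, encrypt_block=standin_block):
    up = uplong(user, password)
    k1 = cbc_checksum(K0, up, encrypt_block)  # k1 = checksum(k0, U || P)
    k2 = cbc_checksum(k1, up, encrypt_block)  # k2 = checksum(k1, U || P)
    return k2.hex().upper()                   # machine-independent hex string


def design_properties():
    """Check the stated goals, and what the construction leaves out."""
    base = transform("scott", "tiger")  # constructed sample credentials
    return {
        "same_on_every_database": base == transform("scott", "tiger"),
        "case_is_discarded": base == transform("SCOTT", "Tiger"),
        "user_name_acts_as_salt": base != transform("adams", "tiger"),
        # no delimiter between U and P, so the boundary is not hashed
        "u_p_boundary_not_encoded": base == transform("scot", "ttiger"),
    }


if __name__ == "__main__":
    for name, holds in design_properties().items():
        print(f"{name}: {holds}")
```

All four properties follow from the UPLONG construction alone, so they hold whichever block function is passed as `encrypt_block`.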

HansF

Aug 19, 2005, 6:23:40 PM

> I may be wrong but didn't we think omelet had passed away?

PLEASE trim.


Mladen Gogala

Aug 19, 2005, 6:49:25 PM
On Fri, 19 Aug 2005 14:34:42 -0700, hpuxrac wrote:

> I may be wrong but didn't we think omelet had passed away?

Unfortunately not.

--
http://www.mgogala.com

hpuxrac

Aug 19, 2005, 7:32:48 PM
HansF wrote:
> > I may be wrong but didn't we think omelet had passed away?
>
> PLEASE trim.

Sorry what do you mean exactly?

fitzj...@cox.net

Aug 19, 2005, 9:00:24 PM

Snip the posted material from 'omlet' so it isn't propagated throughout
the thread. He doesn't need additional Google hits for his 'product'
or his antics.


David Fitzjarrell

hpuxrac

Aug 19, 2005, 9:06:21 PM

Fine thanks David it's been a long week and my brain cell battery must
be on low.

Message has been deleted

Noons

Aug 23, 2005, 6:32:18 AM
DonBurlesonIsASackOfManur apparently said, on my timestamp of 23/08/2005 6:56 PM:

> Ontruder PartII: The code:
>

and he doesn't know much about "C" either...

--
Nuno Souto
in sunny Sydney, Australia
wizo...@yahoo.com.au.nospam

Message has been deleted

Noons

Aug 25, 2005, 8:49:03 PM

OracleKernelZecurityBuster wrote:

>
> Now, follow the code for the example scot/tiger and
> happy crackin'
>


You really don't know much about C, do you? The code you posted
a number of times already is NOT a cracker routine. Trying to
impress the plebes, are we?

DA Morgan

Aug 26, 2005, 2:06:57 AM

Worse than that. It was published by someone else back around
Oracle 8. He's trying to impress them with someone else's work
and doesn't even have the technical skill required to try it
and realize what it is.
--
Daniel A. Morgan
http://www.psoug.org
damo...@x.washington.edu
(replace x with u to respond)

fitzj...@cox.net

Aug 26, 2005, 1:20:11 PM

And he claims to have worked for Oracle writing code for the server
releases. This simply proves he has lied about his past and his
knowledge. Of course we knew that almost a year ago.


David Fitzjarrell

DA Morgan

Aug 26, 2005, 3:25:44 PM
fitzj...@cox.net wrote:

> And he claims to have worked for Oracle writing code for the server
> releases. This simply proves he has lied about his past and his
> knowledge. Of course we knew that almost a year ago.
>
>
> David Fitzjarrell

Oh he may have worked for Oracle. There are a lot of people in Redwood
Shores whose job it is to keep the grounds clean and the waste baskets
emptied.

Omletv6

Sep 1, 2005, 5:03:51 PM
Part III:

How to link the code to Oracle libraries:

All the routines that start with kz* (e.g. kzsrdec)
are Oracle routines that are available with Oracle installations. For
example, kzsrdec is the kernel zecurity decryption routine. Of course the
code is heavily dependent on the Oracle libraries.
Check the listings. Now for the first 100 visitors
to the omlet.org site: the jar file would contain a working copy of the
code along with about 10 million encrypted passwords!

