RE: Interesting Hack
Date: Thu, 10 Jul 2014 20:33:29 +0000
Message-ID: <D7864FA3E7830B428CB2A5A5301B63EE01A3FA5AD5_at_S7041VA005.soa.soaad.com>
How are they already cracked? I thought all hashed passwords were salted to avoid a simple lookup against pre-built tables.
Or are you saying they’ve cracked every 8 character password for every possible salt value?
From: Seth Miller [mailto:sethmiller.sm_at_gmail.com]
Sent: Thursday, July 10, 2014 3:24 PM
To: McPeak, Matt
Cc: curtisbl_at_gmail.com; oracle_at_1001111.com; Oracle-L
Subject: Re: Interesting Hack
It depends on the length and complexity of the password used. Any combination of eight characters or fewer is sitting in a rainbow table you can download right now and is already cracked. Longer passwords without sufficient complexity will be cracked as well. If you think you have outwitted a hacker by using l33t to come up with "70rchw00d", you deserve to be hacked. #BrokenRecord
Seth
On Thu, Jul 10, 2014 at 2:03 PM, McPeak, Matt <vxsmimmcp_at_subaru.com> wrote:
The article casually mentions cracking the password hash to get the system password. I didn't know it was that easy!
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Bobby Curtis
Sent: Thursday, July 10, 2014 1:17 PM
To: sethmiller.sm_at_gmail.com
Cc: oracle_at_1001111.com; Oracle-L
Subject: Re: Interesting Hack
Seth,
Not harsh at all.
I thought it was an interesting hack as well. I think the point of this hack example was to highlight what not to do; but we are all human and don’t listen half the time.
Bobby
On Jul 10, 2014, at 12:36, Seth Miller <sethmiller.sm_at_gmail.com> wrote:
That is interesting except DBSNMP does not have a default password.
If your application is not using bind variables (which would prevent this simple sql injection) and you are dumb enough to set your privileged DBSNMP account password to DBSNMP, you deserve to be hacked.
Am I being too harsh?
Seth
On Wed, Jul 9, 2014 at 7:32 PM, Dave Morgan <oracle_at_1001111.com> wrote:
Granted the database security was crap to begin with but I did not know the escape to shell trick.
Dave
--
Dave Morgan
Senior Consultant, 1001111 Alberta Limited
dave.morgan_at_1001111.com
403 399 2442
--
http://www.freelists.org/webpage/oracle-l
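Matt's question about salted hashes and Seth's point that any short password is already "cracked" are both right, and the following added example (not code from the thread or from Oracle) shows why. An unsalted hash is a single lookup in a table that somebody else hashed once; a salt defeats that table, but the attacker simply reads the salt stored beside the hash and repeats the work per account, and an 8-character password is a small enough keyspace that this still succeeds. (Oracle's pre-11g hash used only the username as its salt, which is why precomputed tables for well-known accounts such as DBSNMP were practical; 11g added a random per-user salt.) The candidate list, the salt and the tiny alphabet used for the brute-force run are constructed for the demo, and SHA-1 stands in for whatever fast hash a given system uses.

```python
"""Added example: why an unsalted hash is a table lookup and a salted one is
per-hash work. Not code from the Oracle-L thread. The candidate list, the
salt and the brute-force alphabet are constructed for the demo; SHA-1 stands
in for a generic fast password hash."""
import hashlib
import itertools
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for a downloaded cracking table: a handful of guesses.
# A real rainbow table stores hash chains plus a reduction function to save
# space, but the property that matters is the same: hashing is done once, up
# front, and every unsalted hash is afterwards a cheap lookup.
CANDIDATES = ["password", "oracle", "tiger", "dbsnmp", "Summer14", "70rchw00d"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password for every candidate (the 'rainbow table')."""
    return {sha1_hex(p.encode()): p for p in candidates}


def crack_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Unsalted hash: one dictionary lookup, no hashing at crack time."""
    return table.get(digest)


def hash_salted(password: str, salt: bytes) -> str:
    """Salt is prepended, so equal passwords with different salts hash differently."""
    return sha1_hex(salt + password.encode())


def crack_salted_with_table(digest: str, table: Dict[str, str]) -> Optional[str]:
    """The precomputed table was built without this salt, so it misses."""
    return table.get(digest)


def brute_force_salted(digest: str, salt: bytes, alphabet: str,
                       max_len: int) -> Tuple[Optional[str], int]:
    """Per-hash attack once the salt is known (it is stored beside the hash).

    Returns (password or None, number of hashes computed). The salt forces
    this work to be repeated for every account instead of once for a table,
    but it does nothing to enlarge the keyspace of a short password.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if hash_salted(guess, salt) == digest:
                return guess, attempts
    return None, attempts


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive attack must cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    leaked = sha1_hex(b"70rchw00d")             # unsalted hash from a dump
    print("unsalted:", crack_unsalted(leaked, table))
    salt = b"\x8f\x11\xa3\x07"                  # constructed per-user salt
    salted = hash_salted("70rchw00d", salt)
    print("salted via table:", crack_salted_with_table(salted, table))
    print("salted via brute force:",
          brute_force_salted(hash_salted("cab", salt), salt, "abc", 3))
    print("8 printable ASCII chars:", keyspace_size(95, 8), "candidates")
```

The last line is the practical caveat to Matt's question: 95 printable characters to the power of 8 is about 6.6e15 candidates, which a salt forces the attacker to cover once per account rather than once for everybody, but which a GPU cracking rig covers in days for a fast hash. Length and a slow, salted hash (bcrypt, scrypt, PBKDF2 with a high iteration count) are what move the cost, not the salt alone.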
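Seth's remark that bind variables would have prevented "this simple sql injection" is worth seeing side by side. The following is an added example, not code from the thread or from the article it discusses: the same login query written once by splicing user input into the SQL text and once with bind variables. sqlite3 stands in for Oracle so it runs offline; the `:name` placeholders have the same shape as Oracle bind variables. The user table, its rows and the two payloads are constructed for the demo, and passwords are kept in clear text only to keep the injection point obvious.

```python
"""Added example: the same login query with string concatenation and with
bind variables. Not code from the Oracle-L thread; sqlite3 stands in for
Oracle, and the users table, its rows and the payloads are constructed."""
import sqlite3
from typing import List, Tuple

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple", "user"),
    ("dbadmin", "Sup3rS3cretAdmin!", "admin"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO app_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn: sqlite3.Connection, username: str,
                 password: str) -> List[Tuple[str, str]]:
    """Vulnerable: input is spliced into the SQL text, so a quote or a comment
    marker in the input changes the statement the database parses."""
    sql = ("SELECT username, role FROM app_users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_bind(conn: sqlite3.Connection, username: str,
               password: str) -> List[Tuple[str, str]]:
    """Hardened: the statement text is fixed; values travel as bind variables
    and are compared as data, never parsed as SQL."""
    sql = ("SELECT username, role FROM app_users "
           "WHERE username = :u AND password = :p")
    return conn.execute(sql, {"u": username, "p": password}).fetchall()


# Two classic payloads: comment out the password check, or make the
# WHERE clause always true.
COMMENT_OUT = "dbadmin' --"
ALWAYS_TRUE = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("concat, comment payload:  ", login_concat(conn, COMMENT_OUT, "x"))
    print("concat, tautology payload:", login_concat(conn, "x", ALWAYS_TRUE))
    print("bind, comment payload:    ", login_bind(conn, COMMENT_OUT, "x"))
    print("bind, tautology payload:  ", login_bind(conn, "x", ALWAYS_TRUE))
    print("bind, real credentials:   ",
          login_bind(conn, "alice", "correct horse battery staple"))
```

With the concatenated query, `dbadmin' --` turns the statement into `WHERE username = 'dbadmin' --' AND password = 'x'`, commenting out the password check, and `' OR '1'='1` makes the WHERE clause true for every row. With binds both payloads are just strings that match no username or password, and the statement text never changes, which is also why the database can cache and reuse the parsed cursor.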
Received on Thu Jul 10 2014 - 22:33:29 CEST