New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Oracle 18c hash_dump, JTR format not supported #11624
Comments
I was unaware Oracle had a free version of the database. Also, I don't like Oracledb and never looked. Downloading 18c xe now, will spin up a vm after the 2.4gig download finishes, and start to take a look. I think the I see oracle has 11.2 xe, but no v12? any ideas where that is (legally) |
Free for students, I believe (1/1 perk of college debt).
Totally agree. With each version's changes, it seems like it's getting more difficult to keep As per https://community.oracle.com/thread/4170956,
:( |
Oracle is surprisingly friendly on licensing requirements for development. They want money as soon as you move to something used in testing however. See Development Environment:
|
Hi! This issue has been left open with no activity for a while now. We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. |
18c not supported yet
Oracle 18c (successor of 12c) hashing is not supported by
oracle_hashdump
. The root cause is the different hashing of 18c (a new format, but reusing 160-bit T part).Currently, hash formats up to Oracle 12c is supported by
lib/msf/core/auxiliary/jtr.rb
(modulejtr_oracle_fast
makes use of itshash_to_jtr
function)Explanation of 12c hashing:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/
12c hashes look like this (full S, H, and T parts):
S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699
To my understanding (I've tested a similar query that
oracle_hashdump
runs on my own 18c database) 18c hashes look like this (only S and T part -- no H part whatsoever, in all user pw hashes):S:C9E559319D4098C71B572773853B0B4A66621AF43FDA792306BE3E3C84B4;T:8C989A3B100233F409A2BAE89C58D444B39AFFD9636354B64C5BE82ACB58B0A9507B5B3BBA8D58D824DE95CD6C1A39E
Confusing results when querying
As mentioned above, I ran a similar query, not the same one as
oracle_hashdump
, because the same one doesn't work, even though the 18c hashes are still stored in the samespare4
column.On my 18c DB, trying the same query of
SELECT name, spare4 FROM sys.user$ where password is not null and name <> 'ANONYMOUS';
results in:Weird, I thought. So I ran this:
SELECT name, spare4, password FROM sys.user$ where name <> 'ANONYMOUS' and password is null;
and got over 120 entries. Some empty, some with full S and T parts, and some with a bunch of zeroes in their S and T parts. To sum it up, here's what a few of them look like:With these results (after querying for a null password and getting many entries with full hashes), I'm a bit confused as to what
password
actually means in the original query that works for 12c. Nonetheless, it seems that the H part is gone with 18c, and the meaning ofpassword
possibly also changed. I'm also confused because these changes were not documented anywhere that I can find.(ping @h00die any ideas?)
The text was updated successfully, but these errors were encountered: