
Author Topic: Authentication Oracle [without solution]  (Read 2360 times)

CapitaoVirgulinoFerreira

  • New member
  • Posts: 8
Authentication Oracle [without solution]
« on: December 05, 2023, 08:28:20 pm »
I have an application that fetches information from a database that is not mine.
I have access to this database as an administrator (Oracle).

However, I would like to authenticate access to my application using the same LOGIN and PASSWORD for this database.
Analyzing the table, I saw that the database has 2 fields referring to the password.
Example:

SELECT * FROM USUARIOS

Code:
IDUSER  USERNAME  PASSWD01                    PASSWD02
5555     MYUSER  CC4A064DD77CA8E    lXxHd194tGeUCJvry8a5G+

Is there any way to perform this authentication?
« Last Edit: December 07, 2023, 04:48:06 pm by CapitaoVirgulinoFerreira »

MarkMLl

  • Hero Member
  • Posts: 8012
Re: Authentication Oracle
« Reply #1 on: December 05, 2023, 09:18:55 pm »
Please bear in mind that Oracle expertise is a relative rarity in the open/free software community, and I claim to be no better than average. However, the two strings that you have found in your database

Code:
IDUSER  USERNAME  PASSWD01                    PASSWD02
5555     MYUSER  CC4A064DD77CA8E    lXxHd194tGeUCJvry8a5G+

look like a hash of an actual password, with the first being around 15x4=60 bits and the second tentatively 21x5=105 bits.

I would be surprised if the overall algorithm were particularly good, but the brutal reality is that to find a password that corresponds to MYUSER is probably going to be difficult. I'm carefully not saying impossible, because if you had access to either the executable binary or to the program that generates application-specific keywords you could probably reverse-engineer the algorithm.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Logitech, TopSpeed & FTL Modula-2 on bare metal (Z80, '286 protected mode).
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

CapitaoVirgulinoFerreira

  • New member
  • Posts: 8
Re: Authentication Oracle
« Reply #2 on: December 06, 2023, 12:38:39 am »
(Portuguese, Brazil).

The software that this database belongs to is from a large company.
I have no way of obtaining this information from the source code.

MarkMLl, thank you for your help.

Thaddy

  • Hero Member
  • Posts: 16152
  • Censorship about opinions does not belong here.
Re: Authentication Oracle
« Reply #3 on: December 06, 2023, 07:29:21 am »
As Mark wrote, it is indeed a secure one-way hash and that is also the correct way to store a password. It should be impossible to retrieve the password from the hash.
How it should be used on password entry is to use the same hash algorithm on the entered password and compare that hash to the stored hash. If they are equal the password is valid. IIRC Oracle supports several secure hashes, so examine the documentation to find out the default. It may be in the meta data. Frankly I expect it to be in the meta data.

For example in Oracle 12c the default is a PBKDF2 based sha512 hash.
This is the same as used in HMAC 512.
Older versions used sha1 and really old versions MD5 or even DES3. This is as per the Oracle documentation of version 12c.
A few other remarks:
1. the hash is intentionally deoptimized to prevent timing and brute force attacks, so when handling passwords complete boolean evaluation should be ON in your Pascal hash code and the hash is applied multiple times. This is not always the case with the available FPC hash libraries.
2. the hash type is indeed stored in the meta data.
3. the hash may be only partially stored
4. backwards compatibility is provided in Oracle's hashlib
5. in fact it should be transparent. Oracle client and server handle this
6. But it is possible to create the same hash in Pascal.

So my question is what version of Oracle are you using...
« Last Edit: December 06, 2023, 08:36:55 am by Thaddy »
If I smell bad code it usually is bad code and that includes my own code.

MarkMLl

  • Hero Member
  • Posts: 8012
Re: Authentication Oracle
« Reply #4 on: December 06, 2023, 08:45:11 am »
Those very short hashes suggest that they might not have been generated by Oracle itself, but by application code. As such they might be somewhat weaker than expected.

MarkMLl

Thaddy

  • Hero Member
  • Posts: 16152
  • Censorship about opinions does not belong here.
Re: Authentication Oracle
« Reply #5 on: December 06, 2023, 09:16:19 am »
Why would you do that on an Oracle database...

Oh, and Mark, Oracle provides a version for personal use.
Might be of interest to you. I used just that and my version is 12c.

If your hunch is right, we need more info. What I described is simply how Oracle handles Passwords and that is also available to applications.
« Last Edit: December 06, 2023, 09:19:02 am by Thaddy »

CapitaoVirgulinoFerreira

  • New member
  • Posts: 8
Re: Authentication Oracle
« Reply #6 on: December 06, 2023, 05:30:29 pm »
Code:
CREATE TABLE USUARIOS....

"PASSWD01" CHAR(15 BYTE) NOT NULL ENABLE,
"PASSWD02" CHAR(15 BYTE),

......

Regardless of where the HASH is generated, is there really no way to authenticate?

CapitaoVirgulinoFerreira

  • New member
  • Posts: 8
Re: Authentication Oracle
« Reply #7 on: December 06, 2023, 05:50:30 pm »
I have just run a test.
In the database's original software, I ran a SELECT to see my password.

Real password = TESTE#01

Code:
IDUSER     USERNAME     PASSWD01               PASSWD02
------------------------------------------------------------------------------------------------------
5555       MYUSER       9330135EB495F91        OqOelrc2gq57syO8S2kIzE

Now I changed my password to: TESTE#02

Code:
IDUSER     USERNAME     PASSWD01               PASSWD02
------------------------------------------------------------------------------------------------------
5555       MYUSER       AF3640B088B9383        hJCSLWRsTtLczHaBypBELU

Now I changed my password back to: TESTE#01

Code:
IDUSER     USERNAME     PASSWD01               PASSWD02
------------------------------------------------------------------------------------------------------
5555       MYUSER       9330135EB495F91        OqOelrc2gq57syO8S2kIzE

I noticed that the algorithm that generates the hash is fixed.
Doesn't this information help to find some way to authenticate?
I really don't want to know the users' passwords, only to authenticate. [true/false]


[Portuguese / Brazil]
« Last Edit: December 06, 2023, 05:55:01 pm by CapitaoVirgulinoFerreira »

TRon

  • Hero Member
  • Posts: 3623
Re: Authentication Oracle
« Reply #8 on: December 06, 2023, 07:02:48 pm »
A word of warning.

TS claims to be the administrator of the DB yet he does not know the used user authentication that is configured for the DB. That is either a complete lack of understanding of how databases work (we all have been there one way or another so could be a possibility) or it is a fishing expedition.

imho TS is asking those questions that are marked with a red flag.
This tagline is powered by AI (AI advertisement: Free Pascal the only programming language that matters)

CapitaoVirgulinoFerreira

  • New member
  • Posts: 8
Re: Authentication Oracle
« Reply #9 on: December 06, 2023, 07:44:37 pm »
Quote
A word of warning.

TS claims to be the administrator of the DB yet he does not know the used user authentication that is configured for the DB. That is either a complete lack of understanding of how databases work (we all have been there one way or another so could be a possibility) or it is a fishing expedition.

imho TS is asking those questions that are marked with a red flag.

TRon,

I don't know whether my question was clear.
Perhaps, because of the translation, you may have misinterpreted it.

Here goes...

My client has a piece of software at his company.
This software belongs to a large company here in Brazil.

My client requested a certain kind of automatic change to make it easier to check some entries.
Since I have the database LOGIN/password, I developed a piece of software (my software) that solves my client's problem.
However, it does not record who made the change.
For that, I would like my software to be able to authenticate the users' LOGIN and password against the database, so that I can identify who made the changes in the software I developed.

I hope it is clear now.

CapitaoVirgulinoFerreira

  • New member
  • Posts: 8
Re: Authentication Oracle
« Reply #10 on: December 06, 2023, 07:49:31 pm »
On the site: https://hashes.com/en/tools/hash_identifier
it says the following:

"Possible algorithms: Base64(unhex(MD5($plaintext)))"

Does anyone know how to implement this in Lazarus to test it?

TRon

  • Hero Member
  • Posts: 3623
Re: Authentication Oracle
« Reply #11 on: December 07, 2023, 12:04:13 am »
Quote
I don't know whether my question was clear.

Perhaps, because of the translation, you may have misinterpreted it.
Nah, I think I got the gist of it though the devil might perhaps be in the details.


Quote
Here goes...
Thank you for (further) clarifying your situation.

Quote
My client has a piece of software at his company.
This software belongs to a large company here in Brazil.
Which brings us to the heart of the matter.

Your client has written a piece of software and the authentication is written by your client using your client's software (that is for as far as I am able to understand as the database with usernames and passwords does not seem related to Oracle but seems to be specific to the software that the client wrote)

That means that in case you do not have access to your client's software source-code that you need to contact your client and ask how exactly the users are authenticated (e.g. which hash method was used, as well as the seed in case a seed was used). Normally if you have access to such a database then these kinds of details are known. Oracle has its own method(s) for authenticating users and authentication can be set per user (you can look/search in the Oracle administrative documentation where all kinds of different authentications are described in detail. It uses a completely different database format than you showed, hence I suspect your username and password authentication is done by your client's software).

Does that make things more clear?

TRon

  • Hero Member
  • Posts: 3623
Re: Authentication Oracle
« Reply #12 on: December 07, 2023, 12:07:49 am »
Quote
"Possible algorithms: Base64(unhex(MD5($plaintext)))"

Does anyone know how to implement this in Lazarus to test it?
MD5, Base64 though, I have no idea what unhex means. Is that perhaps converting from hexstring representation to binary storage? Be aware of padding bytes as some standards make use of that as well.
« Last Edit: December 07, 2023, 12:09:34 am by TRon »

MarkMLl

  • Hero Member
  • Posts: 8012
Re: Authentication Oracle
« Reply #13 on: December 07, 2023, 09:11:11 am »
Quote
Your client has written a piece of software and the authentication is written by your client using your client's software (that is for as far as I am able to understand as the database with usernames and passwords does not seem related to Oracle but seems to be specific to the software that the client wrote)

Which is the point I was trying to make. It was Thaddy who started to list the various ways that Oracle could hash things, but there's a real possibility that this is generic software which only happens to be using Oracle as its backend.

Quote
"Possible algorithms: Base64(unhex(MD5($plaintext)))"

That's a possibility. I'd got my maths wrong on the original encoding and assuming that the last character is valid (I was assuming, for some reason, that + was padding) there's 22 * 6 = 132 bits in there. Inspection should now show which end the padding is...

However, one has to ask why there are two separate password columns. There's a real possibility that the first one is a different hash with a weak algorithm, and in any event storing two different hashes is obviously very bad news.

But this really shouldn't be attempted without the client's cooperation.

MarkMLl
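
Added example, not part of any post in this thread and not the application's own code: a Free Pascal sketch of the candidate from reply #10, Base64(unhex(MD5(plaintext))), showing what "unhex" does and why a 16-byte digest comes out as the 22 characters counted in reply #13. The function names, the removal of '=' padding and the byte encoding of the password are assumptions; whether the application really uses this scheme is unknown.

```pascal
program CandidateHashDemo;
{$mode objfpc}{$H+}

uses
  SysUtils, md5, base64;

{ "unhex": turn the 32-character hex form of a digest back into 16 raw bytes. }
function Unhex(const Hex: string): string;
var
  i: Integer;
begin
  SetLength(Result, Length(Hex) div 2);
  for i := 1 to Length(Result) do
    Result[i] := Chr(StrToInt('$' + Copy(Hex, 2 * i - 1, 2)));
end;

{ Candidate only: Base64(unhex(MD5(plaintext))). 16 bytes encode to 24 Base64
  characters ending in '=='; the padding is removed here on the assumption
  that the 22-character PASSWD02 values are stored without it. }
function CandidateHash(const Plain: string): string;
begin
  Result := EncodeStringBase64(Unhex(MD5Print(MD5String(Plain))));
  while (Result <> '') and (Result[Length(Result)] = '=') do
    SetLength(Result, Length(Result) - 1);
end;

{ Compare every character, so the time taken does not depend on the
  position of the first difference. }
function SameHash(const A, B: string): Boolean;
var
  i: Integer;
  Diff: Byte;
begin
  if Length(A) <> Length(B) then
    Exit(False);
  Diff := 0;
  for i := 1 to Length(A) do
    Diff := Diff or (Ord(A[i]) xor Ord(B[i]));
  Result := Diff = 0;
end;

begin
  { Password and PASSWD02 value as posted in the test in reply #7. }
  WriteLn('Candidate : ', CandidateHash('TESTE#01'));
  WriteLn('Stored    : OqOelrc2gq57syO8S2kIzE');
  WriteLn('Length    : ', Length(CandidateHash('TESTE#01')));
  WriteLn('Match     : ', SameHash(CandidateHash('TESTE#01'), 'OqOelrc2gq57syO8S2kIzE'));
end.
```

If Match prints FALSE the guess is wrong for this application (a different digest, a salt or key, or a different character encoding of the password), and the details have to come from the vendor or the client. A scheme of this shape has no per-user salt, which is consistent with the repeat of the same stored value for TESTE#01 seen in reply #7.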

TRon

  • Hero Member
  • Posts: 3623
Re: Authentication Oracle
« Reply #14 on: December 07, 2023, 11:29:46 am »
Quote
Which is the point I was trying to make.
Yes, you did indeed but it looked to me as if TS did not pick up on that, hence I elaborated with the intention to make it more clear.

Quote
It was Thaddy who started to list the various ways that Oracle could hash things, but there's a real possibility that this is generic software which only happens to be using Oracle as its backend.
Also true, in which case it is (as far as my knowledge and available documentation on Oracle exists) still the client's software that dictates (choosing the methods that Oracle offers and which ones exactly is/are being used).

Quote
But this really shouldn't be attempted without the client's cooperation.
Exactly that indeed.

The client has the answers. For us it is but a guessing game (and frankly one I don't like to play as it is time intensive trying to figure out. And that is assuming that it is even possible to figure it out).

 
