Date: Thu, 28 Feb 2013 23:15:20 +0100
From: magnum <>
Subject: Re: Oracle Application Express / Password hashes

On 21 Feb, 2013, at 13:23 , Dhiru Kholia <> wrote:
> I was able to figure out the details of APEX 4.2.1 "default" hashing algorithm.
> In short, stored hash = hashlib.md5(password + sgid + username).hexdigest()
> I am posting a set of scripts to help in dumping APEX hashes from an
> Oracle database and then subsequently cracking them using JtR-jumbo.
> For step-by-step instructions, please see attached
> README-apex-cracking.txt file.

Things like this are good to have documented. I suppose you could commit this to bleeding (and even to unstable btw) - the README in doc/ and in run/. The dump-apex-hashes.sql I'm not sure... maybe that too in doc? Or unused? Maybe we need another directory?

If nothing else you could inline dump-apex-hashes.sql after a scissors line in the readme.
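
The quoted formula, md5(password + sgid + username), used for a defender's banned-password audit over dumped rows. This is an added example, not part of the original thread or the attached scripts. The names `apex_hash` and `audit`, the row layout, the UTF-8 encoding, the decimal-string sgid and all sample values are assumptions.

```python
import hashlib
import hmac


def apex_hash(password: str, sgid: str, username: str) -> str:
    """Hex MD5 of password + sgid + username, per the formula quoted above."""
    # Assumption: the three fields are concatenated as UTF-8 text,
    # with the sgid rendered as a decimal string.
    data = (password + sgid + username).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def audit(rows, banned):
    """Return (username, password) for each account whose stored hash
    matches a password on the banned list."""
    findings = []
    for username, sgid, stored in rows:
        # Normalise hex case: a dump may contain upper-case hex.
        stored = stored.lower()
        for candidate in banned:
            if hmac.compare_digest(apex_hash(candidate, sgid, username), stored):
                findings.append((username, candidate))
                break
    return findings


# Constructed sample rows (username, sgid, stored hash); not real data.
SGID_A = "1000000000000001"
SGID_B = "1000000000000002"
SAMPLE_ROWS = [
    ("ADMIN", SGID_A, apex_hash("Welcome1", SGID_A, "ADMIN")),
    ("ALICE", SGID_A, apex_hash("Welcome1", SGID_A, "ALICE")),
    ("BOB", SGID_B, apex_hash("x9!Lr#2vQp7$", SGID_B, "BOB")),
]
BANNED = ["password", "Welcome1", "oracle"]

if __name__ == "__main__":
    for user, _ in audit(SAMPLE_ROWS, BANNED):
        print(f"{user}: password is on the banned list")
```

ADMIN and ALICE share a password but store different hashes, because sgid and username act as a per-account salt. That salt is fully known from the dump and MD5 is fast, so it does not slow down a per-account check like this one.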

