20171228 Computing the full_hash_value of a db_link

Posted by lfree on 2017-12-29

[20171228] Computing the full_hash_value of a db_link.txt

SCOTT@book> @ &r/ver1
PORT_STRING                    VERSION        BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx            11.2.0.4.0     Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

grant dba to a identified by a;

connect a/a
CREATE DATABASE LINK A CONNECT TO A IDENTIFIED BY a USING '192.168.100.78/BOOK';
CREATE DATABASE LINK B CONNECT TO A IDENTIFIED BY a USING '192.168.100.78/BOOK';

A@book> select sysdate from dual@a;

SYSDATE
-------------------
2017-12-28 15:10:34

A@book> select sysdate from dual@b;
SYSDATE
-------------------
2017-12-28 15:10:35

SYS@book> SELECT KGLHDNSP ,kglnaown,dump(kglnaown,16) c20 ,kglnaobj,kglnahsv FROM x$kglob where  kglhdnsd='DBLINK' and KGLHDNSP=69;
  KGLHDNSP KGLNAOWN  C20                  KGLNAOBJ                       KGLNAHSV
---------- -------- -------------------- ------------------------------ --------------------------------
        69          Typ=1 Len=1: 1       A                              81bba48dfce8b02861466f0dcf04e262
        69 b        Typ=1 Len=1: 62      B                              88feaa22ffa6b1db8d2314ba0941360c
        69          NULL                 A                              ff10282030f73c72c9c594e2f7a54d64
        69 b        Typ=1 Len=1: 62      A                              295be635973bc44911d9f76efb5f521b
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        69          NULL                 RECO.ORACLE.COM                022bfb39389939832aaa659c3b1dfeba

--//Strange: KGLNAOWN shows b (lowercase). The underlined row is the one chosen to crack.

$ echo 295be635973bc44911d9f76efb5f521b | xxd -r -p | od -t x4
0000000 35e65b29 49c43b97 6ef7d911 1b525ffb
0000020

--//Concatenated: 35e65b29 49c43b97 6ef7d911 1b525ffb => 35e65b2949c43b976ef7d9111b525ffb
--//After many attempts it finally cracked. Create the dictionary d.dict:

R:\hashcat>cat d.dict
A.b

R:\hashcat>hashcat64 --force -a 6 -m 0 35e65b2949c43b976ef7d9111b525ffb d.dict --hex-charset -1 00 -2 45  ?b?b?b?2?1?1?1
hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2:         Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped

WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

Cache-hit dictionary stats d.dict: 5 bytes, 1 words, 16777216 keyspace

ATTENTION!
  The wordlist or mask you are using is too small.
  Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
  The cracking speed will drop.
  Workaround:

INFO: approaching final keyspace, workload adjusted

35e65b2949c43b976ef7d9111b525ffb:$HEX[412e6200000045000000]

Session.Name...: hashcat
Status.........: Cracked
Input.Left.....: File (d.dict)
Input.Right....: Mask (?b?b?b?2?1?1?1) [7]
Hash.Target....: 35e65b2949c43b976ef7d9111b525ffb
Hash.Type......: MD5
Time.Started...: 0 secs
Speed.Dev.#1...:    39792 H/s (4.03ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 512/16777216 (0.00%)
Rejected.......: 0/512 (0.00%)
Restore.Point..: 0/1 (0.00%)

Started: Fri Dec 29 11:44:45 2017
Stopped: Fri Dec 29 11:44:48 2017

--//Why is A.b followed by 000000 and only then by 45000000? Check the other cases.
SYS@book> SELECT KGLHDNSP ,kglnaown,dump(kglnaown,16) c20 ,kglnaobj,kglnahsv FROM x$kglob where  kglhdnsd='DBLINK' and KGLHDNSP=69;
  KGLHDNSP KGLNAOWN C20                  KGLNAOBJ                       KGLNAHSV
---------- -------- -------------------- ------------------------------ --------------------------------
        69 b        Typ=1 Len=1: 62      B                              88feaa22ffa6b1db8d2314ba0941360c
        69 b        Typ=1 Len=1: 62      A                              295be635973bc44911d9f76efb5f521b
        69          NULL                 RECO.ORACLE.COM                022bfb39389939832aaa659c3b1dfeba

SYS@book> host echo -e -n 'B.b\0\0\0\x45\0\0\0' |  md5sum |sed 's/  -//' | xxd -r -p | od -t x4 | sed  -n  -e 's/^0000000 //' -e 's/ //gp'
88feaa22ffa6b1db8d2314ba0941360c

--//OK, the guess is right now.

SYS@book> host echo -e -n 'RECO.ORACLE.COM.\0\0\0\0\x45\0\0\0' |  md5sum |sed 's/  -//' | xxd -r -p | od -t x4 | sed  -n  -e 's/^0000000 //' -e 's/ //gp'
022bfb39389939832aaa659c3b1dfeba

--//Also, when I checked other machines, every one seems to have a RECO.ORACLE.COM dblink that a normal query does not show at all. I also created dblinks as the same user a on another machine; the results are:

SYS@orclxx> SELECT KGLHDNSP ,kglnaown,dump(kglnaown,16) c20 ,kglnaobj,kglnahsv FROM x$kglob where  kglhdnsd='DBLINK' and KGLHDNSP=69;

KGLHDNSP KGLNAOWN C20                  KGLNAOBJ                       KGLNAHSV
-------- -------- -------------------- ------------------------------ --------------------------------
      69 d        Typ=1 Len=1: 64      B                              262a01a31e2f3c4dd721aa85b49864b5
      69          NULL                 B                              4be7794722b7dff82d9a726430d0cc1b
      69 d        Typ=1 Len=1: 64      A                              5c35cb76c87322d4c1dcba2539fcfdc0
      69          NULL                 A                              ff10282030f73c72c9c594e2f7a54d64
      69          NULL                 RECO.ORACLE.COM                022bfb39389939832aaa659c3b1dfeba
--//Here KGLNAOWN has become d; I don't know why.

SYS@orclxx> host echo -e -n 'B.d\0\0\0\x45\0\0\0' |  md5sum |sed 's/  -//' | xxd -r -p | od -t x4 | sed  -n  -e 's/^0000000 //' -e 's/ //gp'
262a01a31e2f3c4dd721aa85b49864b5

SYS@orclxx> host echo -e -n 'B.\0\0\0\0\x45\0\0\0' |  md5sum |sed 's/  -//' | xxd -r -p | od -t x4 | sed  -n  -e 's/^0000000 //' -e 's/ //gp'
4be7794722b7dff82d9a726430d0cc1b

SYS@orclxx> host echo -e -n 'A.d\0\0\0\x45\0\0\0' |  md5sum |sed 's/  -//' | xxd -r -p | od -t x4 | sed  -n  -e 's/^0000000 //' -e 's/ //gp'
5c35cb76c87322d4c1dcba2539fcfdc0

SYS@orclxx> host echo -e -n 'A.\0\0\0\0\x45\0\0\0' |  md5sum |sed 's/  -//' | xxd -r -p | od -t x4 | sed  -n  -e 's/^0000000 //' -e 's/ //gp'
ff10282030f73c72c9c594e2f7a54d64

--//All of them match.
--//Cracking is only fast this way; my machine cannot handle the other approaches. The main thing is knowing the format of the hashed string:

$ echo -n A.b | xxd -c 16 -g4 |xargs
0000000: 412e62 A.b

R:\hashcat>hashcat64 --potfile-disable --force -a 3 -m 0 35e65b2949c43b976ef7d9111b525ffb  --hex-charset -1 45  -2 412e62 -3 00 ?2?2?2?b?b?b?1?3?3?3
hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2:         Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped

WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

ATTENTION!
  The wordlist or mask you are using is too small.
  Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
  The cracking speed will drop.
  Workaround:

INFO: approaching final keyspace, workload adjusted

35e65b2949c43b976ef7d9111b525ffb:$HEX[412e6200000045000000]

Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (?2?2?2?b?b?b?1?3?3?3) [10]
Hash.Target....: 35e65b2949c43b976ef7d9111b525ffb
Hash.Type......: MD5
Time.Started...: 0 secs
Speed.Dev.#1...:  1368.0 MH/s (8.82ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 452984832/452984832 (100.00%)
Rejected.......: 0/452984832 (0.00%)

Started: Fri Dec 29 12:04:02 2017
Stopped: Fri Dec 29 12:04:04 2017

--//Verified on other machines as well; all correct.
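The layout worked out above, as an added Python example (not code from the original post): it builds the byte string Oracle hashes for a DBLINK object, renders the MD5 in the byte-swapped form that x$kglob shows in KGLNAHSV, and checks the results against the values listed on the page. The parity-based NUL padding is an assumption that fits the three padded cases shown here; the names DBLINK_NAMESPACE, dblink_hash_input, md5_as_kglnahsv, md5_as_hashcat and dblink_kglnahsv are mine.

```python
import hashlib
import struct

DBLINK_NAMESPACE = 69  # KGLHDNSP of the DBLINK rows in x$kglob on the page


def dblink_hash_input(name: str, owner: str = "", namespace: int = DBLINK_NAMESPACE) -> bytes:
    """Bytes that MD5 is run over for a DBLINK library-cache object.

    Layout recovered on the page: '<name>.<owner>' (the '.' stays even when the
    owner is empty), NUL padding, then the namespace as a little-endian 32-bit
    integer (0x45 = 69). The page shows 3 NULs after 'A.b' and 4 NULs after
    'B.' and 'RECO.ORACLE.COM.'; the parity rule below reproduces exactly those
    cases and is an assumption beyond them.
    """
    key = f"{name}.{owner}".encode("ascii")
    key += b"\0" * (3 if len(key) % 2 else 4)
    return key + struct.pack("<I", namespace)

def md5_as_kglnahsv(data: bytes) -> str:
    """MD5 of data rendered the way x$kglob.KGLNAHSV displays it.

    KGLNAHSV is not the plain MD5 hex string: the 16 digest bytes are shown as
    four little-endian 32-bit words (what 'od -t x4' prints), so every 4-byte
    group appears byte-reversed relative to md5sum/hashcat output.
    """
    digest = hashlib.md5(data).digest()
    return "".join(f"{word:08x}" for word in struct.unpack("<4I", digest))

def md5_as_hashcat(data: bytes) -> str:
    """Plain MD5 hex, the form fed to and reported by hashcat -m 0."""
    return hashlib.md5(data).hexdigest()

def dblink_kglnahsv(name: str, owner: str = "") -> str:
    return md5_as_kglnahsv(dblink_hash_input(name, owner))


if __name__ == "__main__":
    # (name, owner) -> KGLNAHSV, copied from the x$kglob listings on the page.
    page_values = {
        ("A", "b"): "295be635973bc44911d9f76efb5f521b",
        ("B", "b"): "88feaa22ffa6b1db8d2314ba0941360c",
        ("RECO.ORACLE.COM", ""): "022bfb39389939832aaa659c3b1dfeba",
        ("B", "d"): "262a01a31e2f3c4dd721aa85b49864b5",
        ("A", ""): "ff10282030f73c72c9c594e2f7a54d64",
    }
    for (name, owner), expected in page_values.items():
        got = dblink_kglnahsv(name, owner)
        print(f"{name}.{owner:<3} {got} {'ok' if got == expected else 'MISMATCH'}")
```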

Summary:
1. Mainly, unfamiliarity with the hashcat tool wasted a lot of time on the crack. The feature that worked is the dictionary + mask mode.
2. I did not think of the ?b?b?b pattern in the middle.
3. I did not expect the KGLNAOWN column of x$kglob to be something other than the creating owner. I don't know why Oracle does it this way;
   is it to guarantee that every dblink is unique?
4. Last night I kept wondering whether it was worth continuing the crack; I had meant to stop wasting time on it.
5. The V$DB_OBJECT_CACHE type='INDEX' problem, link: http://blog.itpub.net/267265/viewspace-2149479/
6. The biggest gain was not how to crack it but understanding the namespace concept.

From the "ITPUB blog", link: http://blog.itpub.net/267265/viewspace-2149494/. If reposting, please cite the source; otherwise legal liability will be pursued.
