[20171228] Computing the full_hash_value of a db_link.txt
SCOTT@book> @ &r/ver1
PORT_STRING VERSION BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx 11.2.0.4.0 Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
grant dba to a identified by a;
connect a/a
CREATE DATABASE LINK A CONNECT TO A IDENTIFIED BY a USING '192.168.100.78/BOOK';
CREATE DATABASE LINK B CONNECT TO A IDENTIFIED BY a USING '192.168.100.78/BOOK';
A@book> select sysdate from dual@a;
SYSDATE
-------------------
2017-12-28 15:10:34
A@book> select sysdate from dual@b;
SYSDATE
-------------------
2017-12-28 15:10:35
SYS@book> SELECT KGLHDNSP ,kglnaown,dump(kglnaown,16) c20 ,kglnaobj,kglnahsv FROM x$kglob where kglhdnsd='DBLINK' and KGLHDNSP=69;
KGLHDNSP KGLNAOWN C20 KGLNAOBJ KGLNAHSV
---------- -------- -------------------- ------------------------------ --------------------------------
69 Typ=1 Len=1: 1 A 81bba48dfce8b02861466f0dcf04e262
69 b Typ=1 Len=1: 62 B 88feaa22ffa6b1db8d2314ba0941360c
69 NULL A ff10282030f73c72c9c594e2f7a54d64
69 b Typ=1 Len=1: 62 A 295be635973bc44911d9f76efb5f521b
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
69 NULL RECO.ORACLE.COM 022bfb39389939832aaa659c3b1dfeba
--//Strange: KGLNAOWN shows b (lowercase). Pick the underlined row as the crack target.
$ echo 295be635973bc44911d9f76efb5f521b | xxd -r -p | od -t x4
0000000 35e65b29 49c43b97 6ef7d911 1b525ffb
0000020
--//Concatenate 35e65b29 49c43b97 6ef7d911 1b525ffb => 35e65b2949c43b976ef7d9111b525ffb
--//After many attempts it finally cracked. Build the dictionary d.dict:
R:\hashcat>cat d.dict
A.b
R:\hashcat>hashcat64 --force -a 6 -m 0 35e65b2949c43b976ef7d9111b525ffb d.dict --hex-charset -1 00 -2 45 ?b?b?b?2?1?1?1
hashcat (v3.00-1-g67a8d97) starting...
OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped
WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled
Cache-hit dictionary stats d.dict: 5 bytes, 1 words, 16777216 keyspace
ATTENTION!
The wordlist or mask you are using is too small.
Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed
INFO: approaching final keyspace, workload adjusted
35e65b2949c43b976ef7d9111b525ffb:$HEX[412e6200000045000000]
Session.Name...: hashcat
Status.........: Cracked
Input.Left.....: File (d.dict)
Input.Right....: Mask (?b?b?b?2?1?1?1) [7]
Hash.Target....: 35e65b2949c43b976ef7d9111b525ffb
Hash.Type......: MD5
Time.Started...: 0 secs
Speed.Dev.#1...: 39792 H/s (4.03ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 512/16777216 (0.00%)
Rejected.......: 0/512 (0.00%)
Restore.Point..: 0/1 (0.00%)
Started: Fri Dec 29 11:44:45 2017
Stopped: Fri Dec 29 11:44:48 2017
--//After A.b come three 00 bytes and only then 45000000. Why? Verify the other cases.
SYS@book> SELECT KGLHDNSP ,kglnaown,dump(kglnaown,16) c20 ,kglnaobj,kglnahsv FROM x$kglob where kglhdnsd='DBLINK' and KGLHDNSP=69;
KGLHDNSP KGLNAOWN C20 KGLNAOBJ KGLNAHSV
---------- -------- -------------------- ------------------------------ --------------------------------
69 b Typ=1 Len=1: 62 B 88feaa22ffa6b1db8d2314ba0941360c
69 b Typ=1 Len=1: 62 A 295be635973bc44911d9f76efb5f521b
69 NULL RECO.ORACLE.COM 022bfb39389939832aaa659c3b1dfeba
SYS@book> host echo -e -n 'B.b\0\0\0\x45\0\0\0' | md5sum |sed 's/ -//' | xxd -r -p | od -t x4 | sed -n -e 's/^0000000 //' -e 's/ //gp'
88feaa22ffa6b1db8d2314ba0941360c
--//OK, the guess is right now.
SYS@book> host echo -e -n 'RECO.ORACLE.COM.\0\0\0\0\x45\0\0\0' | md5sum |sed 's/ -//' | xxd -r -p | od -t x4 | sed -n -e 's/^0000000 //' -e 's/ //gp'
022bfb39389939832aaa659c3b1dfeba
--//Also, checking other machines, every one seems to have a RECO.ORACLE.COM dblink that ordinary queries never show. I also created dblinks on another machine as the same user a. Results:
SYS@orclxx> SELECT KGLHDNSP ,kglnaown,dump(kglnaown,16) c20 ,kglnaobj,kglnahsv FROM x$kglob where kglhdnsd='DBLINK' and KGLHDNSP=69;
KGLHDNSP KGLNAOWN C20 KGLNAOBJ KGLNAHSV
-------- -------- -------------------- ------------------------------ --------------------------------
69 d Typ=1 Len=1: 64 B 262a01a31e2f3c4dd721aa85b49864b5
69 NULL B 4be7794722b7dff82d9a726430d0cc1b
69 d Typ=1 Len=1: 64 A 5c35cb76c87322d4c1dcba2539fcfdc0
69 NULL A ff10282030f73c72c9c594e2f7a54d64
69 NULL RECO.ORACLE.COM 022bfb39389939832aaa659c3b1dfeba
--//Here KGLNAOWN has become d; I don't know why.
SYS@orclxx> host echo -e -n 'B.d\0\0\0\x45\0\0\0' | md5sum |sed 's/ -//' | xxd -r -p | od -t x4 | sed -n -e 's/^0000000 //' -e 's/ //gp'
262a01a31e2f3c4dd721aa85b49864b5
SYS@orclxx> host echo -e -n 'B.\0\0\0\0\x45\0\0\0' | md5sum |sed 's/ -//' | xxd -r -p | od -t x4 | sed -n -e 's/^0000000 //' -e 's/ //gp'
4be7794722b7dff82d9a726430d0cc1b
SYS@orclxx> host echo -e -n 'A.d\0\0\0\x45\0\0\0' | md5sum |sed 's/ -//' | xxd -r -p | od -t x4 | sed -n -e 's/^0000000 //' -e 's/ //gp'
5c35cb76c87322d4c1dcba2539fcfdc0
SYS@orclxx> host echo -e -n 'A.\0\0\0\0\x45\0\0\0' | md5sum |sed 's/ -//' | xxd -r -p | od -t x4 | sed -n -e 's/^0000000 //' -e 's/ //gp'
ff10282030f73c72c9c594e2f7a54d64
--//All of them match.
--//Only this approach cracks fast enough; my machine can't handle the others. The main thing is knowing the format of the hashed string:
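--//The same computation in Python, as an added example (not from the original post), covering both the kglnahsv-to-raw-MD5 word swap done above with od -t x4 and the echo | md5sum verification commands. The byte layout ('<KGLNAOBJ>.<KGLNAOWN>', NUL padding, then the namespace 69 as a 4-byte little-endian integer) and the number of NUL bytes per case are taken directly from the page's examples; the page states no general padding rule, so pad_nulls is a parameter rather than something derived. Function names are mine.

```python
# Added example (not from the original post): reproduce the page's kglnahsv
# computation for DBLINK objects in Python instead of the echo | md5sum | od pipeline.
import hashlib
import struct

DBLINK_NAMESPACE = 69  # KGLHDNSP of the DBLINK rows in the page's x$kglob query (0x45)


def swap_words(hex_digest: str) -> str:
    """Byte-swap each 4-byte word of a hex string.

    This is what `xxd -r -p | od -t x4` does on a little-endian host, and it is
    the only transformation between the MD5 digest and the kglnahsv column, so
    the same function converts in both directions.
    """
    raw = bytes.fromhex(hex_digest)
    return b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4)).hex()


def hash_input(name_dot_own: str, pad_nulls: int, namespace: int = DBLINK_NAMESPACE) -> bytes:
    """Build the byte string the page feeds to md5sum.

    Layout as observed on the page: '<KGLNAOBJ>.<KGLNAOWN>' (owner part empty
    when KGLNAOWN is NULL), then pad_nulls NUL bytes, then the namespace number
    as a 4-byte little-endian integer. The page gives no rule for pad_nulls:
    it is 3 for 'A.b' / 'B.b' and 4 for 'A.' / 'B.' / 'RECO.ORACLE.COM.'.
    """
    return name_dot_own.encode("ascii") + b"\x00" * pad_nulls + struct.pack("<I", namespace)


def full_hash_value(data: bytes) -> str:
    """kglnahsv as x$kglob shows it: MD5 of the input, word-swapped."""
    return swap_words(hashlib.md5(data).hexdigest())


def crack_target(kglnahsv: str) -> str:
    """Turn a kglnahsv value into the raw MD5 hex that `hashcat -m 0` expects."""
    return swap_words(kglnahsv)


def decode_hashcat_plain(plain: str):
    """Split hashcat's $HEX[...] result back into (name.owner, pad_nulls, namespace)."""
    if not (plain.startswith("$HEX[") and plain.endswith("]")):
        raise ValueError("expected a $HEX[...] plaintext")
    data = bytes.fromhex(plain[5:-1])
    namespace = struct.unpack("<I", data[-4:])[0]
    body = data[:-4]
    name = body.rstrip(b"\x00")
    return name.decode("ascii"), len(body) - len(name), namespace


# (input, pad_nulls) -> kglnahsv, copied from the page's x$kglob output (all KGLHDNSP=69).
PAGE_SAMPLES = {
    ("A.b", 3): "295be635973bc44911d9f76efb5f521b",
    ("B.b", 3): "88feaa22ffa6b1db8d2314ba0941360c",
    ("A.", 4): "ff10282030f73c72c9c594e2f7a54d64",
    ("B.", 4): "4be7794722b7dff82d9a726430d0cc1b",
    ("B.d", 3): "262a01a31e2f3c4dd721aa85b49864b5",
    ("A.d", 3): "5c35cb76c87322d4c1dcba2539fcfdc0",
    ("RECO.ORACLE.COM.", 4): "022bfb39389939832aaa659c3b1dfeba",
}


def verify_page_samples() -> dict:
    """Recompute every sample from the page; returns {(input, pad): matched?}."""
    return {key: full_hash_value(hash_input(*key)) == expected
            for key, expected in PAGE_SAMPLES.items()}


if __name__ == "__main__":
    print(crack_target("295be635973bc44911d9f76efb5f521b"))     # raw MD5 handed to hashcat
    print(decode_hashcat_plain("$HEX[412e6200000045000000]"))  # structure of the cracked input
    for key, ok in verify_page_samples().items():
        print(key, "match" if ok else "MISMATCH")
```

--//Once the layout is known, recomputing the value is a one-line MD5 per object, which is far cheaper than cracking; the x$kglob rows of any other instance can be checked the same way by adding them to PAGE_SAMPLES.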
$ echo -n A.b | xxd -c 16 -g4 |xargs
0000000: 412e62 A.b
R:\hashcat>hashcat64 --potfile-disable --force -a 3 -m 0 35e65b2949c43b976ef7d9111b525ffb --hex-charset -1 45 -2 412e62 -3 00 ?2?2?2?b?b?b?1?3?3?3
hashcat (v3.00-1-g67a8d97) starting...
OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped
WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled
ATTENTION!
The wordlist or mask you are using is too small.
Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed
INFO: approaching final keyspace, workload adjusted
35e65b2949c43b976ef7d9111b525ffb:$HEX[412e6200000045000000]
Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (?2?2?2?b?b?b?1?3?3?3) [10]
Hash.Target....: 35e65b2949c43b976ef7d9111b525ffb
Hash.Type......: MD5
Time.Started...: 0 secs
Speed.Dev.#1...: 1368.0 MH/s (8.82ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 452984832/452984832 (100.00%)
Rejected.......: 0/452984832 (0.00%)
Started: Fri Dec 29 12:04:02 2017
Stopped: Fri Dec 29 12:04:04 2017
--//Verified on other machines as well; all correct.
Summary:
1. Mainly I was unfamiliar with hashcat and wasted a lot of time on the crack. The key was the dictionary + mask approach.
2. I didn't think of the ?b?b?b pattern in the middle.
3. I didn't expect the KGLNAOWN column in x$kglob not to be the owner that created the link. I don't know why Oracle sets it this way; is it to guarantee that every dblink is unique?
4. Last night I kept wondering whether it was worth continuing the crack; I had been thinking of not wasting any more time on it.
5. The V$DB_OBJECT_CACHE type='INDEX' issue, link: http://blog.itpub.net/267265/viewspace-2149479/
6. I feel the biggest gain isn't how to crack it, but understanding the namespace concept.