[20171227]表的FULL_HASH_VALUE值的計算.txt

[20171227]表的FULL_HASH_VALUE值的計算.txt

--//sql_id的計算是使用MD5演算法進行哈希，生成一個128位的Hash Value，其中低32位作為HASH VALUE顯示，SQL_ID則取了後64位。
--//實際上sql_id使用32進位表示，hash_value使用10進位表示。

--//我在鏈接提到http://blog.itpub.net/267265/viewspace-2142512/內容:
--//如果使用md5sum計算的結果,按照4位一組,大小頭對調.就一致了.

--//實際上表的hash值是如何計算的呢?自己一直想知道oracle如何計算的,前一段時間探究一些crack password工具.做一些簡單的探究.

1.環境:
SCOTT@book> @ &r/ver1

PORT_STRING                    VERSION        BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx            11.2.0.4.0     Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

SCOTT@book> grant dba to a identified by a;
Grant succeeded.

A@book> create table b(c number);
Table created.

A@book> select owner,name,namespace,type,hash_value,full_hash_value from V$DB_OBJECT_CACHE where owner='A' and name='B';
OWNER  NAME NAMESPACE       TYPE   HASH_VALUE FULL_HASH_VALUE
------ ---- --------------- ------ ---------- --------------------------------
A      B    TABLE/PROCEDURE TABLE  3720244077 b6bab9fa1d1610f90401e083ddbe6b6d

--//這樣做的目的很好理解減少破解難度.
--//按照4位一組,大小頭對調.

$ echo b6bab9fa1d1610f90401e083ddbe6b6d |xxd -r -p | od -t x4
0000000 fab9bab6 f910161d 83e00104 6d6bbedd
0000020

--//拼接 fab9bab6f910161d83e001046d6bbedd.我開始想使用john,不知道如何生成破解字典.先放棄,使用hashcat倒是比較靈活先嘗試hashcat.

2.開始嘗試破解:

R:\hashcat>hashcat --help
....
- [ Built-in Charsets ] -

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

--//我實際上以前也猜測開頭應該是owner.table這樣的模式,後面補0.根據這個規則生成破解碼表.
--//這樣規則前面4個字元應該是?u?s?u?b,然後開始不斷嘗試,終於破解:

R:\hashcat>cat hashcat.pot
fab9bab6f910161d83e001046d6bbedd:$HEX[422e4101000000]

--//422e4101000000,想都想不到這個使用7位來計算的.而且oracle計算表的hash值竟然是表的owner在前,表名在後.中間使用點分開.後面補01000000.
--//應該可以猜測到owner都是一樣的,放在後面是有道理的.

R:\hashcat>hashcat64 -a 3 -m 0 fab9bab6f910161d83e001046d6bbedd ?u?s?u?b?b?b?b --force
hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2:         Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped

WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

fab9bab6f910161d83e001046d6bbedd:$HEX[422e4101000000]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (?u?s?u?b?b?b?b) [7]
Hash.Target....: fab9bab6f910161d83e001046d6bbedd
Hash.Type......: MD5
Time.Started...: 0 secs
Speed.Dev.#1...:  1238.5 MH/s (11.94ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 90869760/95812130439168 (0.00%)
Rejected.......: 0/90869760 (0.00%)
Restore.Point..: 0/4294967296 (0.00%)

Started: Wed Dec 27 10:22:40 2017
Stopped: Wed Dec 27 10:22:42 2017

--//反過來驗證scott.dept表是否正確.應該是這樣"DEPT.SCOTT\01\0\0\0".
--//註意01一定要使用\01,開始使用\1測試錯誤.

A@book> select owner,name,namespace,type,hash_value,full_hash_value from V$DB_OBJECT_CACHE where owner='SCOTT' and name='DEPT';
OWNER  NAME                 NAMESPACE       TYPE  HASH_VALUE FULL_HASH_VALUE
------ -------------------- --------------- ----- ---------- --------------------------------
SCOTT  DEPT                 TABLE/PROCEDURE TABLE 2152664343 1383925607dd84fd07c34017804f0d17

$ echo -e -n "DEPT.SCOTT\01\0\0\0" | md5sum |sed 's/  -//' | xxd -r -p | od -t x4
0000000 13839256 07dd84fd 07c34017 804f0d17
0000020

--//拼接起來13839256 07dd84fd 07c34017 804f0d17 變成 1383925607dd84fd07c34017804f0d17!!
--//^_^,正好是前面FULL_HASH_VALUE值對上了.

--//再拿一個最長字元串owner||name測試看看
A@book> select owner,name,namespace,type,hash_value,full_hash_value from V$DB_OBJECT_CACHE where owner||name='APEX_030200WWV_FLOW_CUSTOM_AUTH_SETUPS';
OWNER        NAME                           NAMESPACE       TYPE  HASH_VALUE FULL_HASH_VALUE
------------ ------------------------------ --------------- ----- ---------- --------------------------------
APEX_030200  WWV_FLOW_CUSTOM_AUTH_SETUPS    TABLE/PROCEDURE TABLE 2757059300 ae088e68645bfa46e406e327a45562e4

$ echo -e -n "WWV_FLOW_CUSTOM_AUTH_SETUPS.APEX_030200\01\0\0\0" | md5sum |sed 's/  -//' | xxd -r -p | od -t x4
0000000 ae088e68 645bfa46 e406e327 a45562e4
0000020

--//OK也是正確了.

--//總結:
--//表的FULL_HASH_VALUE計算就是table_name.owner加上"\01\0\0\0".