password cracking – Stuck with salted hashes and can’t go any further (via SQLMAP and Sql Injection)

Long story short, I scanned a website and found an sql injection bug. (Did it several times and that was the only thing I could find).

So I used sqlmap to retrieve databases, tables, and columns. This website is using Oracle database. (Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 – 64bit Production)

Now here is the problem, I don’t have enough privilege to access SYS, and on the other side all the passwords are hashed in that database.
I created an account using password ‘password’ and this is what I got:

3A67FDA4FF2DEAA60898A60DDE0114FF

I changed my password to something gibberish and changed it back to ‘password’ and the hash changed so it’s definitely salted as well.

So now I’m stuck with bunch of hashed passwords and don’t really know what to do. Any ideas?

— Just to clarify one more time, the database is Oracle, the only bug I could find was SQL INJECTION, oh and almost forgot to mention that the backend is ASP.NET if it helps(?). Also the current user is not sys. I don’t have enough privilege to access sys db.

hashing – How to create verifiable unique hashes to include in any text?

There isn’t really something out there to do this, so it will come down to creating something yourself.

You need to create a webscript accessible by everyone to verify your post and part of that script has an encryption routine that only works if you enter the correct password.

Your encryption routine creates a hash using a secret method. This could be using SHA256 etc, but does something to the hash so that it is not too large, otherwise a long post would also create an equally long or longer hash, and you don’t want that.

Once done, your script outputs what you would put in your post. The user then copies the entire post + hash into your script, presses verify and then knows if the hash matches the content of the post.

Note, if the user doesn’t copy everything, for example, they miss a ., they would get a mismatch and may think the post is not valid, so it requires lots of testing.

That said, I don’t think many people would even go through the trouble to verify your posts and would only be done in a dispute. So I’m not sure its actually worth the trouble. But if you want to, this is the way to go.

authentication – Number of biometric samples required to form an exhaustive set of fingerprint hashes?

I am going for possibly feasible, or definitely infeasible. If ten samples might be enough we have an answer. If less than a million will never be enough then we have an answer.

Put this down as definitely infeasible, then (at least unless you come up with a very accurate, extremely lossy, very clever mathematical “flattening” of the fingerprint scans.)


Fingerprint scanning is an analog process: it’s essentially a (potentially very poor quality) photograph; according to some website, these may reasonably be as low as 96×96 pixels.

If we take the coarse assumptions that each of these pixels can be reduced to a bit depth of around 3 (that is, around 8 possible brightness levels), that 95% of a 96×96px scan’s pixels are fixed by a finger (or fix-able by your mathematical analysis), and that the finger will only move up to ±10px in each of the X and Z axes, that gives you approximately too many possible images that a given fingerprint might produce.


If you want to find a way to hash “fingerprints”, you will have to find a serious analytic reduction of them based on pivotal attributes, and go about hashing that mathematical characterization of each instead.

beginner – Generating millions of hashes sha256 and random String in Java

I would like to generate Millions of Random String and Hashes in Java fast as possible. For the moment, @Turing85 gave me a pretty good code who was pretty fast only 5 sec for 50M of random String but the next problem to which I am confronted is the slowness when I hash my passwords in my String. The only problem is that the hash must match the generated password.

For the moment I got this code for sha256 and the random String into a file.

import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.text.DecimalFormat;
import java.text.DecimalFormatSymbols;
import java.util.Random;
import java.util.concurrent.TimeUnit;

class Scratch {

    private final static String policy = "azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN1234567890";
    private final static Random random = new Random();

    private static final int MIN = '!';
    private static final int MAX = '~';
    private static final Random RANDOM = new Random();

    public static void main(final String... args) throws IOException, NoSuchAlgorithmException {
        final Path passwordFile = Path.of("passwords.txt");
        final Path hashFile = Path.of("hash.txt");
        if (!Files.exists(passwordFile)) {
            Files.createFile(passwordFile);
        }
        if (!Files.exists(hashFile)) {
            Files.createFile(hashFile);
        }
        final DecimalFormat df = new DecimalFormat();
        final DecimalFormatSymbols ds = df.getDecimalFormatSymbols();
        ds.setGroupingSeparator('_');
        df.setDecimalFormatSymbols(ds);
        final int numberOfPasswordsToGenerate = 50_000_000;
        final int chunkSize = 500_000;
        int passwordLength;
        final int min = 'A';
        final int max = 'Z';
        int generated = 0;
        int chunk = 0;

        final long start = System.nanoTime();
        while (generated < numberOfPasswordsToGenerate) {
            final StringBuilder passwords = new StringBuilder();
            final StringBuilder hashes = new StringBuilder();
            for (int index = chunk * chunkSize; index < (chunk + 1) * chunkSize && index < numberOfPasswordsToGenerate;
                    ++index) {
                final StringBuilder password = new StringBuilder();
                final StringBuilder hash = new StringBuilder();

                passwordLength = random.nextInt(9 - 6) + 6;
                for (int character = 0; character < passwordLength; ++character) {
                    //password.append(policy.charAt(random.nextInt(policy.length())));
                    password.append(fetchRandomLetterFromAlphabet());
                }
                passwords.append(password.toString()).append(System.lineSeparator());

                hash.append(toHexString(getSHA(password.toString())));
                hashes.append(hash.toString()).append(System.lineSeparator());

                ++generated;
                if (generated % 500_000 == 0) {
                    System.out.printf(
                            "%s / %s%n",
                            df.format(generated),
                            df.format(numberOfPasswordsToGenerate));
                }
            }
            ++chunk;
            Files.writeString(passwordFile, passwords.toString(), StandardOpenOption.WRITE);
            Files.writeString(hashFile, hashes.toString(), StandardOpenOption.WRITE);
        }
        final long consumed = System.nanoTime() - start;
        System.out.printf("Done. Took %d seconds%n", TimeUnit.NANOSECONDS.toSeconds(consumed));
        //System.out.printf("Done. Took %d seconds%n", TimeUnit.NANOSECONDS.toNanos(consumed)/*.toSeconds(consumed)*/);
    }

    private static char fetchRandomLetterFromAlphabet() {
        return (char) (RANDOM.nextInt(MAX - MIN + 1) + MIN);
    }

    public static byte() getSHA(String input) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return md.digest(input.getBytes(StandardCharsets.UTF_8));
    }

    public static String toHexString(byte() hash) {
        BigInteger number = new BigInteger(1, hash);
        StringBuilder hexString = new StringBuilder(number.toString(16));
        while (hexString.length() < 32) {
            hexString.insert(0, '0');
        }
        return hexString.toString();
    }
}

btw if you didn’t understand the problematic, I would like to increase speed of the sha256 algorithm to make it more efficient

Thanks 🙂

How to convert an array of hashes to a human readable srting in Ruby

I have the following output:

=> [{"name"=>"Content-Security-Policy", "value"=>"block-all-mixed-content", "decreasesSecurity"=>false, "increasesSecurity"=>true},
 {"name"=>"Strict-Transport-Security", "value"=>"max-age=31536000", "decreasesSecurity"=>false, "increasesSecurity"=>true},
 {"name"=>"X-Content-Type-Options", "value"=>"nosniff", "decreasesSecurity"=>false, "increasesSecurity"=>true},
 {"name"=>"X-Frame-Options", "value"=>"DENY", "decreasesSecurity"=>false, "increasesSecurity"=>true},
 {"name"=>"Content-Length", "value"=>"258", "decreasesSecurity"=>false, "increasesSecurity"=>false},
 {"name"=>"Retry-Count", "value"=>"0", "decreasesSecurity"=>false, "increasesSecurity"=>false},
 {"name"=>"Date", "value"=>"Sun, 28 Mar 2021 17:10:37 GMT", "decreasesSecurity"=>false, "increasesSecurity"=>false},
 {"name"=>"Content-Type", "value"=>"text/html", "decreasesSecurity"=>false, "increasesSecurity"=>false},
 {"name"=>"X-Xss-Protection", "value"=>"1", "decreasesSecurity"=>false, "increasesSecurity"=>true}]

These are headers from an HTTP response, and I just want to convert it into a “human readable” format, such as:

Content-Security-Policy: block-all-mixed-content
Strict-Transport-Security: max-age=xxxx

installation – Sources disagree on hashes for supposely identical version when trying to install CUDA 11.2 toolkit

I am new to GPU computing and I am trying to install CUDA on my linux 20.04 focal with kernel 5.4.0 workstation that is equipped with NVIDIA quadro p4000 GPU.

I have followed the instructions in this link:

https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#post-installation-actions

and when I did step 3.8 (sudo apt-get install cuda) I get this message:

Sources disagree on hashes for supposely identical version ‘11.2.2-1’ of ‘cuda-command-line-tools-11-2:amd64’
and when I tried nvcc –version after the installation finished with the above message and a few other similar messages I got nothing which means it didn’t install.

Actually I am trying to do the installation on a remote machine so I was not able to do any restarts during the installation if that is actually needed, because I don’t have access to the physical machine.

can you please help me figure out what is going wrong with my installation?

encryption – Having a list of hashes for the same password compromise the security of the password?

An attacker want’s access to a specific account, he doesn’t know the password.

  • It’s a high entropy password. +128bits
  • The attacker has the hash for the password (Assuming OWASP suggested bcrypt with cost 12)
  • The attacker has a list with n hashes that HE KNOWS are hashes for the same password he is looking for. (He magically knows, just bear with me)

Does the list of hashes makes it easier for the attacker to gain access to the password? (Either by guessing the password of finding a collision) Or is the difficulty the same as if he had a single hash?


I’m aware it’s an unlikely scenario, I’m just trying to understand more about the risks of exposed hashes.

I have very little understanding of InfoSec and hash functions, but it seems to me that the hash list makes no difference for trying to crack the password, but it could improve the chances for the attacker to find a collision. If my assumption is correct, how large would the list have to be, for it to become a realistic problem? (Ballpark estimates are fine)

Is it OK to hash sensitive data, given hashes provide no confidentiality?

  1. Confidentiality is the property of a message whereby no one but the person who knows a secret (let’s calle it K) can read the message.
  2. Hashes do not provide confidentiality (data is destroyed, you can’t recover it)

Following these definitions, is it OK to hash sensitive data (eg: passwords) and store it in a database? I already know using SHA256 (or any other non-specialised hash) is dangerous, because brute forcing is relatively easy. Let’s say we are using Argon2.

The question now becomes: is it OK to assume the hashed data remains private when using the correct hashing algorithm? If so, what’s the name of the property that provides this safety? Is it non-reversibility? SHA256 also provides non-reversibility, but is easy to bruteforce. Is there a name for this property?

hash – Why does firebase encrypt with password hashes instead of storing the hashes?

I am trying to migrate off of firebase, as in doing so, you can export the hashes of user passwords. Looking at their algorithm, they do not store password hashes, but rather, they use the first 32-characters of a password hash to encrypt a secret key, and store that instead.

I was mostly wondering, why would they be doing this? Standard practice seems to be to hash with salts, store the result, but they also do this encryption step. Is there any benefit here?

For reference, here is some python code roughly showing the algorithm:

intermediary = hashlib.scrypt(password, salt=salt + salt_seperator, n=2**14, r=8, p=1)
signing_key = base64.b64decode(PASSWORD_V2_SIGNING_KEY) # provided by firebase
# encrypt signing_key with the password hash
cipher = AES.new(intermediary(:32), AES.MODE_CTR, initial_value=b'x00' * 16, nonce=b'')
result = cipher.encrypt(signing_key)
hash_to_store = base64.b64decode(result)