Crack Oracle Database Password

Oracle 11g database : working with THC tool

vonjeek from THC released a cracker for Oracle 11g: http://freeworld.thc.org/thc-orakelcrackert11g/

Documentation

OrakelCrackert-11g is an Oracle 11g database password hash cracker using a weakness in the Oracle password storage strategy. With Oracle 11g, case sensitive SHA1 based hashing is introduced.

Storing passwords in a case sensitive way introduces more possible password combinations, so password cracking takes longer. For example, the number of possible password combinations for a password generated out of the character set "[a-z][A-Z]8#$_", where passwords start with an alpha character, is 52/65 * 65 ^ passlength. For an 8 position password this means 254.915.850.312.500 combinations.

Since Oracle is still storing the DES based password hashes, an attack much faster than brute forcing can be launched for most (not all) passwords.

  • 1 — Get both the Oracle

Online Hash Crack is an online service that attempts to recover your passwords thanks to the power of GPUs:

  • hashes like MD5, NTLM, WordPress
  • WPA dumps (handshakes)
  • Office encrypted files (Word, Excel or PowerPoint)

obtained in a legal way (pentest, audit, lost password...).

I have written an Oracle password cracker in PL/SQL. Why should I do this, you may ask? Well, I wanted to have a password cracker that would be easy and simple to run. It doesn’t necessarily need to be fast and it doesn’t need to replace excellent password crackers such as woraauthbf. What I wanted was to promote the need to check for weak passwords in customer databases but allow the customer to have a safe and easy method to do it that doesn’t involve downloading binaries, Oracle clients, SSL DLLs and more. I wanted it to be as easy as possible for people to at least do a high level check of password strength.

Then there is no excuse to not do it. This method is as simple as running a sqlplus script, no more, no less, no libraries, nothing. Just fire up SQL*Plus and type @cracker-v2.0.sql and it runs and checks passwords. That said there is still value in real password crackers as they are faster and can check more complex and longer passwords. The PL/SQL cracker can get the basics done for you easily and will show where you are on the scale of password weakness. If you can run cracker-v2.0.sql and it doesn’t crack any passwords then you are on the road to success and more importantly you will have started a regime in your company of password cracking. So moving to a tool such as woraauthbf is easier for you to do to check strength to a better level.

All of the sites I audit will (would have) failed using cracker-v2.0.sql so it’s worth running it, period. The speed is still not bad as it does around 13,000 hash attempts per second. I have seen it do 16,000 hashes a second as well. This is not woraauthbf of course, which does 1.2 million hashes a second on my laptop, BUT as I said cracker-v2.0.sql will find the key issues for you as well as woraauthbf.

Of course the other major advantage to PL/SQL is that you can simply read the code and see how it works and also because it runs in the database you can be sure to block any danger by designing the privileges of the user who will run it to be the minimum necessary. This at present is CREATE SESSION, SELECT ON SYS.USER$ and EXECUTE ON DBMS_OBFUSCATION_TOOLKIT.

The cracker works on 9i (r1 and r2), 10g (r1 and r2) and 11gR1. I don’t have 8i to test with but I assume it will work.

The cracker is very simple to run as you can see above. It runs pretty fast, in the sample 11gR1 database I tested with above it’s testing 57 user accounts and also roles that have had passwords assigned. In this case 3 passwords could not be cracked as they had been set to impossible passwords (These are where the password hash is not a valid hash, i.e. they have been set with the undocumented ALTER USER IDENTIFIED BY VALUES command). One further password could not be cracked as it is identified as being externally authenticated or a GLOBAL password (such as those authenticated by OID). Of the rest, in this example only 7 passwords were not cracked. This gives a percentage of 87% of passwords were cracked easily, in other words the passwords had very weak settings. This unfortunately is something I see regularly on real production systems. This emphasises why a simple PL/SQL based tool has value and the fast C based tools should be used later.

OK, so what does the tool do? It first checks which accounts it cannot crack. It then tries to crack user accounts and roles with passwords. The type is identified in the first column, a value of ‘U’ser or ‘R’ole is set. The next column is the username or rolename. The next column is the cracked password or blank if the password was not cracked. If the password hash is an impossible one as described above then the password column has [IMP ]. If the password is GLOBAL or EXTERNAL then the password column shows [GL-EX ] for a GLOBAL password, for instance. Another possible setting for the password column is [HASH ]. This is output for cases where the password hash is a known default BUT we don’t know what the password is. This should still be changed of course.

The columns after the password are as follows. The first column is the method with which the password was cracked. The first check is for ‘DE’fault passwords. The second check is ‘PU’ which means the password is set to the username. The third check is ‘DI’ctionary where the password is set to a dictionary word. The final check is ‘BF’ which means the password was brute forced.

Of course the values for the above conditions, ‘IM’ for Impossible, ‘GE’ for GLOBAL/EXTERNAL and ‘HS’ for hash are also output. Any row that has ‘—‘ means the password was not cracked. The next column seems redundant as it shows ‘—‘ for not cracked or ‘CR’ for cracked passwords but I added this to use awk to pull out the lines more easily. The final column is the account status. The values can be seen in the code, but OP means Open and EL means Expired/Locked for instance.

A few notes: The brute force mode is hard coded to a length of 4 characters at the moment (you can change this of course) as this takes around 35 seconds for a single password for the character set used. You can change the character set to alpha, alpha/num or alpha/num/+specials by changing the length from 26 to 36 to 39 respectively. You can also add bigger character sets.

The driving select in the pre_load function can also be changed to read user_history$ for instance or to check a subset of users or roles by changing the where clause.

The dictionary included is pretty small, you can add your own dictionary words easily. I have added around 2000 in my own copy but have refrained from including them here as I simply cannot find where I got them from.

The code includes a trace/debug interface. To turn on debug if there is a problem, uncomment the debugw calls and turn on the debug at the top of the file. This would only be needed if you find a bug, if you can reproduce you can send me a trace file to be able to fix the issues.

If anyone has requests, ideas for improvement please ask me and I will try and add them. Send an email to Pete Finnigan.
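An added example, not part of the original post and not code from cracker-v2.0.sql: a small Python summariser for the report columns described above (type, name, password, method, cracked flag, status), which lists weak accounts without keeping their passwords. The sample rows are constructed, and the whitespace-separated layout, the `--` rendering of the "not cracked" marker and the `--` flag on `HS` rows are assumptions, since the page does not reproduce the tool's output.

```python
from collections import Counter

# Constructed sample rows, not real cracker output. Assumed layout: type, name,
# password, method, cracked flag, status, whitespace-separated, "--" = not cracked.
SAMPLE_REPORT = """\
U SYS          [IMP ]    IM -- OP
U OIDUSER      [GL-EX ]  GE -- OP
U OUTLN        [HASH ]   HS -- EL
U SCOTT        TIGER     DE CR OP
U APPOWNER     APPOWNER  PU CR OP
U REPORTS      SUMMER    DI CR EL
R BATCH_ROLE   AB1       BF CR OP
U DBA_JANE               -- -- OP
"""

METHODS = {"DE": "default password", "PU": "password equals username",
           "DI": "dictionary word", "BF": "brute forced",
           "HS": "known default hash"}
UNTESTABLE = {"IM", "GE"}  # impossible hash, GLOBAL/EXTERNAL authentication


def parse_line(line):
    """Parse one row. The password column may be blank or contain a space
    ('[IMP ]'), so the last three fields are read from the right and the
    password itself is never kept."""
    parts = line.split()
    if len(parts) < 5 or parts[0] not in ("U", "R"):
        return None  # heading, blank or unrelated line
    method, flag, status = parts[-3:]
    return {"type": parts[0], "name": parts[1], "method": method,
            "cracked": flag == "CR", "status": status}


def summarise(report):
    """Count weak accounts and list them without their passwords."""
    rows = [r for r in map(parse_line, report.splitlines()) if r]
    testable = [r for r in rows if r["method"] not in UNTESTABLE]
    cracked = [r for r in testable if r["cracked"]]
    findings = [(r["type"], r["name"], METHODS[r["method"]], r["status"])
                for r in testable if r["method"] in METHODS]
    percent = round(100 * len(cracked) / len(testable)) if testable else 0
    return {"total": len(rows), "testable": len(testable),
            "cracked": len(cracked), "percent_cracked": percent,
            "by_method": Counter(r["method"] for r in cracked),
            "findings": findings}


if __name__ == "__main__":
    print(summarise(SAMPLE_REPORT))
```

The percentage is taken over accounts that can be tested at all, so impossible and GLOBAL/EXTERNAL entries do not dilute the result.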

Oracle Database stealth password cracking vulnerability

A serious vulnerability exists in the authentication protocol used by some Oracle databases. The flaw enables a remote attacker to brute-force a token provided by the server prior to authentication and determine a user’s password.

Esteban Martinez Fayo, a researcher with AppSec, will demonstrate a proof-of-concept attack tomorrow.

Martinez Fayo and his team first reported the bugs to Oracle in May 2010. Oracle fixed it in mid-2011 via the 11.2.0.3 patch set, issuing a new version of the protocol. "But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable," Martinez Fayo says, and Oracle has no plans to fix the flaws for version 11.1.

Because the vulnerability is in a widely deployed product and is easy to exploit, Fayo said he considers it to be quite dangerous.

