Oracle password cracking for Database Administrators

Source: Internet
Author: User

This article is about Oracle password cracking for database administrators, and the implication is that Oracle administrators should keep things related to user names and passwords ...... Cracking and security have always been at odds.

For those who are very concerned about the security of Oracle relational database systems, especially anything involving Oracle's password mechanisms or algorithms, older versions of Oracle (10g and earlier in particular) have always been regarded as easy targets for hackers. It can seem that you will never find a way to protect your system from attack. You can harden your system in many ways, but some things can never be avoided. For example, there will always be people who need access to sensitive data, and most client connections involve transmitting data over the network.

Sometimes the database administrator has to use a "hacker" password cracking technique to solve a problem. You may ask: why would a database administrator, who holds all the keys to the database, need to act like a hacker? Because being able to access all the data does not mean being able to view all of it. In particular, being able to view a password's hash value does not mean being able to view the password itself.

Why would the database administrator want to see the actual password value? More specifically, why would the administrator want to know the plaintext of a specific password? As you can imagine, this need does arise in many situations. Common reasons include old application products, high staff turnover, and poor password management and record keeping. Changing the SYS and SYSTEM passwords is usually not a big problem, but what if it is the OLD_APP password?

Search the Internet for "Oracle password cracking tools" and you will find many "goodies", including home-made software that resembles hacker programs. This article uses Laszlo Toth's woraauthbf tool, which meets the needs of this article. To use woraauthbf against older versions of Oracle, create a text file that contains the user name, password hash value, SID, and server name. Only the user name and password hash need to be real. If you have studied how Oracle creates hash values, you will know that the user name and password are closely tied together in the hash, and that the SID and server name play no part in creating it. Other "cracking" programs rely on network information, such as client and server IP addresses, ports, and third-party "sniffer" tools, to view the data transmitted between the client and the server.

Let's go straight to an example. Copy the output of the following query into a text file to create the password file mentioned above.

    select username||':'||password||':'||name||':'||host_name||':' from sys.dba_users, sys.V_$DATABASE, sys.v_$instance;

As a reminder, name and host_name above can be any values you like, or you can use the real ones. The output text file in this example looks like this:

    SCOTT:DE59105EDBF4A687:ORCL:MYPC:

We know that the password of the Oracle test user Scott is tiger; here it is tigers (the final result is TIGERS, since Oracle is case-insensitive), going from 5 to 6 characters. Unzip the downloaded woraauthbf archive, open a command prompt (DOS) window, and run the tool from there. Save the password file as "password_file.txt". Enter the following command line:

    woraauthbf.exe -p c:\password_file.txt

All other parameters are left at their defaults. After the run completes, the output is as follows:

    C:\[my path]>woraauthbf.exe -p c:\password_file.txt
    Usernames will be permuted!
    The number of processors: 2
    Number of pwds to check: 321272406
    Number of pwds to check by thread: 160636203
    Password file: c:\password_file.txt, charset: alpha, maximum length: 6, type: hash
    Start: 0 End: 160636203
    Start array thread with 489 number of passwords!
    Start: 160636203 End: 321272406
    Writing session files...
    Writing session files...
    Password found: SCOTT:TIGERS:ORCL:MYPC
    Elpased time: 164s
    Checked passwords: 153976754
    Password / Second: 938882

The program calculated about 0.3 billion passwords to check and used two processors to cut the workload in half, with the default character set alpha (A-Z). It took 164 seconds to confirm that Scott's password is TIGERS, at 938,882 passwords checked per second. We were lucky to hit the password after checking almost half of the candidates.

Setting aside physical limits (such as the number of CPUs and processor speed), two key factors determine the running time: password length and character set. If you know the password length and character set (letters only; letters and numbers; or letters, numbers, and special characters), you can greatly reduce the number of passwords to check. Narrowing the search scope at the start can significantly reduce the running time.

For comparison, we changed the character set to alphanum and left Scott's password unchanged. It took more than six minutes to find Scott's password. When another user's password information was added to the same password file, with the password assumed to be 6 characters long and made up of letters and digits, the entire run took more than 29 minutes (for privacy reasons, the name and password of the second user shown below have been edited).

    woraauthbf.exe -p c:\password_file.txt -m 6 -c alphanum
    Usernames will be permuted!
    The number of processors: 2
    Number of pwds to check: 2238976116
    Number of pwds to check by thread: 1119488058
    Password file: c:\password_file.txt, charset: alphanum, maximum length: 6, type: hash
    Start: 0 End: 1119488058
    Start: 1119488058 End: 2238976116
    Start array thread with 490 number of passwords!
    Writing session files...
    Writing session files...
    Writing session files...
    Writing session files...
    Writing session files...
    Writing session files...
    Password found: SCOTT:TIGERS:ORCL:MYPC
    Writing session files...
    Writing session files...
    Writing session files...
    ...
    Writing session files...
    Writing session files...
    Password found: SOMENAMES:X1M72Y:ORCL:MYPC
    Elpased time: 2152s
    Checked passwords: 1917149967
    Password / Second: 890868
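The candidate counts in the two runs above follow directly from character-set size and maximum length. The following added example (not part of the original article or of woraauthbf) reproduces them and turns the same arithmetic into a password-length floor; the function names and the even split across threads are assumptions made for illustration.

```python
"""Added example: reproduce the candidate counts and estimate search time."""
import math


def keyspace(charset_size, max_len):
    """Number of candidates of length 1..max_len over the character set."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def thread_ranges(total, threads):
    """Split [0, total) into contiguous ranges; the last one takes any remainder."""
    step = total // threads
    bounds = [i * step for i in range(threads)] + [total]
    return list(zip(bounds[:-1], bounds[1:]))


def worst_case_seconds(charset_size, max_len, rate_per_sec):
    """Time to try every candidate at the given rate, rounded up."""
    return math.ceil(keyspace(charset_size, max_len) / rate_per_sec)


def min_length_for(charset_size, rate_per_sec, target_seconds):
    """Smallest maximum length whose full search takes longer than target_seconds."""
    n = 1
    while keyspace(charset_size, n) / rate_per_sec <= target_seconds:
        n += 1
    return n


if __name__ == "__main__":
    year = 365 * 86400
    # 26 = alpha (A-Z), 36 = alphanum; rates are the ones printed in the two runs.
    for name, size, rate in (("alpha", 26, 938882), ("alphanum", 36, 890868)):
        print(name, keyspace(size, 6), thread_ranges(keyspace(size, 6), 2),
              worst_case_seconds(size, 6, rate), "s worst case;",
              "length for > 1 year:", min_length_for(size, rate, year))
```

The rates are those measured on the article's two-processor machine; substitute the rate of the hardware you need to defend against.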

The second entry in the password file above comes from an 8i database system, and Scott's hash value comes from a 10g version. The message of this article is very clear: protect anything that exposes user names and their password hash values, and do not let others access it easily, especially the SYS.USER$ table (do not rely on the DBA_USERS view).

The plaintext of the second user's password was found in a reasonable time. Sometimes it may take several hours (or even days) to find a password, but that is still far less than the cost of changing a forgotten password for those who hate downtime.
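To act on the advice about SYS.USER$ and DBA_USERS, an administrator needs to know who can read them, including through nested roles. The following added example (not from the original article) resolves that over constructed rows shaped like exports of DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS; every grantee name except the built-in SELECT_CATALOG_ROLE is hypothetical, and it assumes SELECT ANY DICTIONARY exposes both objects, as on the older releases discussed here.

```python
"""Added example: who can effectively read Oracle password-hash sources?"""
# Objects the article names as exposing user names with password hashes.
HASH_SOURCES = {("SYS", "USER$"), ("SYS", "DBA_USERS")}
# Assumption: on the older releases discussed, this system privilege lets the
# grantee query SYS-owned dictionary objects, including the two above.
BROAD_SYS_PRIVS = {"SELECT ANY DICTIONARY"}

# Constructed sample rows (grantee names are hypothetical).
TAB_PRIVS = [("SELECT_CATALOG_ROLE", "SYS", "DBA_USERS", "SELECT"),
             ("OLD_APP", "SYS", "USER$", "SELECT"),
             ("REPORTING", "HR", "EMPLOYEES", "SELECT")]
SYS_PRIVS = [("MONITOR_ROLE", "SELECT ANY DICTIONARY"),
             ("REPORTING", "CREATE SESSION")]
ROLE_PRIVS = [("HELPDESK_ROLE", "SELECT_CATALOG_ROLE"),
              ("ALICE", "HELPDESK_ROLE"),
              ("BOB", "MONITOR_ROLE"),
              ("CAROL", "REPORTING_ROLE")]


def direct_holders(tab_privs, sys_privs):
    """Map each grantee with a direct grant to the reason it is exposed."""
    reasons = {}
    for grantee, owner, table, priv in tab_privs:
        if (owner, table) in HASH_SOURCES and priv == "SELECT":
            reasons[grantee] = f"SELECT on {owner}.{table}"
    for grantee, priv in sys_privs:
        if priv in BROAD_SYS_PRIVS:
            reasons.setdefault(grantee, priv)
    return reasons


def effective_readers(tab_privs, sys_privs, role_privs):
    """Propagate exposure down role grants until no new grantee is found."""
    exposed = direct_holders(tab_privs, sys_privs)
    changed = True
    while changed:
        changed = False
        for grantee, role in role_privs:
            if role in exposed and grantee not in exposed:
                exposed[grantee] = f"via {role}: {exposed[role]}"
                changed = True
    return exposed


if __name__ == "__main__":
    for who, why in sorted(effective_readers(TAB_PRIVS, SYS_PRIVS, ROLE_PRIVS).items()):
        print(f"{who:22} {why}")
```

Every grantee it reports can obtain the user name and hash pairs that the tool above takes as input, so each one should have a documented reason for that access.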
