Oracle Password Algorithm 11g – PoC Code

Oracle 11g is using a new password algorithm based on SHA-1 and finally supports case-sensitive passwords. Our partner, Recurity Labs GmbH (formerly known as S*bre Labs GmbH), did an analysis of the algorithm for us. A really great blog entry about their process of research could be found here.

Thorsten Schröder from Recurity Labs GmbH wrote a small python script as a PoC. The updated version of checkpwd 2.0 with support for Oracle 11g will be released on monday. On monday we will also release some performance numbers with a benchmark 10g vs 11g.

—

#!python

# “PoC” Oracle 11g Database password-hash cracker
# This program uses the password hash value “spare4″ from the internal
# oracle user-database and a list of passwords via stdin to calculate a new
# hash value of the plaintext password. The new generated hash value is subsequently
# compared against the hash-value from sys.user, the internal oracle user-database.

# Author: Thorsten Schroeder <ths “theAthing” recurity-labs.com>
# Berlin, 19. Sep. 2007

# TODO:
# cut passwords at length 30

import hashlib
import binascii
import sys

def main():

if( len(sys.argv[1]) != 60 ):
usage()
sys.exit(1)

try:
oraHash = sys.argv[1]
oraSalt = oraHash[40:60]
oraSha1 = oraHash[:40]
oraSha1 = oraSha1.upper()

print “[+] using salt: 0x%s” % oraSalt
print “[+] using hash: 0x%s” % oraSha1

for passwd in sys.stdin:
passwd = passwd.rstrip()
#print “[*] trying password “%s”” % passwd

s = hashlib.sha1()
s.update(passwd)
s.update(binascii.a2b_hex(oraSalt))
if( s.hexdigest().upper() == oraSha1 ):
print “[*] MATCH! -> %s” % passwd
sys.exit(0)

except Exception, e:
print “[!] Error: “, e
usage()
raise

sys.exit(0)

def usage():
print “[+] usage: ./ora11gPWCrack.py <hex-value> < wordlist.txt”
return

if __name__ == ‘__main__’:
main()

Leave a Reply

You must be logged in to post a comment.