Archive for October 2nd, 2007

ORACLE SQL Injection Cheat Sheet

Tuesday, October 2nd, 2007

The following URL contains a cheat sheet for Oracle SQL injection. It is not complete, and some statements are a little bit complicated (e.g. SELECT table_name FROM all_tables WHERE TABLESPACE_NAME='USERS' or SELECT username, FROM all_users UNION SELECT name, password FROM sys.user$; better: SELECT name, password FROM sys.user$ where type#=1).

THC released the password cracker "OrakelCrackert" for Oracle 11g

Tuesday, October 2nd, 2007

Van Hauser from THC told me today that vonjeek/THC released a password cracker for Oracle 11g, called OrakelCrackert, on the THC website. OrakelCrackert checks approx. 400,000 passwords/second on my 2 GHz Core2Duo and has a similar speed to checkpwd 2.0 (which will be released next week).

THC Orakelcrackert 1.00

In this blog entry I mentioned that OrakelCrackert comes with the dictionary file from checkpwd. This is not true and I really apologize for this wrong accusation. In the case of OrakelCrackert I was looking for my last name, which is really unusual (not part of a normal dictionary).

But the other SID-guessing tools (sidguesser, ora-getsid, coss) took my list of Oracle SIDs. "Taking" such collections without giving credit is not unusual. The tools for guessing SIDs (e.g. sidguesser from Cqure or ora-getsid from NGS Software), for example, are taking the SID list I composed via Google Hacking, manual editing, … without mentioning my work.

As a consequence of this wrong accusation of vonJeek I recreated the dictionary file for checkpwd 2.0 and I will document where I took the passwords from. This will become another blog entry.

Bugfix for Sidguess for Windows / MacOSX

Tuesday, October 2nd, 2007

Yesterday I uploaded an updated version of sidguess for Windows and MacOSX. In this version (1.0.2) the brute force mode for guessing SIDs is now working properly.