- 11g (12)
- Allgemein (29)
- David Litchfield (7)
- Exploit (23)
- Forensics (7)
- Oracle Security (105)
- passwords (8)
- Repscan (1)
- Security (22)
- Sentrigo (5)
- software (9)
- source code audit (5)
- SQL Injection (24)
- Tools (24)
- Trainings (3)
- Tutorial (2)
- 18 Nov 2011: DOAG 2011 Presentation "Best of Oracle Security 2011"
- 15 Okt 2011: Oracle Critical Patch Update Pre-Release Announcement - October 2011
- 17 Sep 2011: Disable Auditing and running OS commands using oradebug
- 13 Apr 2011: Blackhat Training "HACKING AND SECURING ORACLE (2 days) "
- 2 Apr 2011: Oracle Database 11.2 Express Edition Beta comes with weak default password
- 23 Mrz 2011: McAfee acquires Sentrigo
- 12 Okt 2010: TDE decrypt utilities and TDE/Password flash demo
- 22 Sep 2010: Marcell published "Writing your own password cracker" presentation
- 21 Sep 2010: Laszlo's presentation "Oracle Post Exploitation Techniques" and Marcel's Sybase ASE Password Cracker
- 10 Sep 2010: Update of "Project Lockdown" released
Oracle Security
SQL Injection
- November 2011
- Oktober 2011
- September 2011
- April 2011
- März 2011
- Oktober 2010
- September 2010
- August 2010
- April 2010
- März 2010
- Februar 2010
- Januar 2010
- Dezember 2009
- November 2009
- Oktober 2009
- September 2009
- August 2009
- Juli 2009
- Mai 2009
- April 2009
- März 2009
- Februar 2009
- Januar 2009
- Dezember 2008
- November 2008
- Oktober 2008
- August 2008
- Juli 2008
- Mai 2008
- April 2008
- März 2008
- Februar 2008
- Januar 2008
- Dezember 2007
- November 2007
- Oktober 2007
- September 2007
- August 2007
- Juli 2007
- Juni 2007
- Mai 2007
THC released the password cracker “OrakelCrackert” for Oracle 11g
Van Hauser from THC told me today that vonjeek/THC from released a password cracker for Oracle 11g on the THC website called OrakelCrackert. OrakelCrackert checks approx. 400.000 passwords/second on my 2 GHz Core2Duo and has a similar speed as checkpwd 2.0 (which will be released next week).
In this blog entry I mentioned that OrakelCrackert comes with the dictionary file from checkpwd. This is not true and I really apologize for this wrong accusation. In the case of OrakelCrackert I was looking for my lastname which is really unusual (not part of a normal dictionary)
But the other sidguessing tools (sidguesser, ora-getsid, coss) took my list of Oracle SIDs. “Taking” such collections without giving credentials is not unusual. The tools for guessing SIDs (e.g. . sidguesser from Cqure or ora-getsid from NGS Software) for example are taking the SID list I composed via Google Hacking, manual editing, …. without mentioning my work.
As a consequence of this wrong accusation of vonJeek I recreated the dictionary file for checkpwd 2.0 and I will document where I took the passwords from. This will become another blog entry.
3 Antworten auf “THC released the password cracker “OrakelCrackert” for Oracle 11g”
Antwort schreiben
Sie müssen als angemeldet sein, um einen Kommentar schreiben zu können.
2 Okt 2007 bei 22:28
Stating that the list is stolen is really easy. To compile a effective password cracking list, using given, famuly and pet names, brands, soccer clubs etc. is common. To harvest words - amongst others - family trees, statistic lists of the most used names are easy targets. Check e.g. and your name is found. Amonst *a lot* of other rarely seen names…
2 Okt 2007 bei 22:30
The link was filters, next try:
http://members.home.nl/jjnaus/TREE.TXT
6 Okt 2007 bei 18:47
Plagarism sucks but became the norm. But remember: there is no higher compliment than being copied.