14 Okt 2007 von Alexander Kornbrust.

From time to time I’m doing research on Russian websites (with Google Translate) because you can find interesting information and tools. Last week I found a small program Oracle scanner called goss a GUI Oracle Scanner.

This tools contains features like getting the SID (similar to sidguess), password guessing, retrieve password hashes from the database, …

The output is displayed in a new window.

Some of the features in this tool where not working properly against my test databases.

Geschrieben in software, Security, Oracle Security, Allgemein | Drucken | Keine Kommentare »

9 Okt 2007 von Alexander Kornbrust.

Today Laszlo released his password cracker woraauthbf for Oracle, the fastest windows tool for cracking Oracle passwords (supports the new and old password hash format plus cracking the authentication attack).

On his webpage Laszlo has a small benchmark comparing the 3 leading password Oracle crackers checkpwd, orabf and woraauthbf. According to Laszlo’s benchmark checkpwd 1.22 is the slowest cracker (but only out of these 3).

I was surprised that checkpwd was so slow comparing to the benchmarks I did on my systems. The reason for this is bad result was the way how Laszlo performed the tests.

Laszlo was testing only 1 password hash. The implementation of reading of the dictionary file is slow that’s why this affects the entire result of checkpwd. In the real world you are normally testing many password hashes and not only 1 hash
That’s why I run a benchmark how long it takes to crack 40 hashes (instead of 1 hash) with the new checkpwd 2.0 which supports reading passwords hashes from a text file (to get rid of the file reading overhead). I run the tests on my 2 GHz Core2Duo.

woraauthbf 0.2 1.103.773 pw/s (Laszlo: 515114 pw/s)

checkpwd 2.0 637.263 pw/s (Laszlo: 193.168 pw/s)

orabf 0.76 400.000 pw/s (Laszlo: 311.994 pw/s)

Checkpwd 2.0 was nearly 2 times faster in this benchmark (just by cracking 40 instead of 1 password (637.263 vs 309.057)).

In checkpwd 2.0 we will focus on intelligent password cracking instead of pure power but we are still interested to improve the speed of checkpwd.
Here some new features of checkpwd 2 (released next week)

* cracking APEX passwords
* support for Oracle 11g
* support for Oracle Password History
* intelligent password collector
* many new options
* …

Geschrieben in 11g, Security, Oracle Security | Drucken | Keine Kommentare »

2 Okt 2007 von Alexander Kornbrust.

The following url contains a cheat sheet for Oracle SQL Injection. Not complete, some statements are a little bit complicated (e.g. SELECT table_name FROM all_tables WHERE TABLESPACE_NAME=’USERS’ or SELECT username, FROM all_users UNION SELECT name, password FROM sys.user$, better: SELECT name, password FROM sys.user$ where type#=1).

Geschrieben in Oracle Security | Drucken | Keine Kommentare »

2 Okt 2007 von Alexander Kornbrust.

Van Hauser from THC told me today that vonjeek/THC from released a password cracker for Oracle 11g on the THC website called OrakelCrackert. OrakelCrackert checks approx. 400.000 passwords/second on my 2 GHz Core2Duo and has a similar speed as checkpwd 2.0 (which will be released next week).

In this blog entry I mentioned that OrakelCrackert comes with the dictionary file from checkpwd. This is not true and I really apologize for this wrong accusation. In the case of OrakelCrackert I was looking for my lastname which is really unusual (not part of a normal dictionary)

But the other sidguessing tools (sidguesser, ora-getsid, coss) took my list of Oracle SIDs. “Taking” such collections without giving credentials is not unusual. The tools for guessing SIDs (e.g. . sidguesser from Cqure or ora-getsid from NGS Software) for example are taking the SID list I composed via Google Hacking, manual editing, …. without mentioning my work.

As a consequence of this wrong accusation of vonJeek I recreated the dictionary file for checkpwd 2.0 and I will document where I took the passwords from. This will become another blog entry.

Geschrieben in Oracle Security | Drucken | 3 Kommentare »

2 Okt 2007 von Alexander Kornbrust.

Yesterday I uploaded an updated version of sidguess for Windows and MacOSX. In this version (1.0.2) the brute force mode for guesssing SIDs is now working properly.

Geschrieben in Oracle Security | Drucken | 2 Kommentare »