Archive for December, 2008

Inguma 0.1.0 (R1) released

Tuesday, December 30th, 2008

Yesterday the new version of Inguma (0.1.0 (R1)), an exploit framework with support for many systems, e.g. Oracle, DB2, Informix, …, was released.

This new version of Inguma comes with a lot of new features. Joxean has added the module liboracleinternals.py. At the moment this script only creates Oracle password files (from version 8 to 11), but in the future we will see more…

Merry Christmas

Wednesday, December 24th, 2008

Dear Reader

I wish you (and your families) a merry Christmas and a happy new year.

Merry Christmas

P.S.: This lovely baby is our daughter Anna. Already 10 months old…

New version of cain with support for 11g passwords

Sunday, December 14th, 2008

Two weeks ago Massimiliano Montoro, aka Mao, released a new version of Cain & Abel.

Here are some of the new features of Cain & Abel v4.9.25:

– Oracle 11g (case sensitive) Password Extractor via ODBC.
– Added Oracle 11g Password Cracker (Dictionary and Brute-Force Attacks).
– Added support for Oracle TNS 11g (AES-192) in Oracle TNS Hashes Password Cracker.
– Added support for Oracle TNS 11g (AES-192) in Oracle TNS sniffer filter.
– Experimental SQL Query tool via ODBC.

Cain Screenshot

The AES implementation of Cain is slower than the implementation of GSAuditor (6,172,839 vs 2,654,719 on a 2.4 GHz C2D E4600), but 2.6 million passwords per second (via brute force) is still quite fast.

Massimiliano also wrote 3 interesting whitepapers about the TNS authentication, based on László Tóth's work. Instead of using oran10.dll/oran11.dll, Mao is using the OpenSSL library:

Oracle 9i TNS 3DES authentication details 
Oracle 10g TNS AES-128 authentication details
Oracle 11g TNS AES-192 authentication details

MD5 Bruteforcer – BarsWF

Monday, December 8th, 2008

Last week at the DOAG conference I published a few numbers about the MD5 cracking speed of BarsWF. Today I found a new record on the web. 3.6 billion (!!!) password hashes per second can be calculated with BarsWF. This configuration was using 4x [eVGA 9800GX2] without overclocking.

Barswf Benchmark

Here are some calculations of how long it takes to break MD5 hashes.

All passwords (lowercase or uppercase, alpha, 26^1+26^2+26^3+…)

  • up to 8 characters => 60 seconds
  • up to 9 characters => 26 minutes
  • up to 10 characters => 11 hours

All passwords (mixed case, alphanum, 62^1+62^2+62^3+…)

  • up to 7 characters => 16 minutes
  • up to 8 characters => 17 hours
  • up to 9 characters => 44 days

Several Oracle products like OID, OVS (Oracle Virtual Server) or Apex (until 2.2) are using plain MD5 for hashing passwords. But even the usage of salt (like Apex 3.0) does not help against this computing power…

Oracle Virtual Server
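The timings above can be reproduced, and turned into a minimum-length figure for a password policy, with a few lines of Python. This is an added example, not code from BarsWF or any tool mentioned here; the function names are illustrative, and the rates are the figures quoted on this page.

```python
# Added example: exhaustive-search time for a keyspace at a given hash rate.
# Rates (hashes per second) are the figures quoted in the posts on this page.
RATES = {
    "MD5, BarsWF on 4x 9800GX2": 3.6e9,
    "Oracle 11g, GSAuditor": 6_172_839,
    "Oracle 11g, Cain & Abel": 2_654_719,
}
YEAR = 365 * 86400  # seconds


def keyspace(alphabet: int, max_len: int) -> int:
    """Number of candidates: alphabet^1 + alphabet^2 + ... + alphabet^max_len."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(alphabet: int, max_len: int, rate: float) -> float:
    """Worst-case time to try every candidate; the average hit comes at about half."""
    return keyspace(alphabet, max_len) / rate


def min_length(alphabet: int, rate: float, target_seconds: float) -> int:
    """Smallest maximum length whose full keyspace takes at least target_seconds."""
    n = 1
    while seconds_to_exhaust(alphabet, n, rate) < target_seconds:
        n += 1
    return n


def humanize(seconds: float) -> str:
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    md5_rate = RATES["MD5, BarsWF on 4x 9800GX2"]
    for alphabet, lengths in ((26, (8, 9, 10)), (62, (7, 8, 9))):
        for n in lengths:
            t = seconds_to_exhaust(alphabet, n, md5_rate)
            print(f"{alphabet} symbols, up to {n} chars: {humanize(t)}")
    # Policy view: length needed so a full search takes at least one year.
    for name, rate in RATES.items():
        print(f"{name}: mixed-case alphanumeric needs >= {min_length(62, rate, YEAR)} chars")
```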

GSAuditor – Fastest Oracle 11g password cracker (AFAIK)

Sunday, December 7th, 2008

Danny boy from evilfingers.com informed me that his tool gsauditor now supports Oracle 11g passwords (+ many other variants of SHA-1). GSAuditor is really fast and with more than 6 million password hashes per second (Core2Quad Q6600 2.4 GHz, Vista 64) it’s currently the fastest Oracle 11g password cracker I know. At the moment GSAuditor does not support multiple threads, but Danny boy is working on it. The number will increase by a factor of 4 (= more than 20 million hashes/second).

GSAuditor - unsuccessful crack GSAuditor - successful crack

To extract the password hashes from Oracle 11g you can use the following SQL query to retrieve the Oracle password hash + salt from the table sys.user$:

SQL> set linesize 120
SQL> select 'gsauditor -binary -set:?d -append -salt:'||substr(u.spare4,43,20)||''||substr(u.spare4,3,40)||' ' from sys.user$ u where u.type#>0 and length(spare4)=62;