30 Dez 2008 von Alexander Kornbrust.

Yesterday the new version of Inguma (0.1.0 (R1), an exploit framework with support for many systems e.g. Oracle, DB2, Informix,… , was released.

This new version of Inguma comes with a lot of new features. Joxean has added the module liboracleinternals.py. At the moment this script is only creating oracle password files (from version 8 to 11) but in future we will see more…

Geschrieben in Oracle Security | Drucken | Keine Kommentare »

24 Dez 2008 von Alexander Kornbrust.

 Dear ReaderI wish you (and your families) a merry Christmas and a happy new year.P.S.: This lovely baby is our daughter Anna. Already 10 months old…

Geschrieben in Allgemein | Drucken | Keine Kommentare »

14 Dez 2008 von Alexander Kornbrust.

2 weeks ago, Massimiliano Montoro aka Mao, released a new version of Cain & Abel.

Here some of the new features of Cain & Abel v4.9.25:

- Oracle 11g (case sensitive) Password Extractor via ODBC.
- Added Oracle 11g Password Cracker (Dictionary and Brute-Force Attacks).
- Added support for Oracle TNS 11g (AES-192) in Oracle TNS Hashes Password Cracker.
- Added support for Oracle TNS 11g (AES-192) in Oracle TNS sniffer filter.
- Experimental SQL Query tool via ODBC.

The  AES implementation of Cain is slower than the implementation of GSAuditor (6,172,839 vs 2,654,719 on a 2.4 GHz C2D E4600)  but 2.6 Million passwords per second (via brute force) is still quite fast.

Massimilano wrote also 3 interesting whitepapers about the TNS authentication based on László Tóth work. Instead of using the oran10.dll/oran11.dll Mao is using the OpenSSL library:

Oracle 9i TNS 3DES authentication details 
Oracle 10g TNS AES-128 authentication details
Oracle 11g TNS AES-192 authentication details

Geschrieben in passwords, 11g, Oracle Security | Drucken | Keine Kommentare »

8 Dez 2008 von Alexander Kornbrust.

Last week at the DOAG conference I published a few numbers about the MD5 cracking speed of BarsWF.  Today I found a new record on the web. 3.6 billion (!!!) password hashes per second can calculated with BarsWF. This configuration was using 4x [eVGA 9800GX2] without  overclocking.Here are some calculations how long it takes to break MD5 hashes.All passwords (lowercase or uppercase, alpha, 26^1+26^2+26^3+…)

• up to 8 characters => 60 seconds
• up to 9 characters => 26 minutes
• up to 10 characters => 11 hours

All passwords (mixed case, alphanum, 62^1+62^2+62^3+…)

• up to 7 characters => 16 minutes
• up to 8 characters => 17 hours
• up to 9 characters =>44 days

Several Oracle products like OID, OVS (Oracle Virtual Server) or Apex (until 2.2.) are using plain MD5 for hashing passwords. But even the usage of salt (like Apex 3.0) does not help against this computing power….

Geschrieben in Oracle Security | Drucken | 3 Kommentare »

7 Dez 2008 von Alexander Kornbrust.

Danny boy from evilfingers.com informed me that his tool gsauditor now supports Oracle 11g passwords (+ many other variants of SHA-1). GSAuditor is really fast and with more than 6 million password hashes per second (Core2Quad Q6600 2.4 GHz, Vista 64) it’s currently the fastest Oracle 11g password cracker I know.  At the moment GSAuditor is not supporting multiple threads but Danny boy is working on it. The number will increase by 4 (=more than 20 mill hashes/second).

To extract the password hashes from Oracle 11g you can use the following SQL query to retrieve the Oracle password hash + salt from the table sys.user$:

SQL> set linesize 120
SQL> select ‘gsauditor -binary -set:?d -append -salt:’||substr(u.spare4,43,20)||”||substr(u.spare4,3,40)||’ ‘ from sys.user$ u where u.type#>0 and length(spare4) =62;

Geschrieben in Tools, passwords, Oracle Security | Drucken | 1 Kommentar »