6 Dez 2009 von Alexander Kornbrust.

Dennis Yurichev wrote an interesting background article about his FPGA password cracker for Oracle, currently the fastest (known) way to brute force Oracle DES passwords.

Dennis mentioned in the article that “By Oracle’s password standard, first password symbol is always Latin character (one of 26)”. This is not exactely correct if you enclose the password in double quotes. In this case all characters are allowed. I tested the FPGA cracker with the following test case and it seems not to crack the hash (currently still running).

SQL> grant dba to x identified by “1″;

USERNAME                       PASSWORD
—————————— ——————————
X                              4D91C057D0C4D801

If you want to try his FPGA cracker here is the link.
Well done and very interesting article Dennis. The only thing I would be interestedis the price of the FPGA hardware.

Geschrieben in Tools, passwords, Oracle Security | Drucken | Keine Kommentare »

6 Okt 2009 von Alexander Kornbrust.

Yesterday, Dennis Yurichev has published details about his FPGA based Oracle (DES) password cracker. His cracker can check up to 60 Mill. passwords per seconds (for short usernames) in brute force mode.

This is a good opportunity to show the current status of Oracle Password Cracking.
The benchmark numbers on our website are a little bit outdated and I will refresh them soon.

Here a quick summary of the fastest programs in every class (AFAIK, please correct me if you know
faster tools). All tests were performed on my old Core2Quad 2.4 GHz.
New Intel i7 would perform much faster (30-50%) comparing to Core2Quad.

If you look for pure numbers, dictionary based rainbow tables for DES are the fastest solution with approx. 250 Mill password hashes, followed by FPA with 60 Mill pw/sec, followed by brute force with 4 Mill pw/sec.

The SHA1 algorithm is a bad choice from the password cracking perspective because it can be cracked much faster (30 Mill pw/s instead of 4 Mill pw/s) on the same computer.

1. Dictionary Based (* Core2Quad 2.4 GHz)
DES: approx. 3 Mill pw/sec    (Repscan 3.0 and woraauthbf)
SHA1: approx. 19 Mill pw/sec  (Repscan 3.0)

2. Brute Force (* Core2Quad 2.4 GHz)
DES: up to 4 Mill pw/sec       (Repscan 3.0 and woraauthbf)
SHA1: approx. 30 Mill pw/sec   (Repscan 3.0)

3. Rainbow Table (* Core2Quad 2.4 GHz)
DES: n/a                       (Cain)
SHA1: hash salted, not useful

4. Dictionary based Rainbow Tables (* Core2Quad 2.4 GHz)
DES: up to 250 Mill pw/sec     (ophcrack)
SHA1: hash salted, not useful

5. FPGA
DES: up to 60 Mill pw/sec      (Dennis Yurichev)
SHA1: not available

6. GPCPU
DES:  n/a
SHA1: n/a (estimated 175 Mill pw/sec)

Geschrieben in Tools, passwords, Allgemein | Drucken | Keine Kommentare »

14 Dez 2008 von Alexander Kornbrust.

2 weeks ago, Massimiliano Montoro aka Mao, released a new version of Cain & Abel.

Here some of the new features of Cain & Abel v4.9.25:

- Oracle 11g (case sensitive) Password Extractor via ODBC.
- Added Oracle 11g Password Cracker (Dictionary and Brute-Force Attacks).
- Added support for Oracle TNS 11g (AES-192) in Oracle TNS Hashes Password Cracker.
- Added support for Oracle TNS 11g (AES-192) in Oracle TNS sniffer filter.
- Experimental SQL Query tool via ODBC.

The  AES implementation of Cain is slower than the implementation of GSAuditor (6,172,839 vs 2,654,719 on a 2.4 GHz C2D E4600)  but 2.6 Million passwords per second (via brute force) is still quite fast.

Massimilano wrote also 3 interesting whitepapers about the TNS authentication based on László Tóth work. Instead of using the oran10.dll/oran11.dll Mao is using the OpenSSL library:

Oracle 9i TNS 3DES authentication details 
Oracle 10g TNS AES-128 authentication details
Oracle 11g TNS AES-192 authentication details

Geschrieben in passwords, 11g, Oracle Security | Drucken | Keine Kommentare »

7 Dez 2008 von Alexander Kornbrust.

Danny boy from evilfingers.com informed me that his tool gsauditor now supports Oracle 11g passwords (+ many other variants of SHA-1). GSAuditor is really fast and with more than 6 million password hashes per second (Core2Quad Q6600 2.4 GHz, Vista 64) it’s currently the fastest Oracle 11g password cracker I know.  At the moment GSAuditor is not supporting multiple threads but Danny boy is working on it. The number will increase by 4 (=more than 20 mill hashes/second).

To extract the password hashes from Oracle 11g you can use the following SQL query to retrieve the Oracle password hash + salt from the table sys.user$:

SQL> set linesize 120
SQL> select ‘gsauditor -binary -set:?d -append -salt:’||substr(u.spare4,43,20)||”||substr(u.spare4,3,40)||’ ‘ from sys.user$ u where u.type#>0 and length(spare4) =62;

Geschrieben in Tools, passwords, Oracle Security | Drucken | 1 Kommentar »

8 Mai 2008 von Alexander Kornbrust.

2 weeks ago Oracle released the instant client 10.2.0.4 for Mac OS Intel. Yesterday I had the time to recompile checkpwd (checkpwd for other platforms) with the new instant client. The compilation worked flawless.

The performance of checkpwd with the native Oracle Mac client is 50% faster than the previous version for PPC.

Here are the links:

• Checkpwd 1.23  [Mac - Intel - native] - 37 MB - with Oracle instant client
• Checkpwd 1.23  [Mac - Intel - native] - 68 KB - without Oracle instant client
• Checkpwd 1.23  [Mac - Intel - native] - 68 KB - Passwords are not displayed

And here sidguess recompiled for Mac - Intel:

•  Sidguess 1.02  [Mac - Intel - native] - 16 KB -without Oracle instant client

Geschrieben in passwords, checkpwd, Security, Oracle Security | Drucken | Keine Kommentare »

27 Dez 2007 von Alexander Kornbrust.

The russian software company Elcom released a new version (2.10.137) of their distributed password cracker.

I did a small performance check (700,000 pw/s on a 2,16 MHz Core2Duo in BF mode) and updated the password cracker comparision chart.

Woraauthbf (1,480,000 pw/s), orabf (1,110,000 pw/s) and JtR (780,000) in dictionary mode are faster (on my computer) and free.

I was interested to see the performance improvements by using the Geforce graphic card for cracking Oracle passwords but according to the documentation the Geforce 8800 series is only supported for Windows LM/NTLM hashes.

Only bruteforce password cracking for Oracle is supported but I couldn’t find anything in the online help. That’s why I had to play a little bit.EDPR expects the hashes in a file with the extension .orc and username:hash

—– elcom.orc —–
ALEX:5BA465109942B4DE
—– elcom.orc —–

The password cracking itself was simple and I like the possibility to crack passwords in distributed mode on multiple PCs. EDPR is a commercial software and the price starts at 500 USD for up to 20 clients.

I found also a small bug. EDPR is also checking for ” (double-quotes) in passwords. This is not possible in Oracle (afaik, correct me if I’m wrong).

Geschrieben in passwords, Oracle Security | Drucken | Keine Kommentare »

23 Okt 2007 von Alexander Kornbrust.

I just uploaded checkpwd 2.00 A12. This first version of checkpwd  2.0 comes with a lot of new features making it the smartest and most convenient Oracle password checker around… (and it’s free).

2 weeks ago Laszlo released his password cracker woraauthbf becoming the fastest password cracker for Oracle (but not the smartest). Woraauthbf is working in offline mode only and does not use information from the database.

Checkpwd is connecting to the database (offline is possible too) and uses passwords and potential password candidates from the database for cracking Oracle passwords. This approach is often more successful than the normal dictionary based approach (see password of MGMT_VIEW in screenshot). Due to this technique checkpwd finds more passwords than woraauthbf and that’s the main goal of a password checking tool. Speed is not everything…

Another interesting but dangerous feature writes the found passwords into a file called foundpw.txt. The content of this file is used the next time, making the passwords dictionary more and more powerful. This feature is useful for cloned databases which are normal in company environments. Be careful with this file…

Here are some of the new features of checkpwd:

* support for Oracle 11g passwords
* support for APEX passwords (1.4-3.0.1)
* collect passwords from the database
* collect password candidates from the database
* option not to display the oracle password in command line
* crack passwords from the password history
* crack role passwords
* save checkpwd default configuration in a configuration file
* read username and password hashes from a file
* …

Feature-Requests and comments are welcome.

Geschrieben in passwords, checkpwd, Oracle Security | Drucken | 1 Kommentar »