15 Apr 2010 von Alexander Kornbrust.

Dennis Yurichev has released a new password cracker (brute-force) called ops_sse2 for Oracle DES passwords.  This password cracker is the fastest brute force cracker for Oracle DES passwords and approx. 3 times faster than woraauthbf from Laszlo Toth.

Here a quick comparision on my Quad2Core (2.4 GHz):

Password length (8 character) (only characters) can be cracked  in approx 3 hours. For numbers and characters it takes approx. 2.5 days for a single password.

Impressive work…

Geschrieben in Tools, passwords, Oracle Security | Drucken | Keine Kommentare »

6 Dez 2009 von Alexander Kornbrust.

Dennis Yurichev wrote an interesting background article about his FPGA password cracker for Oracle, currently the fastest (known) way to brute force Oracle DES passwords.

Dennis mentioned in the article that “By Oracle’s password standard, first password symbol is always Latin character (one of 26)”. This is not exactely correct if you enclose the password in double quotes. In this case all characters are allowed. I tested the FPGA cracker with the following test case and it seems not to crack the hash (currently still running).

SQL> grant dba to x identified by “1″;

USERNAME                       PASSWORD
—————————— ——————————
X                              4D91C057D0C4D801

If you want to try his FPGA cracker here is the link.
Well done and very interesting article Dennis. The only thing I would be interestedis the price of the FPGA hardware.

Geschrieben in Tools, passwords, Oracle Security | Drucken | Keine Kommentare »

6 Okt 2009 von Alexander Kornbrust.

Yesterday, Dennis Yurichev has published details about his FPGA based Oracle (DES) password cracker. His cracker can check up to 60 Mill. passwords per seconds (for short usernames) in brute force mode.

This is a good opportunity to show the current status of Oracle Password Cracking.
The benchmark numbers on our website are a little bit outdated and I will refresh them soon.

Here a quick summary of the fastest programs in every class (AFAIK, please correct me if you know
faster tools). All tests were performed on my old Core2Quad 2.4 GHz.
New Intel i7 would perform much faster (30-50%) comparing to Core2Quad.

If you look for pure numbers, dictionary based rainbow tables for DES are the fastest solution with approx. 250 Mill password hashes, followed by FPA with 60 Mill pw/sec, followed by brute force with 4 Mill pw/sec.

The SHA1 algorithm is a bad choice from the password cracking perspective because it can be cracked much faster (30 Mill pw/s instead of 4 Mill pw/s) on the same computer.

1. Dictionary Based (* Core2Quad 2.4 GHz)
DES: approx. 3 Mill pw/sec    (Repscan 3.0 and woraauthbf)
SHA1: approx. 19 Mill pw/sec  (Repscan 3.0)

2. Brute Force (* Core2Quad 2.4 GHz)
DES: up to 4 Mill pw/sec       (Repscan 3.0 and woraauthbf)
SHA1: approx. 30 Mill pw/sec   (Repscan 3.0)

3. Rainbow Table (* Core2Quad 2.4 GHz)
DES: n/a                       (Cain)
SHA1: hash salted, not useful

4. Dictionary based Rainbow Tables (* Core2Quad 2.4 GHz)
DES: up to 250 Mill pw/sec     (ophcrack)
SHA1: hash salted, not useful

5. FPGA
DES: up to 60 Mill pw/sec      (Dennis Yurichev)
SHA1: not available

6. GPCPU
DES:  n/a
SHA1: n/a (estimated 175 Mill pw/sec)

Geschrieben in Tools, passwords, Allgemein | Drucken | Keine Kommentare »

14 Dez 2008 von Alexander Kornbrust.

2 weeks ago, Massimiliano Montoro aka Mao, released a new version of Cain & Abel.

Here some of the new features of Cain & Abel v4.9.25:

- Oracle 11g (case sensitive) Password Extractor via ODBC.
- Added Oracle 11g Password Cracker (Dictionary and Brute-Force Attacks).
- Added support for Oracle TNS 11g (AES-192) in Oracle TNS Hashes Password Cracker.
- Added support for Oracle TNS 11g (AES-192) in Oracle TNS sniffer filter.
- Experimental SQL Query tool via ODBC.

The  AES implementation of Cain is slower than the implementation of GSAuditor (6,172,839 vs 2,654,719 on a 2.4 GHz C2D E4600)  but 2.6 Million passwords per second (via brute force) is still quite fast.

Massimilano wrote also 3 interesting whitepapers about the TNS authentication based on László Tóth work. Instead of using the oran10.dll/oran11.dll Mao is using the OpenSSL library:

Oracle 9i TNS 3DES authentication details 
Oracle 10g TNS AES-128 authentication details
Oracle 11g TNS AES-192 authentication details

Geschrieben in passwords, 11g, Oracle Security | Drucken | Keine Kommentare »

7 Dez 2008 von Alexander Kornbrust.

Danny boy from evilfingers.com informed me that his tool gsauditor now supports Oracle 11g passwords (+ many other variants of SHA-1). GSAuditor is really fast and with more than 6 million password hashes per second (Core2Quad Q6600 2.4 GHz, Vista 64) it’s currently the fastest Oracle 11g password cracker I know.  At the moment GSAuditor is not supporting multiple threads but Danny boy is working on it. The number will increase by 4 (=more than 20 mill hashes/second).

To extract the password hashes from Oracle 11g you can use the following SQL query to retrieve the Oracle password hash + salt from the table sys.user$:

SQL> set linesize 120
SQL> select ‘gsauditor -binary -set:?d -append -salt:’||substr(u.spare4,43,20)||”||substr(u.spare4,3,40)||’ ‘ from sys.user$ u where u.type#>0 and length(spare4) =62;

Geschrieben in Tools, passwords, Oracle Security | Drucken | 1 Kommentar »