Alexander Kornbrust Oracle Security Blog

The russian software company Elcom released a new version (2.10.137) of their distributed password cracker.

I did a small performance check (700,000 pw/s on a 2,16 MHz Core2Duo in BF mode) and updated the password cracker comparision chart.

Woraauthbf (1,480,000 pw/s), orabf (1,110,000 pw/s) and JtR (780,000) in dictionary mode are faster (on my computer) and free.

I was interested to see the performance improvements by using the Geforce graphic card for cracking Oracle passwords but according to the documentation the Geforce 8800 series is only supported for Windows LM/NTLM hashes.

Only bruteforce password cracking for Oracle is supported but I couldn’t find anything in the online help. That’s why I had to play a little bit.EDPR expects the hashes in a file with the extension .orc and username:hash

—– elcom.orc —–
ALEX:5BA465109942B4DE
—– elcom.orc —–

The password cracking itself was simple and I like the possibility to crack passwords in distributed mode on multiple PCs. EDPR is a commercial software and the price starts at 500 USD for up to 20 clients.

I found also a small bug. EDPR is also checking for “ (double-quotes) in passwords. This is not possible in Oracle (afaik, correct me if I’m wrong).

I just uploaded checkpwd 2.00 A12. This first version of checkpwd  2.0 comes with a lot of new features making it the smartest and most convenient Oracle password checker around… (and it’s free).

2 weeks ago Laszlo released his password cracker woraauthbf becoming the fastest password cracker for Oracle (but not the smartest). Woraauthbf is working in offline mode only and does not use information from the database.

Checkpwd is connecting to the database (offline is possible too) and uses passwords and potential password candidates from the database for cracking Oracle passwords. This approach is often more successful than the normal dictionary based approach (see password of MGMT_VIEW in screenshot). Due to this technique checkpwd finds more passwords than woraauthbf and that’s the main goal of a password checking tool. Speed is not everything…

Another interesting but dangerous feature writes the found passwords into a file called foundpw.txt. The content of this file is used the next time, making the passwords dictionary more and more powerful. This feature is useful for cloned databases which are normal in company environments. Be careful with this file…

Here are some of the new features of checkpwd:

* support for Oracle 11g passwords
* support for APEX passwords (1.4-3.0.1)
* collect passwords from the database
* collect password candidates from the database
* option not to display the oracle password in command line
* crack passwords from the password history
* crack role passwords
* save checkpwd default configuration in a configuration file
* read username and password hashes from a file
* …

Feature-Requests and comments are welcome.