Danny boy from evilfingers.com informed me that his tool gsauditor now supports Oracle 11g passwords (+ many other variants of SHA-1). GSAuditor is really fast and with more than 6 million password hashes per second (Core2Quad Q6600 2.4 GHz, Vista 64) it’s currently the fastest Oracle 11g password cracker I know. At the moment GSAuditor is not supporting multiple threads but Danny boy is working on it. The number will increase by 4 (=more than 20 mill hashes/second).
To extract the password hashes from Oracle 11g you can use the following SQL query to retrieve the Oracle password hash + salt from the table sys.user$:
SQL> set linesize 120
SQL> select ‚gsauditor -binary -set:?d -append -salt:’||substr(u.spare4,43,20)||“||substr(u.spare4,3,40)||‘ ‚ from sys.user$ u where u.type#>0 and length(spare4) =62;