Archive for the ‘Security’ Category

GOSS – GUI Oracle scanner

Sunday, October 14th, 2007

From time to time I’m doing research on Russian websites (with Google Translate) because you can find interesting information and tools. Last week I found a small Oracle scanner called goss, a GUI Oracle Scanner.

GUI Oracle Scanner

This tool contains features like getting the SID (similar to sidguess), password guessing, retrieving password hashes from the database, …

GUI Oracle Scanner II

The output is displayed in a new window.

GUI Oracle Scanner III

Some of the features in this tool were not working properly against my test databases.

Oracle Password Cracker Benchmarks

Tuesday, October 9th, 2007

Today Laszlo released his password cracker woraauthbf for Oracle, the fastest Windows tool for cracking Oracle passwords (supports the new and old password hash format plus cracking the authentication attack).

On his webpage Laszlo has a small benchmark comparing the 3 leading Oracle password crackers checkpwd, orabf and woraauthbf. According to Laszlo’s benchmark checkpwd 1.22 is the slowest cracker (but only out of these 3).

I was surprised that checkpwd was so slow compared to the benchmarks I did on my systems. The reason for this bad result was the way Laszlo performed the tests.

Laszlo was testing only 1 password hash. The implementation of reading the dictionary file is slow, which is why this affects the entire result of checkpwd. In the real world you are normally testing many password hashes and not only 1 hash.
That’s why I ran a benchmark of how long it takes to crack 40 hashes (instead of 1 hash) with the new checkpwd 2.0, which supports reading password hashes from a text file (to get rid of the file reading overhead). I ran the tests on my 2 GHz Core2Duo.

woraauthbf 0.2 1.103.773 pw/s (Laszlo: 515114 pw/s)

checkpwd 2.0 637.263 pw/s (Laszlo: 193.168 pw/s)

orabf 0.76 400.000 pw/s (Laszlo: 311.994 pw/s)

Checkpwd 2.0 was nearly 2 times faster in this benchmark (just by cracking 40 instead of 1 password (637.263 vs 309.057)).

In checkpwd 2.0 we will focus on intelligent password cracking instead of pure power, but we are still interested in improving the speed of checkpwd.
Here are some new features of checkpwd 2 (to be released next week):

* cracking APEX passwords
* support for Oracle 11g
* support for Oracle Password History
* intelligent password collector
* many new options
* …

Oracle Jinitiator ActiveX control 1.1.8.16 contains multiple Stack Buffer Overflows

Thursday, August 30th, 2007

Yesterday US-CERT published an advisory that the ActiveX control of Jinitiator 1.1.18.16 and earlier contains multiple buffer overflows allowing remote code execution. Even a new installation of Jinitiator does not fix the problem because the old, vulnerable control will not be removed. US-CERT recommends disabling ActiveX or setting the appropriate killbit.

Create and execute the following text file to set the killbit. Additional information about killbits and ActiveX is available in Microsoft support note 240797.

———–killbit.reg—————

    Windows Registry Editor Version 5.00

    ; Compatibility Flags 0x400 is the kill bit: Internet Explorer will not load this CLSID
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9b935470-ad4a-11d5-b63e-00c04faedb18}]
    "Compatibility Flags"=dword:00000400

———–killbit.reg—————
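To confirm the kill bit is in place after importing the file, the registry can be read back directly. The PowerShell below is an added example, not part of the original post; the function name `Test-ActiveXKillBit` is hypothetical, and the `Wow6432Node` path (the registry view used by 32-bit Internet Explorer on 64-bit Windows) is an addition the post does not mention.

```powershell
# Added example: report whether the kill bit is set for an ActiveX CLSID.
# The CLSID passed at the bottom is the one from killbit.reg above.
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from loading the control

function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid
    )
    # Check the native view and the 32-bit view; a control blocked in only
    # one of them can still be loaded by the other flavour of Internet Explorer.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($root in $roots) {
        # The Wow6432Node view does not exist on 32-bit Windows.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        $key   = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($item) { $flags = $item.'Compatibility Flags' }
        }

        [pscustomobject]@{
            Key     = $key
            Flags   = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            # Other compatibility bits may be present, so test the bit, not equality.
            Blocked = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

Test-ActiveXKillBit -Clsid '{9b935470-ad4a-11d5-b63e-00c04faedb18}' | Format-Table -AutoSize
```

Any row with `Blocked` equal to `False` means the control can still be instantiated from that registry view.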

Partnership between Red-Database-Security GmbH and PeteFinnigan.com Ltd.

Tuesday, August 21st, 2007

Red-Database-Security GmbH in Germany and PeteFinnigan.com Limited in the UK are pleased to announce an exclusive partnership to promote and sell services / training and products to give customers the best choices in securing Oracle databases. Pete Finnigan and Alex Kornbrust are both world leaders in the field of securing Oracle databases and this exclusive partnership will provide a stronger combined proposition for customers of both companies. Alex and Pete are pleased to announce an exclusive and exciting limited opportunity to attend a 5 day Oracle Anti Hacker training in London from October 29th to November 2nd. The places are limited so don’t miss this unique opportunity. See www.petefinnigan.com and www.red-database-security.com for more details and to register.