j-j.co.za

As mentioned in my very first post on this “new and improved’ site, my original site from way back when had some information on Oracle password hashes and a list of default passwords. This initial work was taken and improved on by Marcel-Jan Krijgsman and subsequently Pete Finnigan (read more about it here), who now runs what is probably one of the best Oracle Security resources available on the net.

During those early days not much was known about Oracle password hashes. There also weren’t too many options when it came to cracking them. Adam Martin came up with a plan in the early days, writing some code that would take create an account, and then change the password to each word in a dictionary (stored in another table) using the oracle password change functionality, and then grab the hash after the change to compare it to the hash you are trying to crack. It was slow (around 10 passwords/second if I recall correctly). I wrote my own version to automate the process and build a “pot” of known hashes along the way. I was busy getting this ready for release when Orm released his far superior tool. At that stage I stopped development and released my list of known hashes.

Orm’s tool was orabf. This tool changed the game, as it was a completely offline tool not needing a running database and it was orders of magnitude quicker. It is probably still the best password cracker around for pre 11g hashes. The early version was a little buggy after a few mails Orm quickly fixed it and has improved it since then. (History here). Download orabf here.

A little about Oracle password hashes and the algorithm (Oracle 7- Oracle 10g)

Passwords can be up to 30 characters in length. The username and password are concatenated and all characters are converted to uppercase, then an eight byte hash is generated using the DES encryption algorithm without any salt (just the username).

The hashes can be obtained using either
* SELECT username, password FROM DBA_USERS;
* SELECT name,password FROM SYS.USER$ WHERE password is not null;

The second is potentially safer if there is a suspicion the server may have been compromised.

Use orabf (download as per link earlier) to crack these hashes, or get the modified version of John the Ripper.

Oracle 11g pasword hashes

Oracle 11g password can be up to 50 characters in length, and passwords are no longer case insensitive. The passwords are stored in two ways (Ala LANMAN hashes – don’t they learn from mistakes of others?), the old style DES (password field) AND the new SHA-1 (spare4 field).

Oracle 11g concatenates the password and salt, then applies SHA-1 to obtain the hash.

Password hashes can no longer be selected from dba_users, so can only be obtained as follows :
* SELECT name,spare4 FROM SYS.USER$ WHERE password is not null;

For more detail on the the Oracle 11g password hashing read the writeup at Recurity Labs.

To crack Oracle 11g hashes you can use The Hackers Choice (THC) OrakelCrakert which handles both brute force and dictionary attacks.  Check first though to see if the old-style hashes are available first, as it’s much easier to crack the new style password if the old style is known first, THC explain how this works in their post linked above.

That’s pretty much where things are at currently with Oracle passwords and hashes. There are many more tools out there to help with hacking and securing Oracle. Google is your friend