Oracle Password Cracker - V1.02
Oracle Password Tools
After the posting of the Oracle password algorithm in the comp.database.oracle.server newsgroup, a lot of free and commercial Oracle password crackers have become available. This page contains information about the different tools and programs.
| Name | Author | OS | Type | pw/sec * | License | Pro | Cons | URL |
|---|---|---|---|---|---|---|---|---|
| checkpwd 1.1 | Red-Database-Security | Windows, Linux | Dictionary | 150.000 | Free | can connect to the database and check multiple accounts in one step | no BF mode | Oracle Password Cracker |
| orabf 0.7.4 (new) | 0rm | Windows | Brute Force, Dictionary | 1.100.000 (BF), 330.000 (Dictionary) | Free | fastest tool for BF and BF | no database connection | Toolcrypt |
| John the Ripper | | Windows, Unix | Dictionary | N/A | Free | source available, generic password cracker, many platforms | no database connection | Ripper Plugin |
| Bob the Butcher | Bartavelle | coming soon | Brute Force | N/A | Free | N/A | N/A | Bob the Butcher |
| AppDetective** | AppSecInc | Windows | Dictionary, Brute Force | 5000 | Commercial | can connect to the database, BF and dictionary mode, check roles and default/easy to guess passwords | | AppSecInc |
| NGSSquirrel | NGS Software | Windows | Dictionary | 138.979 | Commercial | can connect to the database, BF and dictionary mode + smart dictionary mode (0 replaces o, 1 replaces i, ...) | | NGSSoftware |
| bfora | dab | Perl | Dictionary, Brute Force | N/A | Free | connect to the database, platform independent | slow, no BF mode | Digitalsec |
| Hashattack 0.2.0 | Josh Wright | PL/SQL | Dictionary | < 500 | Free | platform independent | slow, no BF mode | Download |
| Oracle PW Cracker 1.6 | Adam Martin | PL/SQL / Oracle Forms | Dictionary | < 500 | Free / Share (4$) | platform independent | slow, no BF mode | download currently not available |
| Oracle PW Cracker | Bear Dang | PLSQL | Brute Force | < 500 | Free | platform independent | slow | Download |
| Cain & Abel | Massimiliano Montoro | Windows | Brute Force | N/A | Free | collection of many security tools | fast | Download |

* Performance on a Pentium 4, 3 GHz (Windows XP), NGSSquirrel figures based on a P4, 3.6 GHz
** Password cracker for other databases (e.g. MS SQL Server, MySQL, DB2, Sybase...) available
Oracle brute force attacks / Oracle Password Decryption
It is not possible to decrypt a hash string, but because of the simple Oracle salt (= username) it is possible to do a brute force or dictionary attack. There are several Oracle brute force or dictionary attack tools available. These tools encrypt the username/password and compare the hash keys. If the hash keys are identical, the password is known. The tools range from simple SQL-based tools (<500 pw/second) up to special C programs like checkpwd. The fastest tool calculates 1.100.000 passwords/second. On a Pentium 4 with 3 GHz it takes (26 ASCII characters only, e.g. 26^5):
- 10 seconds to calculate all 5-ascii-character-combinations
- 5 minutes to calculate all 6-ascii-character-combinations
- 2 hours to calculate all 7-ascii-character-combinations
- 2,1 days to calculate all 8-ascii-character-combinations
- 57 days to calculate all 9-ascii-character-combinations
- 4 years to calculate all 10-ascii-character-combinations
You should always use strong and long passwords to avoid brute force or dictionary attacks.
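The following Python sketch is an added example, not code from this page or from any of the listed tools. It recomputes the timings above from the quoted rate of 1.100.000 passwords/second and goes one step further: it finds the shortest password length whose full keyspace outlasts a chosen target time. The 36-character alphabet (letters plus digits) and the 100-year target are assumptions chosen for illustration.

```python
# Added example: worst-case exhaustive-search time for a password policy.
RATE_PAGE = 1_100_000      # guesses/second, the fastest figure quoted on this page
ALPHABET_PAGE = 26         # letters only, as in the page's list
YEAR = 365 * 86400         # seconds per (non-leap) year

def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length

def exhaust_seconds(alphabet: int, length: int, rate: float = RATE_PAGE) -> float:
    """Worst-case seconds to try every candidate of exactly `length` characters."""
    return keyspace(alphabet, length) / rate

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def min_length(alphabet: int, target_seconds: float,
               rate: float = RATE_PAGE) -> int:
    """Shortest length whose full keyspace takes at least `target_seconds`."""
    if alphabet < 2 or rate <= 0:
        raise ValueError("alphabet must be >= 2 and rate must be positive")
    length = 1
    while exhaust_seconds(alphabet, length, rate) < target_seconds:
        length += 1
    return length

def page_table() -> list[str]:
    """Recompute the page's list for lengths 5..10 at the page's rate."""
    return [f"{n} chars: {humanize(exhaust_seconds(ALPHABET_PAGE, n))}"
            for n in range(5, 11)]

if __name__ == "__main__":
    print("\n".join(page_table()))
    # Assumed policy target: survive 100 years of exhaustive search.
    for alphabet in (26, 36):  # 36 = letters + digits (assumption)
        for rate in (RATE_PAGE, 10 * RATE_PAGE):  # 10x models faster hardware
            n = min_length(alphabet, 100 * YEAR, rate)
            print(f"alphabet={alphabet} rate={rate}/s -> min length {n}")
```

These are worst-case figures for exhaustive search only; a dictionary attack finds a guessable password regardless of its length.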
History
- 09-nov-2005: orabf from 0rm was updated to 0.74
- 11-nov-2005: David Litchfield informed me that NGSSquirrel is much faster and has more features than mentioned in the comparison.
- 25-nov-2005: Cain and Abel added, New feature: Oracle Password Cracker
© 2005 by Red-Database-Security GmbH - last update 25-nov-2005
Oracle Patch Policy
Vulnerability Fixing Order of Oracle Vulnerabilities
- Main line of Code
- New Products (e.g. 10g Rel. 2)
- Patchsets for older products (e.g. 9.2.0.7)
- Critical Patch Update
More information available on Oracle OTN:
Security Vulnerability Fixing Policy and Process