Red-Database-Security GmbH is a specialist in Oracle security

Oracle Password Cracker - V1.02


Oracle Password Tools

Since the Oracle password algorithm was posted in the comp.databases.oracle.server newsgroup, a number of free and commercial Oracle password crackers have become available. This page contains information about the different tools and programs.

Name | Author | OS | Type | pw/sec * | License | Pro | Cons | URL
checkpwd 1.1 | Red-Database-Security | Windows, Linux | Dictionary | 150,000 | Free | can connect to the database and check multiple accounts in one step | no BF mode | Oracle Password Cracker
orabf 0.7.4 (new) | 0rm | Windows | Brute Force, Dictionary | 1,100,000 (BF), 330,000 (Dictionary) | Free | fastest tool for BF and dictionary mode | no database connection | Toolcrypt
John the Ripper | - | Windows, Unix | Dictionary | N/A | Free | source available, generic password cracker, many platforms | no database connection | Ripper Plugin
Bob the Butcher | Bartavelle | coming soon | Brute Force | N/A | Free | N/A | N/A | Bob the Butcher
AppDetective** | AppSecInc | Windows | Dictionary, Brute Force | 5,000 | Commercial | can connect to the database, BF and dictionary mode, checks roles and default/easy-to-guess passwords | - | AppSecInc
NGSSquirrel | NGS Software | Windows | Dictionary | 138,979 | Commercial | can connect to the database, BF and dictionary mode + smart dictionary mode (0 replaces o, 1 replaces i, ...) | - | NGSSoftware
bfora | dab | Perl | Dictionary, Brute Force | N/A | Free | connects to the database, platform independent | slow, no BF mode | Digitalsec
Hashattack 0.2.0 | Josh Wright | PL/SQL | Dictionary | < 500 | Free | platform independent | slow, no BF mode | Download
Oracle PW Cracker 1.6 | Adam Martin | PL/SQL / Oracle Forms | Dictionary | < 500 | Free / Shareware ($4) | platform independent | slow, no BF mode | download currently not available
Oracle PW Cracker | Bear Dang | PL/SQL | Brute Force | < 500 | Free | platform independent | slow | Download
Cain & Abel | Massimiliano Montoro | Windows | Brute Force | N/A | Free | collection of many security tools, fast | - | Download

* Performance on a Pentium 4, 3 GHz (Windows XP), NGSSquirrel figures based on a P4, 3.6 GHz
** Password cracker for other databases (e.g. MS SQL Server, MySQL, DB2, Sybase...) available


Oracle brute force attacks / Oracle Password Decryption

A hash string cannot be decrypted, but because Oracle's only salt is the username itself, a brute force or dictionary attack is possible. Several Oracle brute force and dictionary tools are available. They hash each username/password candidate and compare the result with the stored hash key: if the hash keys are identical, the password is known. They range from simple SQL-based tools (< 500 passwords/second) up to dedicated C programs like checkpwd. The fastest tool calculates 1,100,000 passwords/second. At that rate, on a Pentium 4 with 3 GHz, trying every combination of the 26 letters A-Z only (26^n candidates for length n, e.g. 26^5 for five characters) takes:

  • 10 seconds to calculate all 5-character combinations
  • 5 minutes to calculate all 6-character combinations
  • 2 hours to calculate all 7-character combinations
  • 2.1 days to calculate all 8-character combinations
  • 57 days to calculate all 9-character combinations
  • 4 years to calculate all 10-character combinations


You should always use strong and long passwords to avoid brute force or dictionary attacks.
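As an added worked example (this is not code from Red-Database-Security or from any of the tools in the table above), the following Go program implements the DES-based pre-11g Oracle password hash as published in the newsgroup and uses it the way the crackers described above do: hash a candidate under the target username and compare it with the stored hash, once from a wordlist and once by enumerating A-Z strings of increasing length. The DBA_USERS-style rows in main() are constructed from the well-known default accounts SCOTT/TIGER and SYSTEM/MANAGER, not taken from any real system; the function names are the example's own. Only ASCII usernames and passwords are assumed.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// fixedKey is the constant DES key of the first encryption pass of the
// Oracle 7-10g password hash (the algorithm posted to the newsgroup).
var fixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// desCBCLastBlock encrypts buf (already a multiple of 8 bytes) with DES-CBC
// and an all-zero IV and returns the final ciphertext block.
func desCBCLastBlock(key, buf []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // key is always 8 bytes here
	}
	iv := make([]byte, des.BlockSize)
	out := make([]byte, len(buf))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, buf)
	return out[len(out)-des.BlockSize:]
}

// OraclePasswordHash returns the 16 hex digits stored in DBA_USERS.PASSWORD
// (pre-11g): uppercase username||password, widen every character to two
// bytes with a 0x00 high byte, zero-pad to a multiple of 8, DES-CBC with the
// fixed key, use that pass's last block as the key for a second DES-CBC pass,
// and take the last block of the second pass. Note that the username is the
// only "salt" and that case folding shrinks the keyspace to A-Z.
func OraclePasswordHash(username, password string) string {
	s := strings.ToUpper(username + password) // ASCII input assumed
	buf := make([]byte, 0, 2*len(s)+8)
	for i := 0; i < len(s); i++ {
		buf = append(buf, 0x00, s[i])
	}
	for len(buf)%8 != 0 || len(buf) == 0 {
		buf = append(buf, 0x00)
	}
	secondKey := desCBCLastBlock(fixedKey, buf)
	return strings.ToUpper(hex.EncodeToString(desCBCLastBlock(secondKey, buf)))
}

// CheckDictionary hashes every wordlist entry under username and reports the
// first one whose hash equals the stored hash (hex case is ignored).
func CheckDictionary(username, storedHash string, wordlist []string) (string, bool) {
	target := strings.ToUpper(storedHash)
	for _, candidate := range wordlist {
		if OraclePasswordHash(username, candidate) == target {
			return candidate, true
		}
	}
	return "", false
}

// BruteForceAlpha enumerates all A-Z strings of length 1..maxLen (26^n per
// length, the keyspace the timing table above refers to) as an odometer.
func BruteForceAlpha(username, storedHash string, maxLen int) (string, bool) {
	target := strings.ToUpper(storedHash)
	for n := 1; n <= maxLen; n++ {
		idx := make([]int, n)
		cand := make([]byte, n)
		for {
			for i, v := range idx {
				cand[i] = byte('A' + v)
			}
			if OraclePasswordHash(username, string(cand)) == target {
				return string(cand), true
			}
			i := n - 1
			for i >= 0 { // increment the rightmost position, carry leftwards
				idx[i]++
				if idx[i] < 26 {
					break
				}
				idx[i] = 0
				i--
			}
			if i < 0 {
				break // all 26^n strings of this length tried
			}
		}
	}
	return "", false
}

func main() {
	// Constructed sample rows (USERNAME, PASSWORD) as SELECT username, password
	// FROM dba_users would show them on a 10g database; these are the
	// documented default credentials, not data from a real system.
	accounts := map[string]string{
		"SCOTT":  "F894844C34402B67",
		"SYSTEM": "D4DF7931AB130E37",
	}
	wordlist := []string{"ORACLE", "PASSWORD", "TIGER", "MANAGER"}
	for user, h := range accounts {
		if pw, ok := CheckDictionary(user, h, wordlist); ok {
			fmt.Printf("%s: weak password %q\n", user, pw)
		}
	}
	pw, _ := BruteForceAlpha("SCOTT", OraclePasswordHash("SCOTT", "ABC"), 3)
	fmt.Println("brute-forced:", pw)
}
```

Two properties of the algorithm are visible in the code: the only per-account variation is the username, so one precomputed table per common account name (SYS, SYSTEM) serves every database, and the uppercase folding means a password that looks like it mixes case offers no more than the 26^n combinations counted above.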



History
  • 09-nov-2005: orabf from 0rm was updated to 0.7.4
  • 11-nov-2005: David Litchfield informed me that NGSSquirrel is much faster and has more features than mentioned in the comparison.
  • 25-nov-2005: Cain and Abel added, New feature: Oracle Password Cracker


© 2005 by Red-Database-Security GmbH - last update 25-nov-2005

Oracle Patch Policy

Vulnerability Fixing Order of Oracle Vulnerabilities

  • Main line of Code
  • New Products (e.g. 10g Rel. 2)
  • Patchsets for older products (e.g. 9.2.0.7)
  • Critical Patch Update

More information available on Oracle OTN:

Security Vulnerability Fixing Policy and Process