Introduction
------------

I developed the application because I missed some features in the existing
Oracle password brute-forcers. After a while I realized it had reached a point
where others could find it useful, so I decided to release it in the hope that
it gains volunteers to test the application and give me some useful feedback.

License
-------

It is released under GPLv2; use it at your own responsibility.

Source
------

The current version is 0.2 and the code needs massive cleaning, refactoring
and bug hunting. This version can be called the "just works" version. The
source can be downloaded from here, and the compiled version for Windows from
here.

Features
--------

    * Oracle password hash attack
    * Oracle password hash attack for 11g. It tries to crack the old hash and 
      checks the case sensitivity with the new algorithm.
    * 8i authentication attack without Oracle DLLs
    * 9i and 10g authentication attack with Oracle DLLs
    * Dictionary attack
    * Incremental brute force attack
    * Multithreaded
    * Resume mode

Help
----

The program accepts the following command line parameters:

  -p pwdfile [-d dictfile] -t type -m maxpwdlength -c charset -o dll

  -p  Password file
  -d  Dictionary file
  -t  There are four possible values. "hash" and "11g10g" are for Oracle
      password hashes; "8i", "9i" and "10g" are for the given authentication
      method. The default value is "hash".
  -m  The maximum length of the password in brute-force mode. The maximum
      value is 10. The default value is 6.
  -c  The charset used in brute-force mode. There are three possible values:
      "alpha" [A-Z], "alphanum" [A-Z0-9], and "all" [A-Z0-9!@#$%^&*()-_
      +=~`[]{}|\:;"'<>,.?/]. The default value is "alpha".
  -s  The session file containing the resume information. The program
      generates two session files, named oraauth.sess.0 and oraauth.sess.1.
      Use the earlier one according to the file access date.
  -o  The path of oran10.dll.

The password files have the following formats:

  password hash:
    The file format is:
      username:password hash:sid:server:
    Example:
       SCOTT:F894844C34402B66:test:testdb:
    The following SQL can be used:
      select username||':'||password||':'||name||':'||host_name||':'
      from sys.dba_users, sys.V_$DATABASE,  sys.v$instance;

  8i authentication:
    The file format is:
      username:srvsesskey::authpasswd:clip:clp:srvip:srvp:
    Example:
      test:B18356B94CE0B21A:96D2C390490DE8BBB3A73C31077E9D79:192.168.81.3:4604:192.168.81.1:4552

  9i authentication:
    The file format is:
      username:srvsesskey::authpasswd:clip:clp:srvip:srvp:
    Example:
      test:B18356B94CE0B21A:96D2C390490DE8BBB3A73C31077E9D79:192.168.81.3:4604:192.168.81.1:4552

  10g authentication:
    The file format is:
      username:srvsesskey:clsesskey:authpasswd:clip:clp:srvip:srvp:
    Example:
      test1:BF6325AB2B8A87638...:8D85098300E120985...:50176E4913E82EA8F...:192.168.1.1:3332:192.168.1.2:1521:

  11g password hash:
    The file format is:
      username:password hash:11g password hash:sid:server:
    Example:
      AAAA:C2977AC2A123F7BA:79FFBB4C2CC9633C5...:ORCL:ora11g:
    The following SQL can be used:
      select u.name||':'||u.password||':'||substr(u.spare4,3,63)||':'||d.name||':'||
      sys_context('USERENV','SERVER_HOST')||':'
      from sys.user$ u, sys.V_$DATABASE d where u.type#=1;
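Added example, not part of woraauthbf: a small validator for the password-file layouts documented above, using the field names the README gives. It enforces the field count, that key and hash fields are hex, and that the pre-11g hash is 16 hex digits; the 11g hash length is not checked because the examples above are truncated, and the 10g record in the block is constructed filler.

```python
import re
from typing import Dict, List

# Field layout per -t type, as documented above. Every record ends with ':', so
# splitting yields one empty trailing field, which is dropped before the count check.
AUTH_FIELDS = ["username", "srvsesskey", "clsesskey", "authpasswd",
               "clip", "clp", "srvip", "srvp"]
LAYOUTS: Dict[str, List[str]] = {
    "hash":   ["username", "hash", "sid", "server"],
    "11g10g": ["username", "hash", "hash11g", "sid", "server"],
    "8i": AUTH_FIELDS, "9i": AUTH_FIELDS, "10g": AUTH_FIELDS,
}
HEX = re.compile(r"^[0-9A-Fa-f]*$")   # empty allowed: 8i/9i records have no clsesskey
HEX_FIELDS = {"hash", "hash11g", "srvsesskey", "clsesskey", "authpasswd"}


def parse_line(line: str, kind: str) -> Dict[str, str]:
    """Split one record and check field count plus hex-ness of the key/hash fields."""
    layout = LAYOUTS[kind]
    fields = line.rstrip("\r\n").split(":")
    if fields[-1] == "":
        fields.pop()                                  # the documented trailing ':'
    if len(fields) != len(layout):
        raise ValueError(f"{kind}: expected {len(layout)} fields, got {len(fields)}: {line!r}")
    rec = dict(zip(layout, fields))
    for name in sorted(HEX_FIELDS & set(layout)):
        if not HEX.match(rec[name]):
            raise ValueError(f"{kind}: field {name} is not hex: {rec[name]!r}")
    if kind in ("hash", "11g10g") and len(rec["hash"]) != 16:
        raise ValueError(f"{kind}: pre-11g hash must be 16 hex digits: {rec['hash']!r}")
    if kind in ("8i", "9i") and rec["clsesskey"]:
        raise ValueError(f"{kind}: clsesskey must be empty (only the 10g layout has one)")
    return rec


def parse_file(text: str, kind: str) -> List[Dict[str, str]]:
    """Parse every non-blank line; the first malformed record raises ValueError."""
    return [parse_line(l, kind) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    # The README's own SCOTT example, then a constructed 10g record (filler hex keys).
    print(parse_line("SCOTT:F894844C34402B66:test:testdb:", "hash"))
    print(parse_line("test1:" + "AB" * 16 + ":" + "CD" * 16 + ":" + "EF" * 16
                     + ":192.168.1.1:3332:192.168.1.2:1521:", "10g"))
```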

Future plans
------------

This is an early release, thus the first steps are massive code cleaning and
bug hunting. In the next couple of months I would like to implement the
following features:

    * automatic default password handling (the program has a dictionary
      mode, so this is a nice-to-have feature)
    * check variations of the user names
    * simple distributed mode
    * configurable charset handling
    * port to Linux
    * extract the authentication information from a pcap file
    * 11g authentication handling


Long term plans
---------------

    * sophisticated distributed mode
    * refactoring for simple extensibility


Speed comparison table
----------------------

The program is quite fast on a multi-core CPU, because it is multithreaded. On
a single-core CPU orabf is faster.

                  Dictionary1   Dictionary2   Bruteforce1   Bruteforce2
orabf 0.7.6           4s           10s           16s          415s
woraauthbf 0.2        3s            5s           12s          302s
checkpwd 1.22         8s           17s          none          none
orabf 0.7.6    311994 c/s    301072 c/s    742586 c/s    744375 c/s
woraauthbf 0.2 515114 c/s    618137 c/s    990114 c/s   1022899 c/s
checkpwd 1.22  193168 c/s    181805 c/s          none          none

Test machine: IBM ThinkPad T60 (1.86 MHz dual-core)

The password_file.txt comes from the release of Alexander Kornbrust's
excellent tool checkpwd.

Bruteforce1   charset: alpha, length: 5   SCOTT:F894844C34402B66:::
Bruteforce2   charset: alpha, length: 6   SCOTT:F894844C34402B66:::
Dictionary1   password_file.txt           SCOTT:F894844C34402B66:::
Dictionary2   password_file.txt.2         SCOTT:F894844C34402B66:::
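Added example, not from woraauthbf: the worst-case search cost behind the table above, computed for the three -c charsets and the -m ceiling from the Help section at the candidates/second rates the table reports. Each of the four brute-force timings equals the exact-length alpha keyspace divided by the tool's rate, which the block checks; it then shows how the same rates scale to the "all" charset at length 10, the figure a password-policy review would want. The function names are my own.

```python
import string

# The three -c charsets exactly as the README lists them.
CHARSETS = {
    "alpha": string.ascii_uppercase,
    "alphanum": string.ascii_uppercase + string.digits,
    "all": string.ascii_uppercase + string.digits
           + "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/",
}
MAX_PWD_LENGTH = 10  # documented upper bound for -m

# Candidates per second from the speed table above (T60 figures, alpha charset).
RATES = {
    "orabf 0.7.6":    {"Bruteforce1": 742586, "Bruteforce2": 744375},
    "woraauthbf 0.2": {"Bruteforce1": 990114, "Bruteforce2": 1022899},
}

def keyspace(charset: str, length: int) -> int:
    """Candidates of exactly `length` characters over `charset`."""
    if charset not in CHARSETS:
        raise ValueError(f"unknown charset {charset!r}")
    if not 1 <= length <= MAX_PWD_LENGTH:
        raise ValueError(f"length must be 1..{MAX_PWD_LENGTH} (the -m limit)")
    return len(CHARSETS[charset]) ** length

def keyspace_upto(charset: str, max_length: int) -> int:
    """Candidates incremental mode tries for lengths 1..max_length (the -m value)."""
    return sum(keyspace(charset, n) for n in range(1, max_length + 1))

def exhaust_seconds(charset: str, length: int, rate: int) -> float:
    """Worst-case seconds to try every candidate of one length at `rate` candidates/s."""
    return keyspace(charset, length) / rate

def policy_summary(rate: int) -> dict:
    """Worst-case hours per charset at the -m ceiling, for a password-policy review."""
    return {cs: exhaust_seconds(cs, MAX_PWD_LENGTH, rate) / 3600 for cs in CHARSETS}

if __name__ == "__main__":
    # Bruteforce1/2 in the table are alpha length 5 and 6; each timing equals the
    # exact-length keyspace divided by the reported rate (16s/415s, 12s/302s).
    for tool, r in RATES.items():
        print(f"{tool}: {exhaust_seconds('alpha', 5, r['Bruteforce1']):.1f}s "
              f"{exhaust_seconds('alpha', 6, r['Bruteforce2']):.1f}s")
    for cs, hours in policy_summary(RATES["woraauthbf 0.2"]["Bruteforce2"]).items():
        print(f"{cs:8s} length {MAX_PWD_LENGTH}: {hours:,.0f} h")
```

Pre-11g hashes are case-insensitive, which is why the README's charsets contain upper-case letters only; the 11g case check noted in the Features list is applied only after the old hash is recovered.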

Disclaimer
----------

László Tóth is a Senior Manager at PricewaterhouseCoopers (PwC) Performance
Improvement Consulting, in the Security and Technology team, Hungary. The
software is released by him personally and has no connection to, and creates
no liability for, his employer. The software is provided 'as is' without
warranty of any kind. Use it at your own responsibility. László may be
contacted at donctl@gmail.com.


