Introduction
------------

I developed this application because I missed some features in the existing
Oracle password brute-forcers. After a while I realized it had reached a point
where others could find it useful, so I decided to release it in the hope that
it gains volunteers to test the application and give me some useful feedback.

License
-------

It is released under GPLv2; use it at your own responsibility.

Download
--------

The current version is 0.22 and the code needs massive cleaning, refactoring
and bug hunting. This version can be called the "just works" version. The
source and the compiled version for Windows can be downloaded from
www.soonerorlater.hu.

Releases
--------

The 0.22 has some speed improvement because of the prehash implementation and
has some useful changes:

    * Prehash implementation in the brute-force mode of the password hash.
    * Prehash implementation in the dictionary mode of the password hash
      (if the username length > 4).
    * It saves the list of the indexes of the found passwords, so you can use
      the --prev parameter to leave out the already cracked passwords from a
      previous session. In the session continue mode (-s), it loads the
      results automatically.
    * The order in the permutation engine was changed to follow a more logical
      way (thanks to Pete Finnigan for suggesting it).
    * The permutation engine has more parameters that control which
      permutations should be included.

It is strongly recommended to use this new release. The list of some repaired
bugs can be found here (thanks Michael Donnerer for reporting them). This is
still an early release, so it needs massive bug hunting and code cleaning.

The 0.21R2 is a bugfix release. Pete Finnigan found a bug in the 11g password
hash checking: if more than one user had the same password, the program found
the first occurrence only.

The 0.21 is mainly a bugfix release, but it has the following new features:

    * Tests the user names and permutations of the user names as passwords.
    * If there is a default.txt, it loads and checks it as the list of default
      passwords. The included default.txt was generated from the site
      www.petefinnigan.com.

It is strongly recommended to use this new release. The list of some repaired 
bugs can be found in Release.txt. This is still an early release, so it needs 
massive bug hunting and code cleaning.

The 0.20 was the first public release.

Features
--------

    * Oracle password hash attack
    * Oracle password hash attack for 11g. It tries to crack the old hash and
      checks the case sensitivity with the new algorithm.
    * 8i authentication attack without Oracle DLLs
    * 9i and 10g authentication attack with Oracle DLLs
    * Dictionary attack
    * Incremental brute-force attack
    * Multithreaded
    * Resume mode

Help
----

The program accepts the following command line parameters:

  -p pwdfile [-d dictfile] -t type -m maxpwdlength -c charset -o dll

  -p  Password file.
  -d  Dictionary file.
  -t  There are four possible values. "hash" and "11g10g" are for Oracle
      password hashes; "8i", "9i" and "10g" are for the given authentication
      method. The default value is "hash".
  -m  The maximum length of the password in brute-force mode. The maximum
      value is 10. The default value is 6.
  -c  The charset used in brute-force mode. There are three possible values:
      "alpha" [A-Z], "alphanum" [A-Z0-9], and "all"
      [A-Z0-9!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/]. The default value is "alpha".
  -s  The session file that contains the resume information. The program
      generates two session files, named oraauth.sess.0 and oraauth.sess.1.
      Use the earlier one according to the file access date.
  -o  The path of the oran10.dll.
  --perm  It can have three values. "0" switches off the permutation of the
          user names. "1" (default) checks the reverse, the double and the
          numbers at the beginning and at the end of the user names. "2"
          checks numbers at all positions of the user names. "3" checks
          numbers at all positions together with the reverse and double of
          the user names.
  --noarr It switches off the user name and default password checking.
  --prev  Loads the list of found passwords from a previous run. The name of
          the results file depends on the password file name. It is generated
          at the end of the program and every minute when the session files
          are saved.

The password files have the following formats:

  * password hash:
    The file format is:
      username:password hash:sid:server:
    Example:
       SCOTT:F894844C34402B66:test:testdb:
    The following SQL can be used:
      select username||':'||password||':'||name||':'||host_name||':'
      from sys.dba_users, sys.V_$DATABASE,  sys.v$instance;

  * 8i authentication
    The file format is:
      username:srvsesskey::authpasswd:clip:clp:srvip:srvp:
    Example:
      test:B18356B94CE0B21A:96D2C390490DE8BBB3A73C31077E9D79:192.168.81.3:4604:192.168.81.1:4552

  * 9i authentication:
    The file format is:
      username:srvsesskey::autpasswd:clip:clp:srvip:srvp:
    Example:
      test:B18356B94CE0B21A:96D2C390490DE8BBB3A73C31077E9D79:192.168.81.3:4604:192.168.81.1:4552

  * 10g authentication:
    The file format is:
      username:srvsesskey:clsesskey:autpasswd:clip:clp:srvip:srvp:
    Example:
      test1:BF6325AB2B8A87638...:8D85098300E120985...:50176E4913E82EA8F...: 192.168.1.1:3332:192.168.1.2:1521:

  * 11g password hash:
    The file format is:
      username:password hash:11g password hash:sid:server:
    Example:
      AAAA:C2977AC2A123F7BA:79FFBB4C2CC9633C5...:ORCL:ora11g:
    The following SQL can be used:
      select u.name||':'||u.password||':'||substr(u.spare4,3,63)||':'||d.name||':'||
      sys_context('USERENV','SERVER_HOST')||':'
      from sys.user$ u, sys.V_$DATABASE d where u.type#=1;
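A malformed export (wrong field count, a hash that is not hexadecimal, a value
cut off with "...") is the usual reason a password audit produces nothing. The
validator below is an added example written for this README, not code from
woraauthbf itself. It implements the five line layouts listed above exactly as
given, assumes (based on the 8i/9i example above, which omits the empty
clsesskey field) that a seven-field authentication line is acceptable, and
checks that the pre-11g hash is 16 hex characters, as in both examples. Field
values ending in "..." are reported as truncated instead of being accepted, and
stray whitespace around a field (see the 10g example) is stripped. The sample
lines in SAMPLE_HASH_FILE are constructed for the demonstration.

```python
"""Validator for woraauthbf-style password files (added example, not the tool's own code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Field names per line type, copied from the README's "password files" section.
# Every layout ends with a trailing colon, so the last split element is empty.
LAYOUTS: Dict[str, List[str]] = {
    "hash": ["username", "password_hash", "sid", "server"],
    "11g":  ["username", "password_hash", "hash_11g", "sid", "server"],
    "8i":   ["username", "srvsesskey", "clsesskey", "authpasswd",
             "clip", "clp", "srvip", "srvp"],
    "9i":   ["username", "srvsesskey", "clsesskey", "authpasswd",
             "clip", "clp", "srvip", "srvp"],
    "10g":  ["username", "srvsesskey", "clsesskey", "authpasswd",
             "clip", "clp", "srvip", "srvp"],
}

HEX = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample: the README's SCOTT line plus one made-up HR line.
SAMPLE_HASH_FILE = """SCOTT:F894844C34402B66:test:testdb:
HR:0123456789ABCDEF:test:testdb:
"""


@dataclass
class Record:
    kind: str
    fields: Dict[str, str]
    problems: List[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not self.problems


def _check_hex(rec: Record, name: str, length: int = None) -> None:
    value = rec.fields.get(name, "")
    if value.endswith("..."):
        rec.problems.append(f"{name} is truncated ('...'); re-export the full value")
        return
    if not HEX.match(value):
        rec.problems.append(f"{name} is not hexadecimal: {value!r}")
    elif length is not None and len(value) != length:
        rec.problems.append(f"{name} should be {length} hex chars, got {len(value)}")


def _check_endpoint(rec: Record, ip_name: str, port_name: str) -> None:
    try:
        ipaddress.ip_address(rec.fields[ip_name])
    except ValueError:
        rec.problems.append(f"{ip_name} is not an IP address: {rec.fields[ip_name]!r}")
    port = rec.fields[port_name]
    if not (port.isdigit() and 0 < int(port) < 65536):
        rec.problems.append(f"{port_name} is not a valid port: {port!r}")


def parse_line(line: str, kind: str) -> Record:
    """Split one line of a `kind` password file and collect format problems."""
    names = LAYOUTS[kind]
    parts = [p.strip() for p in line.rstrip("\r\n").split(":")]
    if parts and parts[-1] == "":          # trailing colon -> drop the empty tail
        parts.pop()
    # Assumption (from the README's own 8i/9i example, which has no empty
    # clsesskey field): accept seven-field lines by inserting the empty field.
    if kind in ("8i", "9i") and len(parts) == len(names) - 1:
        parts.insert(2, "")
    rec = Record(kind, dict(zip(names, parts)))
    if len(parts) != len(names):
        rec.problems.append(f"expected {len(names)} fields, got {len(parts)}")
        return rec
    if not rec.fields["username"]:
        rec.problems.append("empty username")
    if kind in ("hash", "11g"):
        _check_hex(rec, "password_hash", 16)   # pre-11g hash is 16 hex chars
    if kind == "11g":
        _check_hex(rec, "hash_11g")
    if kind in ("8i", "9i", "10g"):
        _check_hex(rec, "srvsesskey")
        _check_hex(rec, "authpasswd")
        if kind == "10g":
            _check_hex(rec, "clsesskey")
        _check_endpoint(rec, "clip", "clp")
        _check_endpoint(rec, "srvip", "srvp")
    return rec


def parse_file(text: str, kind: str) -> List[Record]:
    """Parse every non-blank line of a password file of the given kind."""
    return [parse_line(ln, kind) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for rec in parse_file(SAMPLE_HASH_FILE, "hash"):
        status = "ok" if rec.ok() else "; ".join(rec.problems)
        print(f"{rec.fields.get('username', '?')}: {status}")
```

Run it over an export before starting a long session: a line that fails
validation is reported with the field name and reason, so the export query can
be fixed rather than discovering hours later that a truncated spare4 column
produced no matches.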


Speed comparison table
----------------------

The program is quite fast on a multi core CPU, because it is multithreaded. On
a single core CPU orabf is faster.

Elapsed time:

                     Dictionary1   Dictionary2   Bruteforce1   Bruteforce2
  orabf 0.7.6             4s           10s           16s          415s
  woraauthbf 0.2          3s            5s           12s          302s
  woraauthbf 0.22         3s            5s           10s          256s
  checkpwd 1.22           8s           17s          none          none

Throughput (candidates per second):

                     Dictionary1   Dictionary2   Bruteforce1   Bruteforce2
  orabf 0.7.6        311994 c/s    301072 c/s    742586 c/s    744375 c/s
  woraauthbf 0.2     515114 c/s    618137 c/s    990114 c/s   1022899 c/s
  woraauthbf 0.22    515114 c/s    618137 c/s   1235663 c/s   1254970 c/s
  checkpwd 1.22      193168 c/s    181805 c/s          none          none


Test machine: IBM Thinkpad T60 (1.86 MHz dual core)

The password_file.txt comes from the release of Alex Kornbrust's excellent
tool checkpwd.

  Bruteforce1   charset: alpha, length: 5   SCOTT:F894844C34402B66:::
  Bruteforce2   charset: alpha, length: 6   SCOTT:F894844C34402B66:::
  Dictionary1   password_file.txt           SCOTT:F894844C34402B66:::
  Dictionary2   password_file.txt.2         SCOTT:F894844C34402B66:::

Disclaimer
----------

László Tóth is a Senior Manager in PricewaterhouseCoopers (PwC) Performance
Improvement Consulting, in the Security and Technology team, Hungary. The
software is released by him and there is no connection or liability that
belongs to his employer. The software is provided 'as is' without warranty of
any kind. Use at your own responsibility. Laszlo may be contacted at
donctl@gmail.com.
