If you know neither the enemy nor yourself, you will succumb in every battle.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
But if you know the enemy and know yourself, you need not fear the result of a hundred battles.
The Art of War (Sun Tzu)
readme

Introduction

I developed the application because I missed some features in the existing Oracle password brute-forcers. After a while I realized it had reached a point where others could find it useful, so I decided to release it in the hope of gaining volunteers who test the application and give me useful feedback.

License

It is released under GPLv2; use it at your own responsibility.

Download

The current version is 0.22R2, and the code still needs massive cleaning, refactoring and bug hunting. This version can be called the "just works" version. The source can be downloaded from here, the compiled version for Windows from here.

Releases

The 0.22R2 is a bugfix release. I found a bug in the 11g password hash checking: I did not modify the password loading module after the prehash implementation, so the brute-force mode in 11g10g mode did not work. Special thanks go to Pete Finnigan and Alexander Kornbrust, who helped me in the testing phase of this release.

The 0.22 has some speed improvement because of the prehash implementation, and some useful changes:
  • Prehash implementation in the brute-force mode of the password hash.
  • Prehash implementation in the dictionary mode of the password hash (if the user name length > 4).
  • It saves the list of indexes of the found passwords, so you can use the --prev parameter to leave out the already cracked passwords from a previous session. In session continue mode (-s) it loads the results automatically.
  • The order in the permutation engine was changed to follow a more logical way (thanks to Pete Finnigan for suggesting it).
  • The permutation engine has more parameters that control which permutations should be included.
It is strongly recommended to use this new release. The list of some repaired bugs can be found here (thanks to Michael Donnerer for reporting them). This is still an early release, so it needs massive bug hunting and code cleaning.

The 0.21R2 is a bugfix release. Pete Finnigan found a bug in the 11g password hash checking: if more than one user had the same password, the program found only the first occurrence.

The 0.21 was mainly a bugfix release, but it has the following new features:
  • Tests the user names and permutations of the user names as passwords.
  • If there is a default.txt, it is loaded and checked as the list of default passwords. The included default.txt was generated from the site www.petefinnigan.com.
The 0.20 was the first public release.

Features

  • Oracle password hash attack
  • Oracle password hash attack for 11g: it tries to crack the old hash and checks the case sensitivity with the new algorithm.
  • 8i authentication attack without Oracle DLLs
  • 9i and 10g authentication attack with Oracle DLLs
  • Dictionary attack
  • Incremental brute force attack
  • Multithreaded
  • Resume mode

Help

The program accepts the following command line parameters:

    -p pwdfile [-d dictfile] -t type -m maxpwdlength -c charset -o dll --perm 0|1|2|3 --noarr --prev

-p      Password file.
-d      Dictionary file.
-t      There are five possible values. "hash" and "11g10g" are for Oracle password hashes; "8i", "9i" and "10g" are for the given authentication method. The default value is "hash".
-m      The maximum length of the password in brute-force mode. The maximum value is 10. The default value is 6.
-c      The charset in brute-force mode. There are three possible values: "alpha" [A-Z], "alphanum" [A-Z0-9], and "all" [A-Z0-9!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/]. The default value is "alpha".
-s      The session file contains the resume information. The program generates two session files, named oraauth.sess.0 and oraauth.sess.1. Use the earlier one according to the file access date. It automatically loads the result files (see the --prev parameter).
-o      The path of the oran10.dll.
--perm  It can have four values. "0" switches off the permutation of the user names. "1" (default) checks the reverse and the double of the user names, and numbers at the beginning and at the end of them. "2" checks numbers at all positions of the user names. "3" checks numbers at all positions together with the reverse and the double of the user names.
--noarr Switches off the user name and default password checking.
--prev  Loads the list of passwords found in a previous run. The name of the results file depends on the password file name. It is written at the end of the run and every minute, when the session files are saved.
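To make the --perm levels concrete, here is an added Python generator that produces the candidate list each level describes. It is illustration code, not woraauthbf's permutation engine, and it assumes details the description leaves open: "numbers" means the single digits 0-9, "double" means the user name concatenated with itself, and the plain user name is always the first candidate.

```python
import itertools

DIGITS = "0123456789"


def username_permutations(username, perm=1):
    """Candidate passwords derived from a user name for one --perm level.

    Assumptions not stated in the README: "numbers" are the single digits
    0-9, "double" is the name concatenated with itself, and the plain user
    name is always emitted first. Duplicates (e.g. the reverse of a
    palindrome) are dropped while keeping the generation order.
    """
    if perm not in (0, 1, 2, 3):
        raise ValueError("--perm accepts 0, 1, 2 or 3")
    candidates = [username]
    if perm in (1, 3):
        candidates.append(username[::-1])              # reverse
        candidates.append(username * 2)                # double
    if perm == 1:
        candidates += [d + username for d in DIGITS]   # number at the beginning
        candidates += [username + d for d in DIGITS]   # number at the end
    if perm in (2, 3):
        # one digit inserted at every position, including before the first
        # and after the last character
        for pos in range(len(username) + 1):
            for d in DIGITS:
                candidates.append(username[:pos] + d + username[pos:])
    return list(dict.fromkeys(candidates))


if __name__ == "__main__":
    for level in range(4):
        cands = username_permutations("scott", level)
        print(f"--perm {level}: {len(cands)} candidates, e.g. {cands[:4]}")
```

For a five-character name, level 1 yields 23 candidates, level 2 yields 61 and level 3 yields 63; the user name itself is tested unless --noarr is given.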

The password files have the following formats:

password hash:
The file format is:
    username:password hash:sid:server:
Example:
    SCOTT:F894844C34402B66:test:testdb:
The following SQL can be used:
    select username||':'||password||':'||name||':'||host_name||':'
    from sys.dba_users, sys.V_$DATABASE, sys.v_$instance;
8i authentication:
The file format is:
    username:srvsesskey::authpasswd:clip:clp:srvip:srvp:
Example:
    test:B18356B94CE0B21A:96D2C390490DE8BBB3A73C31077E9D79:192.168.81.3:4604:192.168.81.1:4552
9i authentication:
The file format is:
    username:srvsesskey::authpasswd:clip:clp:srvip:srvp:
Example:
    test1:E6873C6A656BB5C...:B850849AF89C9E3A78C6DD441...:192.168.168.2:1432:192.168.254.254:13245:
10g authentication:
The file format is:
    username:srvsesskey:clsesskey:authpasswd:clip:clp:srvip:srvp:
Example:
    test1:BF6325AB2B8A87638...:8D85098300E120985...:50176E4913E82EA8F...:192.168.1.1:3332:192.168.1.2:1521:
11g password hash:
The file format is:
    username:password hash:11g password hash:sid:server:
Example:
    AAAA:C2977AC2A123F7BA:79FFBB4C2CC9633C5...:ORCL:ora11g:
The following SQL can be used:
    select u.name||':'||u.password||':'||substr(u.spare4,3,63)||':'||d.name||':'||
           sys_context('USERENV','SERVER_HOST')||':'
    from sys.user$ u, sys.V_$DATABASE d where u.type#=1;
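As an added worked example (not code from woraauthbf), the following Python reads the record formats above and performs the 11g check that the Features list describes: the legacy hash is case-insensitive, so once it has yielded the upper-cased password, the 11g hash decides the real casing. The 11g field produced by substr(u.spare4,3,63) is 40 hex digits of SHA-1(password || salt) followed by 20 hex digits (10 bytes) of salt. The legacy DES-based hash itself is not computed here (it needs a DES implementation), and the 8i/9i/10g authentication records are only parsed, not attacked. The 11g sample record is constructed with a made-up salt; the field names are assumptions taken from the format lines above. Note that the 8i and 9i format lines show an empty clsesskey slot which their examples omit, so the parser accepts both shapes.

```python
import hashlib
import itertools

# Field layouts per -t type, named after the format lines above (assumed names).
# For 8i and 9i the format line has an empty clsesskey slot ("srvsesskey::authpasswd")
# while the examples omit it, so parse_record accepts both forms for those types.
LAYOUTS = {
    "hash":   ["username", "hash10g", "sid", "server"],
    "11g10g": ["username", "hash10g", "hash11g", "sid", "server"],
    "8i":     ["username", "srvsesskey", "authpasswd", "clip", "clp", "srvip", "srvp"],
    "9i":     ["username", "srvsesskey", "authpasswd", "clip", "clp", "srvip", "srvp"],
    "10g":    ["username", "srvsesskey", "clsesskey", "authpasswd", "clip", "clp", "srvip", "srvp"],
}


def parse_record(line, ptype):
    """Split one colon-separated record into a dict keyed by the names above.
    The trailing colon is optional (the 8i example on this page has none)."""
    fields = LAYOUTS[ptype]
    parts = line.rstrip("\r\n").split(":")
    if parts[-1] == "":
        parts.pop()                                   # trailing ':'
    if ptype in ("8i", "9i") and len(parts) == 8 and parts[2] == "":
        del parts[2]                                  # empty clsesskey slot
    if len(parts) != len(fields):
        raise ValueError(f"{ptype}: expected {len(fields)} fields, got {len(parts)} in {line!r}")
    return dict(zip(fields, parts))


def split_11g_hash(hash11g):
    """The 11g field is substr(spare4,3,63): 40 hex digits of SHA-1 followed
    by 20 hex digits (10 bytes) of salt."""
    if len(hash11g) != 60:
        raise ValueError("11g hash field must be 60 hex digits")
    return bytes.fromhex(hash11g[:40]), bytes.fromhex(hash11g[40:])


def check_11g(password, hash11g):
    """Case-sensitive 11g check: SHA-1(password || salt) == stored digest."""
    digest, salt = split_11g_hash(hash11g)
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def recover_case(upper_password, hash11g):
    """11g10g mode as the Features list describes it: the legacy
    (case-insensitive) hash gives the password in upper case; try every
    casing of its letters against the case-sensitive 11g hash and return
    the one that verifies, or None if no casing matches."""
    choices = [(c, c.lower()) if c.isalpha() else (c,) for c in upper_password]
    for combo in itertools.product(*choices):
        candidate = "".join(combo)
        if check_11g(candidate, hash11g):
            return candidate
    return None


def make_11g_record(username, password, salt, sid="ORCL", server="ora11g",
                    hash10g="F894844C34402B66"):
    """Build a constructed sample line in the 11g file format (not a real
    dump). The legacy hash defaults to the SCOTT value quoted on this page."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest().upper()
    return f"{username}:{hash10g}:{digest}{salt.hex().upper()}:{sid}:{server}:"


# Constructed sample: SCOTT with the mixed-case password "tiGer" and a made-up 10-byte salt.
SAMPLE_SALT = bytes.fromhex("0011223344556677889A")
SAMPLE_11G = make_11g_record("SCOTT", "tiGer", SAMPLE_SALT)
# The 8i example record quoted in the format description above.
SAMPLE_8I = "test:B18356B94CE0B21A:96D2C390490DE8BBB3A73C31077E9D79:192.168.81.3:4604:192.168.81.1:4552"

if __name__ == "__main__":
    rec = parse_record(SAMPLE_11G, "11g10g")
    print(rec["username"], recover_case("TIGER", rec["hash11g"]))   # SCOTT tiGer
    print(parse_record(SAMPLE_8I, "8i")["authpasswd"])
```

Because the legacy hash fixes the letters and only the casing is unknown, the 11g step costs at most 2^n SHA-1 computations for an n-letter password, which is why the 11g10g mode cracks the old hash first instead of brute-forcing the salted SHA-1 directly.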

Future plans

This is an early release, so the first steps are massive code cleaning and bug hunting. In the next couple of months I would like to implement the following features:
  • simple distributed mode
  • configurable charset handling
  • port to Linux
  • extract the authentication information from a pcap file
  • 11g authentication handling

Long term plans

  • sophisticated distributed mode
  • refactoring for simple extensibility

Speed comparison table

The program is quite fast on a multi-core CPU because it is multithreaded. On a single-core CPU orabf is faster.

Elapsed time:

                      Dictionary1   Dictionary2   Bruteforce1   Bruteforce2
  orabf 0.7.6         4s            10s           16s           415s
  woraauthbf 0.2      3s            5s            12s           302s
  woraauthbf 0.22     3s            5s            10s           256s
  checkpwd 1.22       8s            17s           none          none

Throughput (c/s):

                      Dictionary1   Dictionary2   Bruteforce1   Bruteforce2
  orabf 0.7.6         311994 c/s    301072 c/s    742586 c/s    744375 c/s
  woraauthbf 0.2      515114 c/s    618137 c/s    990114 c/s    1022899 c/s
  woraauthbf 0.22     515114 c/s    618137 c/s    1235663 c/s   1254970 c/s
  checkpwd 1.22       193168 c/s    181805 c/s    none          none

Test machine: IBM Thinkpad T60 (1.86 GHz dual core)

The password_file.txt comes from the release of Alexander Kornbrust's excellent tool checkpwd.

Test definitions (every run against the single record SCOTT:F894844C34402B66:::):

  Bruteforce1   charset: alpha, length: 5
  Bruteforce2   charset: alpha, length: 6
  Dictionary1   password_file.txt
  Dictionary2   password_file.txt.2

Disclaimer
The views expressed in this article are my own and not necessarily the views of my current, past or future employers.