Oracle Password Cracker - V1.04
Oracle Password Tools
Since the Oracle password algorithm was posted in the comp.databases.oracle.server newsgroup, a lot of free and commercial Oracle password crackers have become available. This page contains information about the different tools and programs.
| Name | Author | OS / Platform | Type | pw/sec * | License | Pro | Cons | Link |
|---|---|---|---|---|---|---|---|---|
| checkpwd 2.00 | Red-Database-Security | Windows, Linux, MacOSX | Dictionary | 603.690 | Free | can connect to the database and check multiple accounts in one step, Oracle Easy Connect, support for 11g | no BF mode | Oracle Password Cracker |
| orabf 0.7.6 | 0rm | Windows | Brute Force, Dictionary | 431.701 (Dictionary) / 1.118.528 (BF) | Free | fastest tool for BF | no database connection | Toolcrypt |
| John the Ripper 1.71 with Oracle patch | | Windows, Unix | Brute Force, Dictionary | 503.227 (Dictionary) / 784.862 (BF) | Free | source available, generic password cracker, many platforms | no database connection | Ripper Plugin |
| Cain & Abel | Massimiliano Montoro | Windows | Brute Force | 95.012 (Dictionary) / 704.342 (BF) | Free | collection of many security tools | fast | Download |
| AppDetective** | AppSecInc | Windows | Dictionary, Brute Force | 5000 | Commercial | can connect to the database, BF and dictionary mode, check roles and default/easy to guess passwords | | AppSecInc |
| NGSSquirrel | NGS Software | Windows | Dictionary | 154.468 (Dictionary) | Commercial | can connect to the database, BF and dictionary mode + smart dictionary mode (0 replaces o, 1 replaces i, ...) | | NGSSoftware |
| bfora | dab | Perl | Dictionary, Brute Force | N/A | Free | connect to the database, platform independent | slow, no BF mode | Digitalsec |
| Hashattack 0.2.0 | Josh Wright | PL/SQL | Dictionary | < 500 | Free | platform independent | slow, no BF mode | Download |
| Oracle PW Cracker 1.6 | Adam Martin | PL/SQL / Oracle Forms | Dictionary | < 500 | Free / Share (4$) | platform independent | slow, no BF mode | download currently not available |
| Oracle PW Cracker | Bear Dang | PLSQL | Brute Force | < 500 | Free | platform independent | slow | Download |
| Matrixay | DBAppSecurity | Windows | Brute Force / Dictionary | 156.354 (Dictionary) | Commercial | collection of many security tools | fast | Information |
| ora11gPWCrack | Thorsten Schröder | Python | Dictionary | | Free | platform independent | 11g only | Download |
| OrakelCrackert | vonjeek/THC | Windows | Brute Force / Dictionary | 399.301 (Dictionary) / 892.851 (BF) | Free | | 11g only | Download |
* Performance on a Core2Duo 2.16 GHz (Windows XP); the figures use a dot as thousands separator (603.690 = 603,690 passwords/second)
** Password cracker for other databases (e.g. MS SQL Server, MySQL, DB2, Sybase...) available
Oracle brute force attacks / Oracle Password Decryption
It is not possible to decrypt an Oracle password hash, but because the salt is so simple (it is just the username), a brute force or dictionary attack is possible. Several Oracle brute force and dictionary attack tools are available. These tools hash the username/password combination and compare the result with the stored hash; if the two hashes are identical, the password is known. They range from simple SQL-based tools (< 500 pw/second) up to specialised C programs like checkpwd. The fastest tool calculates 1.100.000 passwords/second. At that rate, on a Pentium 4 with 3 GHz and using 26 ASCII characters only (i.e. 26^5 combinations for 5 characters), it takes
- 10 seconds to calculate all 5-ascii-character-combinations
- 5 minutes to calculate all 6-ascii-character-combinations
- 2 hours to calculate all 7-ascii-character-combinations
- 2,1 days to calculate all 8-ascii-character-combinations
- 57 days to calculate all 9-ascii-character-combinations
- 4 years to calculate all 10-ascii-character-combinations
You should always use strong and long passwords to avoid brute force or dictionary attacks.
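The timings in the list above follow from one formula: the number of candidates is alphabet_size ^ length, and dividing by the cracking rate gives the worst-case time for an exhaustive search. The following Python script is an added example (not code from this page or from Red-Database-Security) that reproduces the page's figures for 26 characters at 1.100.000 (1,100,000) passwords/second and goes a step further: it repeats the calculation for larger alphabets and works out the minimum length needed so that a full search takes at least a given time. The alphabet sizes other than 26 are assumptions chosen for illustration, not values from the page.

```python
"""
Brute-force keyspace calculator for the figures on this page.

Added example (not part of the original page). It reproduces the page's
estimate of how long an exhaustive search over 26-letter passwords takes
at 1,100,000 hashes per second and generalises it to other alphabets and
cracking rates, so a defender can judge what a minimum password length buys.
"""

# Constructed alphabet sizes (assumptions, not from the page). Only the
# 26-letter alphabet is the page's own figure; the rest show how the search
# space grows when a policy requires more character classes.
ALPHABETS = {
    "lower": 26,          # the page's assumption: 26 ASCII letters
    "lower+digits": 36,
    "mixed+digits": 62,
    "printable": 95,
}

PAGE_RATE = 1_100_000  # "the fastest tool calculates 1.100.000 passwords/second"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    if alphabet_size < 1 or length < 0:
        raise ValueError("alphabet_size must be >= 1 and length >= 0")
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = PAGE_RATE) -> float:
    """Worst-case time in seconds to try every candidate at `rate` hashes/second."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit, like the page's list."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def min_length_for(alphabet_size: int, target_seconds: float,
                   rate: float = PAGE_RATE) -> int:
    """Smallest length whose full search takes at least `target_seconds`."""
    if target_seconds <= 0:
        return 0
    needed = target_seconds * rate  # candidates the attacker can try in that time
    length = 0
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    print(f"Exhaustive search time at {PAGE_RATE:,} hashes/second")
    for length in range(5, 11):
        cells = ", ".join(
            f"{name}: {humanize(seconds_to_exhaust(size, length))}"
            for name, size in ALPHABETS.items())
        print(f"{length} chars -> {cells}")
    # How long must a password be so that a full search takes at least a year?
    for name, size in ALPHABETS.items():
        print(f"{name}: at least {min_length_for(size, 365 * 86400)} characters "
              f"for a one-year exhaustive search")
```

Running it with the page's rate gives about 10.8 seconds for 5 letters, 2.2 days for 8 and 4.1 years for 10, matching the list above. The more useful output for a defender is the last loop: it turns a cracking rate into a concrete minimum length per character class, which is the number a password policy should be derived from rather than guessed.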
History
- 09-nov-2005: orabf from 0rm was updated to 0.74
- 11-nov-2005: David Litchfield informed me that NGSSquirrel is much faster and has more features than mentioned in the comparison.
- 25-nov-2005: Cain and Abel added, New feature: Oracle Password Cracker
- 18-jul-2006: Matrixay added, checkpwd was updated to 1.12, orabf from 0rm was updated to 0.75
- 1-nov-2006: Performance figures added, programs updated (john 1.71, orabf 0.76)
- 24-jan-2007: checkpwd 1.22 updated, benchmark link added
- 4-oct-2007: new crackers for 11g added, checkpwd 2.0 updated
© 2005-2007 by Red-Database-Security GmbH - last update 4-oct-2007
Oracle Patch Policy
Vulnerability Fixing Order of Oracle Vulnerabilities
- Main line of Code
- New Products (e.g. 10g Rel. 2)
- Patchsets for older products (e.g. 9.2.0.7)
- Critical Patch Update
More information available on Oracle OTN:
Security Vulnerability Fixing Policy and Process