Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Alex has released version 1.1 of Checkpwd - the Oracle dictionary password cracker"] [Next entry: "A career change and some site revamping"]

1.02 Million hashes/second Oracle dictionary and brute force password cracker available

0rm of emailed me last night to let me know that he has made the full version of his Oracle dictionary and brute force password cracker available to he public. This cracker is the fastest Oracle password cracker that i know of - and I know of more than 10 different Oracle password crackers that are either in commercial tools or are in private hands. It is also probably the best featured Oracle password cracker available.

I have known about this cracker since version 0.32 when it was previously available but its presence was not advertised. The cracker was then removed from toolcrypt and has just now been made available again as version 0.7. You can download orabf version 0.7 here.

Orabf is a dictionary cracker and a brute force cracker. It is possible to define the character set used in the brute force attack. You can choose alpha, alpha+numeric,numeric or the full character set. You can also define the number of characters to check up to for the password. For instance you can check just for 5 character passwords. You can also start a cracking session and stop it and then use the resume feature to restart from the point you left off. The zip also includes a DOS batch script that can be used to attack multiple usernames/hashes in the same run. There is also included a nice tool called permute that can be used to mangle and manage dictionary or wordlists. There is also a word list and a tool to generate password hashes rather than crack them.

0rm has worked on this cracker for some time and he says it is unlikely to get much more work done on it as it is already very fast. I have clocked 1.02 Million hashes per second on a 2.8 gighz pentium 4. He has done some great tuning work on the DES algorithm itself to make this cracker very fast.

Here is a sample run:-

First alter the SCOTT users password so we can do a brute force cracking session.

SQL> alter user scott identified by xfd7h;

User altered.

SQL> select username, password from dba_users
2 where username='SCOTT';

------------------------------ -----------------------


First view the parameters to pass to orabf:


orabf v0.7, (C)2005

usage: orabf [hash]:[username] [complexity] [{}|maxpwdlen] [{}|'resume']

where complexity is a number in [1..4] or a filename
- read words from stdin
[file] read words from file
1 numbers
2 alpha
3 alphanum
4 entire keyspace

0 < maxpwdlen < 15 (brute force mode only)

resume tries to resume a previous session

Now run the orabf tool to brute force crack the password:

C:\\orm_version_7>orabf 0BF93A124BAD1F02:scott 3 5

orabf v0.7, (C)2005
Trying default passwords
Starting brute force session

press 'q' to quit. any other key to see status

password found:SCOTT:XFD7H

57871891 passwords tried. elapsed time 00:00:56. t/s:1026442


As you can see the 5 character password was cracked in 56 seconds and the cracker ran at 1.02 Million hashes per second.

This is a fantastic tool. Anyone interested in Oracle Security should get it and use it to test password strength in their databases. Of course I have added 0rm's cracker to my Oracle Security Tools page.