
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


A new version of woraauthbf - The Oracle password cracker is released

Today Laszlo has released a new version of his Oracle password cracker, woraauthbf. The latest version includes a number of new features and also some bug fixes. The version 0.21 features and fixes, taken straight from the release.txt file, are:

Main errors

* It calculated the possible number of passwords in the bf mode as
26^6 instead of 26+26^2+26^3 ... etc. It checked less than the
possible number of passwords.

* There was a problem in the bin to hex conversion function. It
caused problems with certain hashes and affected the authentication
functions. It did not affect the hash function.

* There were some problems in the concurrent data access in the
authentication functions. It was found when more than three threads
were running.


* Test the user names and permutations of the user names as password
* If there is a default.txt it loads and checks it as the list of default
passwords. The included default.txt was generated from the site

The binary version of woraauthbf is available here for Windows and the source code of woraauthbf is available here.