Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "IOUG Data Security Report 2009 is out"] [Next entry: "Oracle Security Worst Practices"]

60 million password hashes/second Oracle password cracker available

I first chatted to Dennis Yurichev probably around a couple of years ago about his efforts to make an FPGA password cracker. We exchanged numerous emails and i think without checking back he had one FPGA cracker working that did 76 million hashes per second. Well Dennis has finally finished up his cracker and has added a web based front end to the hardware that is accessible from his website. Dennis emailed me this morning to test it out but when i tried unluckilly he had a power outage. Now his site is back up and you can go there and submit Oracle usernames and password hashes to be queued to run on the hardware. I submitted a user "DY" with a password of GH56BG8

SQL*Plus: Release - Production on Mon Oct 5 12:21:05 2009

Copyright (c) 1982, 2008, Oracle. All rights reserved.

Connected to:
Personal Oracle Database 11g Release - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> create user dy identified by gh56bg8;

User created.

SQL> select name,password from sys.user$
2 where name='DY';

------------------------------ ------------------------------
DY 4BD6926200326C0E


The FPGA cracker is available at Dennis's site, simply cut and paste the username and the hash into the boxes on the screen, Dennis queues the job to run on the cracker. The screen updates to give you progress.

Here is a look at the cracker running (click the image to increase it):

FPGA password cracker running

The Oracle RDBMS passwords solver page gives some details, make sure that you don't post production passwords/hashes as these will be displayed publically.

Nice site Dennis, it will be interesting to see how much it gets used.

There has been 2 Comments posted on this article

October 5th, 2009 at 01:40 pm

Pete Finnigan says:

Needless to say, it is currently working only in A-Z passwords range, for the sake of demonstration speed. Full A-Z0-9#$_ range will demand 16.5 hours.

October 5th, 2009 at 01:49 pm

Pete Finnigan says:

Hi Dennis,

Thanks for your comment; i appreciated that also from your email. I have just submitted another user whose name is "DT" and the password is "CA7ECAB60348F235" - this time its just ALPHA, I am impressed its solved it already - it was just 6 characters BUT i wanted to see that it worked.

Thanks Dennis,