Cracking Oracle Passwords [Oracle password] - vulnerability warning - the black bar safety net

2008-03-18T00:00:00
ID MYHACK58:62200818544
Type myhack58
Reporter Anonymous
Modified 2008-03-18T00:00:00

Description

Note: published here first with the author's authorisation; please credit the source when reprinting. Author: Mickey. To connect to a remote Oracle database you need to know the SID, the user name, the password and, of course, the IP address. If the administrator has changed the SID, it can be guessed with sidguess. This is very fast; whether it succeeds depends on how your dictionary is configured. The result is shown in Figure 1.

![](http://www.lengmo.net/attachment.php?fid=944)

Figure 1

Different Oracle versions ship with many default accounts and passwords. But when the database administrator has changed the default passwords, we fall back to brute force. If an account is cracked and the login turns out to have DBA privileges, so much the better; if not, one of Oracle's vulnerabilities can be used to escalate to DBA. Once inside the database I usually grab the other users' password hashes and crack them locally with rainbow tables. If there are other Oracle databases on the same network segment, you can capture other users' Oracle login authentication as they connect, extract the sensitive values and crack those too, extending the gains further. Below I describe the three kinds of cracking methods and the tools they use, one by one. (Source: <http://www.lengmo.net/>)

Quotation

Basics of Oracle passwords

1, A standard Oracle password may consist of letters, digits, the hash sign (#), the underscore (_) and the dollar sign ($). The maximum length is 30 characters. An Oracle password may not begin with "$", "#", "_" or any digit, and it may not contain Oracle/SQL keywords such as "SELECT", "DELETE" or "CREATE".

2, Oracle's password encryption mechanism is weak: the same user name and password on two different Oracle database machines produce the same hash value. These hashes are stored in the SYS.USER$ table and can be read through views such as DBA_USERS.

3, In Oracle's default configuration an account is locked after 10 failed logins. But the SYS account holds the highest privileges in the database and can do anything, including starting up and shutting down the database; even if SYS is locked, it can still access the database.
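As an added example that is not part of the article, a DBA can check which accounts those lockout rules actually cover with one query over DBA_USERS and DBA_PROFILES; it assumes a session with access to those views and relies on the documented LIMIT representations ('UNLIMITED', and the string 'NULL' for an unset verify function).

```sql
-- Added example, not from the article. Run as a DBA. One row per open account
-- with the password-policy limits of its profile, so you can see which accounts
-- the 10-failed-login lockout covers, which have no complexity function, and
-- which never expire. SYS is listed first because, as basics point 3 says, a
-- locked SYS can still connect: its lockout limit is no protection on its own.
-- A non-DEFAULT profile may show 'DEFAULT' for a limit, meaning the value is
-- inherited from the DEFAULT profile; check that profile's row in that case.
WITH policy AS (
    SELECT u.username, u.account_status, u.profile, u.lock_date, u.expiry_date,
           MAX(CASE WHEN p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
                    THEN p.limit END) AS failed_login_limit,
           MAX(CASE WHEN p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
                    THEN p.limit END) AS verify_function,
           MAX(CASE WHEN p.resource_name = 'PASSWORD_LIFE_TIME'
                    THEN p.limit END) AS password_life_days
      FROM dba_users    u
      JOIN dba_profiles p ON p.profile = u.profile
     WHERE p.resource_type = 'PASSWORD'
     GROUP BY u.username, u.account_status, u.profile, u.lock_date, u.expiry_date
)
SELECT username, account_status, profile,
       failed_login_limit, verify_function, password_life_days,
       CASE
         WHEN username = 'SYS'                  THEN 'SYS bypasses lockout: only the password protects it'
         WHEN failed_login_limit = 'UNLIMITED'  THEN 'no lockout after failed logins'
         WHEN verify_function    = 'NULL'       THEN 'no complexity check'
         WHEN password_life_days = 'UNLIMITED'  THEN 'password never expires'
         ELSE 'ok'
       END AS finding
  FROM policy
 WHERE account_status = 'OPEN'
 ORDER BY CASE WHEN username = 'SYS' THEN 0 ELSE 1 END, username;
```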

I. Remote brute force

From basic point 3 above, the best account to target for remote cracking of Oracle is SYS, because this account is always valid. Versions before Oracle 10g did not prompt you to change the SYS default password at install time; Oracle 10g does prompt for a new password, but does not check its complexity, as shown in Figure 2.

![](http://www.lengmo.net/attachment.php?fid=945)

Figure 2

You can use the Orabrute tool for remote cracking. It requires Sqlplus to be installed on the system beforehand. The tool's principle is very simple: it repeatedly calls Sqlplus to attempt a login, with SYS as the account and each word of password.txt as the password. As soon as a login succeeds, it calls the selectpassword.sql script to dump the other users' hashes from the SYS.USER$ table and then exits. One thing to note: before running Orabrute a second time, delete or move the thepasswordsarehere.txt and output.txt files that the previous run left in the same directory.

Orabrute usage:

orabrute <hostip> <port> <sid> <millitimewait>

The result is shown in Figures 3 and 4.

![](http://www.lengmo.net/attachment.php?fid=946)

Figure 3

![](http://www.lengmo.net/attachment.php?fid=947)

Figure 4

Orabrute is relatively slow. If the target is Oracle 10g, there is an alternative: 10g ships by default with a web interface on port 8080 for remote database management, as shown in Figure 5.

![](http://www.lengmo.net/attachment.php?fid=948)

Figure 5

Visiting <http://ip:8080/oradb/public/global_name> brings up an authentication prompt. This is HTTP Basic authentication, and there are many good tools for cracking it quickly; you could choose the well-known Hydra. I chose wwwhack, which has a graphical interface: set the user name to SYS, select a dictionary, and it cracks away. This is much faster than cracking with Orabrute. The result is shown in Figure 6.

![](http://www.lengmo.net/attachment.php?fid=949)

Figure 6

II. Cracking after logging in with DBA privileges

Once you have a remote login account, you can use Checkpwd to check all of the database's default users for their default passwords. Checkpwd cracks remotely, so it is relatively slow, but it clearly shows each account's status (expired, locked). Checkpwd usage:

checkpwd username/password@//ip:port/sid passwordfile

The result is shown in Figure 7.

![](http://www.lengmo.net/attachment.php?fid=950)

Figure 7

You can also log in to the Oracle database directly with Sqlplus and run the command select username,password from dba_users to list the user names and password hashes, then crack them locally with Cain, as shown in Figure 8.

![](http://www.lengmo.net/attachment.php?fid=951)

Figure 8

Local cracking is very fast. I recommend trying a dictionary attack first: in Cain, click the Cracker tab, right-click the user names and hashes you imported earlier and choose the "Dictionary Attack" option. The result is shown in Figures 9 and 10.

![](http://www.lengmo.net/attachment.php?fid=952)

Figure 9

![](http://www.lengmo.net/attachment.php?fid=953)

Figure 10

If the dictionary attack fails, you can use rainbow tables. Cain comes with a rainbow table generator: open Winrtgen, select "Add Table", choose Oracle in the "Hash" field, set "Min Len" and "Max Len" to the minimum and maximum password length, choose the password character set under "Charset", then press "Ok" to start generating the rainbow table, as shown in Figure 11.

![](http://www.lengmo.net/attachment.php?fid=954)

Figure 11

Generation time depends on your CPU and on the table parameters you chose, and the generated tables take a lot of disk space; the advantage is that, once generated, they can be reused many times. Cracking with rainbow tables needs a lot of memory, but it is very fast and highly efficient.

III. Cracking other Oracle databases behind the same switch/hub

THC has released a new tool called Orakel that analyses and cracks the remote authentication mechanism of Oracle databases. In my testing the tool only seemed to work against Oracle8i remote login authentication, but the documentation that comes with the software describes the attack method. If another Oracle8i database sits on another port of the same hub, then, since a hub is a single collision domain and broadcast domain, you can use a capture tool such as Ethereal to capture the authentication traffic of users on other ports as they connect to the Oracle8i database. I used Ethereal for the capture because its very useful "Follow TCP Stream" feature quickly locates the AUTH_SESSKEY and AUTH_PASSWORD values and the connecting user name in the authentication packets. Fill those values into the OrakelSniffert tool and it can crack them; OrakelSniffert supports both dictionary and brute-force cracking and is very fast. The results are shown in Figures 12 and 13.

![](http://www.lengmo.net/attachment.php?fid=955)

Figure 12

![](http://www.lengmo.net/attachment.php?fid=956)

Figure 13

In a switched environment each port is its own collision domain, so you cannot directly capture the traffic of other ports. Instead you can use ARP spoofing or configure the switch's port mirroring function (SPAN) so that the other ports' traffic flows through your machine. In practice ARP spoofing is the most common choice; then use Ethereal to capture the authentication exchange, and crack it in the same way.

IV. Protection

From basic point 1, a standard Oracle password is already subject to strict restrictions, but you can break Oracle's password restrictions with double quotes: a password enclosed in double quotation marks may additionally contain the following characters:

%^@$*()_+~`-=[{]}\|;:',<.>

The commands to add a user with such a password in Oracle and grant it DBA privileges are as follows:

SQL> create user minnie identified by "%^@$*()_+~`=-[}[{\:'";
SQL> grant dba to minnie;

The result is shown in Figure 14:

![](http://www.lengmo.net/attachment.php?fid=957)

Figure 14

Setting such a complex password can, to some extent, prevent the password from being cracked.
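A quoted password is one user's choice; the complexity check that the article notes Oracle 10g does not perform at install time can be enforced for every account with a profile password-verify function. This is an added example, not from the article; it assumes Oracle 10g or later and a session connected as SYS, and the function name verify_pw_strength is made up.

```sql
-- Added example, not from the article. Assumes Oracle 10g or later (REGEXP_LIKE)
-- and a session connected as SYS, which must own a profile's verify function.
-- The name verify_pw_strength is a made-up name. Oracle calls the function with
-- this exact signature on every CREATE USER / ALTER USER ... IDENTIFIED BY and
-- rejects the new password when the function raises an error.
CREATE OR REPLACE FUNCTION verify_pw_strength (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2
) RETURN BOOLEAN IS
BEGIN
    -- Minimum length is this example's choice; the 30-character maximum from
    -- basics point 1 still applies.
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;

    -- The user name inside the password is the first thing a dictionary tries.
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the user name');
    END IF;

    -- Require a letter, a digit and one character outside the standard unquoted
    -- Oracle set (letters, digits, #, _ and $): that forces a quoted password
    -- of the kind shown in the article, which dictionary tables rarely cover.
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[^[:alnum:]#_$]') THEN
        raise_application_error(-20003,
            'Password needs a letter, a digit and a special character');
    END IF;

    -- old_password is only passed when a user changes their own password
    -- with the REPLACE clause (it is NULL on a DBA reset); reject reuse.
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;

    RETURN TRUE;
END;
/

-- Attach it to the DEFAULT profile and keep the 10-attempt lockout from
-- basics point 3; PASSWORD_LOCK_TIME is in days (1/24 is one hour).
ALTER PROFILE DEFAULT LIMIT
    PASSWORD_VERIFY_FUNCTION verify_pw_strength
    FAILED_LOGIN_ATTEMPTS    10
    PASSWORD_LOCK_TIME       1/24;
```

The function only affects passwords set after it is attached; existing accounts keep their current passwords until they are changed or expired with ALTER USER ... PASSWORD EXPIRE.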

References:

- Oracle Passwords and OraBrute
- The Next Level of Oracle Attack
- The Oracle Hacker's Handbook