How to crack Oracle version 11g Passwords (SHA1)

This page will give you the best tools to crack your Oracle hashes, database version 11g

Oracle 11g database : working with THC tool

Blog Single

Intro

vonjeek from THC realeased a cracker for Oracle 11g version : http://freeworld.thc.org/thc-orakelcrackert11g/

Documentation

OrakelCrackert-11g is an Oracle 11g database password hash cracker using a weakness in the Oracle password storage strategy. With Oracle 11g, case sensitive SHA1 based hashing is introduced.
Storing passwords in a case sensitive way introduces more possible password combinations so password cracking takes longer. For example, the number of possible password combinations using a password generated out of the character set "[a-z][A-Z][0-9]#$_" where passwords start with a alpha character using is 52/65 * 65 ^ passlength. For an 8 position password this means 254.915.850.312.500 combinations.
Since Oracle is still storing the DES based password hashes, an attack much faster than brute forcing can be launched for most (not all) passwords.
To do so:

  • 1 - Get both the Oracle < 11g and 11g password hash, for example by executing the query "select user, password, spare4 from sys.user$ where username = ".
  • 2 - Crack the old DES based password hash (field "password") which is generated using the upper case version of the mixed case password (note: this is not applicable to all possible passwords in Oracle 11g).
  • 3 - If the upper case password is found, calculate the SHA1 result of the ASCII value of the password followed by the salt (nibble 41-60 of field SPARE4) to the SHA1 based password hash (nibble 1-40 of field SPARE4). Do this for every upper/lower case combination possible until you have got a match.
  • 4 - Voila!
  • Using a password generated out of the character set "[a-z][A-Z][0-9]#$_" where passwords start with a alpha character (currently supported by OrakelCrackert), the number of password combinations shrinks to 26/39 * 39 ^ length (= step 2) + 2 ^ length (= step 3).
    A full brute force for an 8 position password will now at maximum 'just' take 3.568.006.173.910 tries. This is about 77 times less than the original value. Example:

    select name, password, spare4 from sys.user$ where name = 'THC';
    THC,435D0D3C8468DBC4,S:D39F4CC16573323279E5E4E16D359D6C55DCC09202B03D5D74B6841CEA2E
    
    USER_PASS = ASCII(USER + GUESSED_PASS)
    PASS_UPPER = ORACLEHASH(GUESSES_PASS)
    FOR(ALL UPPER/LOWER CASE COMBINATIONS)
    	PASS_SALT = ASCII(PASS + SALT)
    	GUESSED_CASE = SHA1(PASS_SALT)
    	IF(GUESSED_CASE == SPARE4)
    		DONE!!
    With real-life data:
    USER_PASS = ASCII(THC + THC#) = 0x54484354484323
    PASS_UPPER = ORACLEHASH(0x54484354484323) = 0x435D0D3C8468DBC4
    FOR LOOP (only the correct guess):
    	PASS_SALT = ASCI(tHC# + 0x02B03D5D74B6841CEA2E) = 
    0x7448432302B03D5D74B6841CEA2E
    	GUESSED_CASE = SHA1(0x7448432302B03D5D74B6841CEA2E) = 
    0xD39F4CC16573323279E5E4E16D359D6C55DCC092
    	IF(0xD39F4CC16573323279E5E4E16D359D6C55DCC092 == 
    0xD39F4CC16573323279E5E4E16D359D6C55DCC092)
    		WE'VE GOT HIM!'

    Further reading

    http://www.petefinnigan.com/weblog/archives/00001096.htm
    http://www.ngssoftware.com/papers/cracking-sql-passwords.pdf
    http://www.phenoelit.net/lablog/oracle.sl
    http://blog.red-database-security.com/

    Note

    Related article : How to crack Oracle Passwords

Share this Post: