The woraauthbf tool
Description
I developed the application because I missed some features in the existing Oracle password brute-forcers. After a while I realized it had reached a point where others could find it useful, so I decided to release it in the hope that it gains volunteers to test the application and give me useful feedback.
License
It is released under GPLv2; use it at your own risk.
Download
The current version is 0.22R2 and the code needs massive cleaning, refactoring and bug hunting. This version can be called the “just works” version. The source can be downloaded from here, the compiled version for Windows from here.
Releases
The 0.22R2 is a bugfix release. I found a bug in the 11g password hash checking: I did not modify the password loading module after the prehash implementation, so the brute-force mode did not work in 11g10g mode. Special thanks go to Pete Finnigan and Alex Kornbrust, who helped me in the testing phase of this release.
The 0.22 has some speed improvement because of the prehash implementation and has some useful changes:
- Prehash implementation in the brute-force mode of the password hash.
- Prehash implementation in the dictionary mode of the password hash (if the username length > 4).
- It saves the list of indexes of the found passwords, so you can use the --prev parameter to leave out the passwords already cracked in a previous session. In session continue mode (-s) it loads the results automatically.
- The order in the permutation engine was changed to follow a more logical way (thanks to Pete Finnigan for suggesting it).
- The permutation engine has more parameters that control which permutations should be included.
It is strongly recommended to use this new release. The list of some repaired bugs can be found here (thanks to Michael Donnerer for reporting them). This is still an early release, so it needs massive bug hunting and code cleaning.
The 0.21R2 is a bugfix release. Pete Finnigan found a bug in the 11g password hash checking: if more than one user had the same password, the program found the first occurrence only.
The 0.21 is mainly a bugfix release, but it has the following new features:
- Tests the user names and permutations of the user names as passwords.
- If there is a default.txt, it loads and checks it as the list of default passwords. The included default.txt was generated from the site www.petefinnigan.com.
The 0.20 was the first public release.
Features
- Oracle password hash attack
- Oracle password hash attack for 11g. It tries to crack the old hash and checks the case sensitivity with the new algorithm.
- 8i authentication attack without oracle dlls
- 9i and 10g authentication attack with oracle dlls
- Dictionary attack
- Incremental brute force attack
- Multithreaded
- Resume mode
Help
The program accepts the following command line parameters:
-p pwdfile [-d dictfile] -t type -m maxpwdlength -c charset -o dll --perm 0|1|2|3 --noarr --prev
-p Password file
-d Dictionary file
-t The type of attack. “hash” and “11g10g” are for the Oracle password hash; “8i”, “9i” and “10g” are for the given authentication method. The default value is “hash”.
-m The maximum length of the password in brute-force mode. The maximum value is 10; the default value is 6.
-c The charset in brute-force mode. There are three possible values: “alpha” [A-Z], “alphanum” [A-Z0-9], and “all” [A-Z0-9!@#$%^&*()-_+=~`[]{}|:;"'<>,.?/]. The default value is “alpha”.
-s The session file containing the resume information. The program generates two session files, named oraauth.sess.0 and oraauth.sess.1; use the earlier one according to the file access date. It automatically loads the result files (see the --prev parameter).
-o The path of the oran10.dll.
--perm Controls the permutation of the user names. The “0” value switches off the permutation of the user names. The “1” (default) value checks the reverse and the double of the user name, and numbers at the beginning and at the end of the user name. The “2” value checks numbers at all positions of the user name. The “3” value checks numbers at all positions together with the reverse and the double of the user name.
--noarr Switches off the user name and default password checking.
--prev Loads the list of found passwords from a previous run. The name of the results file depends on the password file name. It is generated at the end of the program and every minute when the session files are saved.
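The --perm levels above define exactly which user-name-derived strings the tool tries first, which makes them a useful password-policy check for a DBA: a password that equals one of those strings is found within the first few candidates of any run. The following is an added example, not woraauthbf's own code; it assumes that “numbers” means a single digit 0 to 9, that the digit is inserted into the plain user name only, and that the comparison is case-insensitive (the legacy hash is case-insensitive, and the 11g mode derives its case variants from the legacy result, so a case-insensitive match is the conservative test for both modes).

```python
"""Password-policy check mirroring the --perm user-name permutations.

Added example, not part of woraauthbf. Assumptions: "numbers" means a single
digit 0-9, digits are inserted into the plain user name only, and matching is
case-insensitive.
"""
from typing import Set

DIGITS = "0123456789"


def username_variants(username: str, perm: int) -> Set[str]:
    """Return the candidate set that the given --perm level derives from a user name."""
    if perm not in (0, 1, 2, 3):
        raise ValueError("perm must be 0, 1, 2 or 3")
    base = username.upper()
    variants = {base}                  # the plain user name is always tried (unless --noarr)
    if perm == 0:
        return variants
    if perm in (1, 3):                 # reverse and doubled user name
        variants.add(base[::-1])
        variants.add(base * 2)
    if perm == 1:                      # a digit at the beginning or at the end only
        for d in DIGITS:
            variants.add(d + base)
            variants.add(base + d)
    else:                              # perm 2 and 3: a digit at every position
        for d in DIGITS:
            for i in range(len(base) + 1):
                variants.add(base[:i] + d + base[i:])
    return variants


def is_trivial_password(username: str, password: str, perm: int = 3) -> bool:
    """True if the password would be found by the --perm level's user-name permutations."""
    return password.upper() in username_variants(username, perm)


if __name__ == "__main__":
    # Constructed sample: user name SCOTT with a few proposed passwords.
    for candidate in ("ttocs", "SCO7TT", "scottscott", "tiger"):
        print(candidate, "trivial" if is_trivial_password("SCOTT", candidate) else "ok")
```

The check is deliberately stricter than the tool's default (--perm 3 rather than 1), so a password that passes it is safe against every permutation level the tool offers.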
The password files have the following formats:
password hash
The file format is:
username:password hash:sid:server:
Example:
SCOTT:F894844C34402B66:test:testdb:
The following SQL can be used:
select username||':'||password||':'||name||':'||host_name||':'
from sys.dba_users, sys.V_$DATABASE, sys.v_$instance;
8i authentication
The file format is:
username:srvsesskey::authpasswd:clip:clp:srvip:srvp:
Example:
test:B18356B94CE0B21A:96D2C390490DE8BBB3A73C31077E9D79:192.168.81.3:4604:192.168.81.1:4552
9i authentication
The file format is:
username:srvsesskey::autpasswd:clip:clp:srvip:srvp:
Example:
test1:E6873C6A656BB5C…:B850849AF89C9E3A78C6DD441…:192.168.168.2:1432:192.168.254.254:13245:
10g authentication
The file format is:
username:srvsesskey:clsesskey:autpasswd:clip:clp:srvip:srvp:
Example:
test1:BF6325AB2B8A87638…:8D85098300E120985…:50176E4913E82EA8F…:192.168.1.1:3332:192.168.1.2:1521:
11g password hash
The file format is:
username:password hash:11g password hash:sid:server:
Example:
AAAA:C2977AC2A123F7BA:79FFBB4C2CC9633C5…:ORCL:ora11g:
The following SQL can be used:
select u.name||':'||u.password||':'||substr(u.spare4,3,63)||':'||d.name||':'||
sys_context('USERENV','SERVER_HOST')||':'
from sys.user$ u, sys.V_$DATABASE d where u.type#=1;
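A dump in the “hash” or “11g10g” format above is also a convenient audit input: every account that has a legacy hash but no 11g hash in the third field is still authenticated case-insensitively, which is exactly what the 11g10g mode exploits. The following parser and audit is an added example, not woraauthbf's code. It validates the two hash-mode formats (legacy hash as 16 upper-case hex characters as in the examples; 11g field assumed to be the 60 hex characters that substr(u.spare4,3,63) yields, a 40-character SHA-1 digest followed by a 20-character salt), reports malformed lines, and lists the legacy-only accounts. The sample lines are constructed, including the 11g value.

```python
"""Parser and audit for woraauthbf-style password-hash dump files.

Added example, not part of woraauthbf. Handles the "hash" and "11g10g" input
formats; the 60-hex-character 11g field length is an assumption derived from
the substr(spare4,3,63) query.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Legacy (pre-11g) hash: 16 upper-case hex characters, as in the examples.
LEGACY_HASH_RE = re.compile(r"^[0-9A-F]{16}$")
# 11g field: assumed 40 hex chars of SHA-1 digest + 20 hex chars of salt.
HASH_11G_RE = re.compile(r"^[0-9A-F]{60}$")

FIELD_COUNT = {"hash": 4, "11g10g": 5}


@dataclass
class Record:
    username: str
    legacy_hash: str
    hash_11g: Optional[str]   # None in "hash" mode; "" when the account has no 11g hash
    sid: str
    server: str


def parse_line(line: str, mode: str = "hash") -> Optional[Record]:
    """Parse one dump line; None for blank lines, ValueError if malformed."""
    if mode not in FIELD_COUNT:
        raise ValueError(f"unknown mode {mode!r}")
    line = line.strip()
    if not line:
        return None
    fields = line.split(":")
    if fields[-1] == "":           # the documented formats end with a trailing ':'
        fields.pop()
    if len(fields) != FIELD_COUNT[mode]:
        raise ValueError(f"expected {FIELD_COUNT[mode]} fields, got {len(fields)}: {line!r}")
    if mode == "hash":
        username, legacy, sid, server = fields
        hash_11g: Optional[str] = None
    else:
        username, legacy, hash_11g, sid, server = fields
    if not username:
        raise ValueError(f"empty username: {line!r}")
    if not LEGACY_HASH_RE.match(legacy):
        raise ValueError(f"bad legacy hash for {username}: {legacy!r}")
    if hash_11g and not HASH_11G_RE.match(hash_11g):
        raise ValueError(f"bad 11g hash for {username}: {hash_11g!r}")
    return Record(username, legacy, hash_11g, sid, server)


def audit(lines: Iterable[str], mode: str = "hash") -> Dict[str, List[str]]:
    """Classify every line: parsed user names, malformed lines, legacy-only accounts."""
    report: Dict[str, List[str]] = {"parsed": [], "malformed": [], "legacy_only": []}
    for lineno, raw in enumerate(lines, 1):
        try:
            rec = parse_line(raw, mode)
        except ValueError as exc:
            report["malformed"].append(f"line {lineno}: {exc}")
            continue
        if rec is None:
            continue
        report["parsed"].append(rec.username)
        if mode == "11g10g" and not rec.hash_11g:
            report["legacy_only"].append(rec.username)   # case-insensitive hash only
    return report


# Constructed sample dump in 11g10g format (the 11g value is made up).
SAMPLE_11G = [
    "AAAA:C2977AC2A123F7BA:" + "A" * 40 + "B" * 20 + ":ORCL:ora11g:",
    "OLDUSER:F894844C34402B66::ORCL:ora11g:",   # no 11g hash: legacy only
    "BROKEN:NOTHEX:ORCL:ora11g:",               # wrong field count for this mode
    "",
]

if __name__ == "__main__":
    for key, items in audit(SAMPLE_11G, "11g10g").items():
        print(f"{key}: {items}")
```

Run it against the output of the 11g query above to see which accounts were never given an 11g hash (typically accounts whose password was last set before the upgrade); those are the ones to expire first.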
Future plans
There are better tools out there like hashcat, which can use GPUs for certain oracle hashes. This tool won’t be developed further.
This was an early release.
Speed comparison table
The program is quite fast on a multi-core CPU because it is multithreaded. On a single-core CPU orabf is faster.
                 | Dictionary1 | Dictionary2 | Bruteforce1 | Bruteforce2
-----------------|-------------|-------------|-------------|------------
orabf 0.7.6      | 4s          | 10s         | 16s         | 415s
woraauthbf 0.2   | 3s          | 5s          | 12s         | 302s
woraauthbf 0.22  | 3s          | 5s          | 10s         | 256s
checkpwd 1.22    | 8s          | 17s         | none        | none
orabf 0.7.6      | 311994c/s   | 301072c/s   | 742586c/s   | 744375c/s
woraauthbf v0.2  | 515114c/s   | 618137c/s   | 990114c/s   | 1022899c/s
woraauthbf v0.22 | 515114c/s   | 618137c/s   | 1235663c/s  | 1254970c/s
checkpwd 1.22    | 193168c/s   | 181805c/s   | none        | none
Test machine: IBM Thinkpad T60 (1.86 MHZ Dualcore)
The password_file.txt comes from the release of Alex Kornbrust's excellent tool checkpwd.
Bruteforce1: charset alpha, length 5, SCOTT:F894844C34402B66:::
Bruteforce2: charset alpha, length 6, SCOTT:F894844C34402B66:::
Dictionary1: password_file.txt, SCOTT:F894844C34402B66:::
Dictionary2: password_file.txt.2, SCOTT:F894844C34402B66:::