RE: Oracle password cracker

From: Wozny, Scott (swozny@mhtny.com)
Date: Mon Jan 28 2008 - 12:39:28 EST


I've had to do this before, and while there's no import function, I found
that knowing your way around Notepad and Excel can make it significantly easier
than using the GUI to do it one by one. Here are my cheat sheet notes from
an audit I conducted in a previous life; hope you can get some use out of
them.

- Add 1 hash using the GUI and then shut down Cain. Then, in the Cain
directory, there is a file called ORACLE.LST you can open with Notepad and
use the format of the line added from the GUI as a guide to add additional
hashes. This can be done in Excel with the CONCATENATE function, but I
usually just put on some mindless techno and cut and paste back and forth in
Notepad (find and replace works well for inserting the requisite semicolons
as field separators as well).
- Once you've updated the ORACLE.LST file, save and close, and then you can
fire up Cain again to run the brute force checker with all caps, numbers and
symbols up to X characters to detect passwords not in compliance.

Also, Pete Finnigan's website has a lot of great Oracle security resources
and should be required reading to audit an Oracle database. He also has an
extensive collection of well known accounts and their hashes. Very much
worth reading.

Good luck,

Scott
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of ahgaber_rehan@yahoo.com
Sent: Friday, January 25, 2008 3:26 AM
To: pen-test@securityfocus.com
Subject: Oracle password cracker

Hi All ,

I am auditing an Oracle DB. I have requested the DBA to extract all password
hashes in a text file, and I have the list. Does anybody have a tool which can import the
file and verify the hashes against my dictionary?

I have Cain, but I couldn't find the option to import the list of
passwords; it's done 1 by 1.

regards,

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:22 EDT