   C script to generate hash value for Oracle 11g sha
   Author  Topic: C script to generate hash value for Oracle 11g sha  (Read 4916 times)
Pete Finnigan
PeteFinnigan.com Administrator
C script to generate hash value for Oracle 11g sha
« on: Dec 25th, 2008, 2:37am »

I wrote one C script to generate the hash value for the Oracle 11g sha1 algorithm.
 
@>alter user system identified by p1;
User altered.
 
@>select NAME,PASSWORD,SPARE4 from user$ where NAME='SYSTEM';
NAME      PASSWORD                SPARE4
--------- ----------------------- --------------------------------------------------------------
SYSTEM    2E1168309B5B9B7A        S:09043B9ABFA366DF41DD16DE6768FDC04C57EF1374E0B04DAC8616716074
 
 
[oracle@chen src]$ cat orapw11g.c
#include <openssl/sha.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#define SALT_LEN 10
#define HASH_LEN 20
 
/********************************************************
Function: Generate password hash value for Oracle 11g
Author: Yaping Chen
Email: yaping123@gmail.com
Blog: yaping123.wordpress.com
Revised: Yaping Chen, 2008/10
Comment: Compiled with gcc 3.2.3 on RHEL 4
*********************************************************/
 
int main(int argc,char *argv[])
{
  unsigned char md[HASH_LEN];           /* raw SHA-1 digest */
  unsigned char saltstr[SALT_LEN + 1];  /* decoded salt bytes, NUL-terminated for printing */
  char c1[3];                           /* one hex pair of the salt, NUL-terminated */
  char c2[HASH_LEN * 2 + 1];            /* digest as hex text, NUL-terminated */
  unsigned char *data;                  /* password bytes followed by salt bytes */
  char *pwd;
  char *saltraw;
  size_t pwdlen;
  unsigned int n;
  int i;
 
  if (argc!=3) {
     printf("Parameters invalid.\nUsage:\n%s pwd salt(hex)\n\n",argv[0]);
     return -1;
  }
 
  pwd=argv[1];
  saltraw=argv[2];
  pwdlen=strlen(pwd);
 
  /* The salt must be exactly SALT_LEN bytes written as hex digits */
  if (strlen(saltraw) != SALT_LEN * 2 ||
      strspn(saltraw,"0123456789abcdefABCDEF") != SALT_LEN * 2) {
     printf("salt's length error, it must be %d in hex\n",SALT_LEN*2);
     return -1;
  }
 
  data=malloc(pwdlen + SALT_LEN);
  if (!data) {
     perror("malloc fail");
     return -1;
  }
 
  /* Convert the hex salt into raw bytes, two hex digits at a time */
  for(i=0;i<SALT_LEN;i++) {
     memcpy(c1,saltraw+i*2,2);
     c1[2]='\0';
     sscanf(c1,"%2X",&n);
     saltstr[i]=(unsigned char)n;
  }
  saltstr[SALT_LEN]='\0';
 
  /* Hash the password bytes followed by the salt bytes */
  memcpy(data,pwd,pwdlen);
  memcpy(data+pwdlen,saltstr,SALT_LEN);
  SHA1(data,pwdlen + SALT_LEN,md);
 
  printf("pwd:%s,\tsaltraw:%s,\tsaltstr:%s,\tsha1 value:\n",pwd,saltraw,saltstr);
  /* md is unsigned, so %02X always yields exactly two hex digits per byte */
  for(i=0;i<HASH_LEN;i++) {
     sprintf(c2+i*2,"%02X",md[i]);
  }
  printf("%s\n\n",c2);
  free(data);
  return 0;
}
 
[oracle@chen src]$ gcc orapw11g.c -lssl -o orapw11g
[oracle@chen src]$
[oracle@chen src]$
[oracle@chen src]$ ./orapw11g p1 74E0B04DAC8616716074
pwd:p1, saltraw:74E0B04DAC8616716074,   saltstr:tŕ°M??q`t,      sha1 value:
09043B9ABFA366DF41DD16DE6768FDC04C57EF13
[oracle@chen src]$
 
But this script has an issue when the password contains special symbols.
 

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
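
Added example, not part of the original post or thread: a Python check that splits a SPARE4 value of the form shown above ("S:" + 40 hex digest + 20 hex salt) and tests accounts against a short list of weak passwords during an audit. The function names, the UTF-8 password encoding and the APP and BROKEN rows are assumptions made for this illustration; only the SYSTEM value comes from the post.

```python
import hashlib
import hmac
import re

# SPARE4 layout shown in the post: "S:" + 40 hex (SHA-1 digest) + 20 hex (salt)
SPARE4_RE = re.compile(r"S:([0-9A-Fa-f]{40})([0-9A-Fa-f]{20})")
PAGE_SPARE4 = "S:09043B9ABFA366DF41DD16DE6768FDC04C57EF1374E0B04DAC8616716074"

def parse_spare4(value):
    """Return (digest, salt) as bytes, or raise ValueError on a malformed value."""
    m = SPARE4_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError("not an 'S:' + 60 hex digit verifier")
    return bytes.fromhex(m.group(1)), bytes.fromhex(m.group(2))

def sha1_verifier(password, salt, encoding="utf-8"):
    """SHA1(password || salt). The encoding is an assumption: it must match
    the bytes the database hashed, which matters for non-ASCII passwords."""
    return hashlib.sha1(password.encode(encoding) + salt).digest()

def make_spare4(password, salt):
    """Build a SPARE4-style string (used here only to construct sample data)."""
    return "S:" + (sha1_verifier(password, salt) + salt).hex().upper()

def check_password(password, spare4):
    digest, salt = parse_spare4(spare4)
    return hmac.compare_digest(sha1_verifier(password, salt), digest)

def audit(rows, weak_passwords):
    """List (user, password) pairs where an account uses a listed weak
    password or its own username; malformed verifiers are skipped."""
    findings = []
    for user, spare4 in rows:
        for candidate in [user, user.lower()] + list(weak_passwords):
            try:
                if check_password(candidate, spare4):
                    findings.append((user, candidate))
                    break
            except ValueError:
                break
    return findings

# Constructed sample rows: SYSTEM is the value from the post, the rest are made up.
ROWS = [("SYSTEM", PAGE_SPARE4),
        ("APP", make_spare4("long-Random-phrase-41", bytes(range(10)))),
        ("BROKEN", "S:1234")]

if __name__ == "__main__":
    print(audit(ROWS, ["p1", "manager", "welcome1"]))
```

Because the salt is stored in clear next to the digest, anyone who can read user$ can run this kind of check offline, which is why access to that table should be restricted.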
Pete Finnigan
Re: C script to generate hash value for Oracle 11g
« Reply #1 on: Nov 6th, 2009, 11:53am »

hi;
 
Is there a script or tool that generates a password hash for a given username for Oracle 10g?
 
Thx.
 
turgay.
Pete Finnigan
Re: C script to generate hash value for Oracle 11g
« Reply #2 on: Nov 9th, 2009, 9:33am »

Hi,
 
Yes, there are lots of options. You can download woraauthbf, which includes the C source code; it's a complete password cracker for Oracle. There is also orabf, which includes a binary cracker for Oracle but also a tool called "oraclehash" that generates a single hash for a user. There are links to these tools available on my Oracle security tools page http://www.petefinnigan.com/tools.htm
 
You can also use my PL/SQL function to generate a hash for a user/password that is passed in. This is simple, source code is included and you can find it here - http://www.petefinnigan.com/testpwd.sql
 
Kind regards
 
Pete