Use orabf to crack Oracle user’s password

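I saw a thread on PUB asking how to recover a forgotten Oracle user password. The poster on the 8th floor simply posted a cracking tool, so I set out to learn it.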

The orabf tool can be used for cracking. Tool description:

Orabf is an extremely fast offline brute force/dictionary attack tool that can be used when the particular username and hash are known for an Oracle account.  Obviously the speed of the brute force attack slows down the longer the amount of characters that it is trying to brute force with but for short username/hash combinations it can be over a million tries per second.

Command Syntax

C:\orabf-v0.7.5>orabf [hash]:[username] [options]
Options:

-c     [num] complexity: a number in [1..6] or a filename
       -      read words from stdin
       [file] read words from file
       1 numbers
       2 alpha
       3 alphanum
       4 standard oracle (alpha)(alpha,num,_,#,$)… (default)
       5 entire keyspace (' '..'~')
       6 custom (charset read from first line of file: charset.orabf)
-m [num] max pwd len: must be in the interval [1..14] (default: 14)
-n [num] min pwd len: must be in the interval [1..14] (default: 1)
-r resume: tries to resume a previous session

Test:

F:\awrtmp>sqlplus / as sysdba 
SQL*Plus: Release 11.2.0.1.0 Production on 星期一 8月 29 08:20:55 2011 
Copyright (c) 1982, 2010, Oracle.  All rights reserved.
连接到: 
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production 
With the Partitioning, OLAP, Data Mining and Real Application Testing options 
SQL> set pages 1000 lines 100 
SQL> select username,password from dba_users where username='MARSHALL';
USERNAME                       PASSWORD 
------------------------------ ------------------------------ 
MARSHALL

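Before Oracle 11g, the encrypted password could be read from the PASSWORD column of the DBA_USERS data dictionary view. In 11g, however, the PASSWORD column no longer shows the password content.
So how can the user's encrypted password be obtained now?
Check the SYS.USER$ base table: the hashed value can still be found in the password column of the base table.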

SQL> select name,password from user$ where name='MARSHALL';
NAME                           PASSWORD 
------------------------------ ------------------------------ 
MARSHALL                       A76A8C6CF0E4D786 
AGA                            1249697BA47A5831

 

After obtaining the user's encrypted password, crack it with the orabf tool:

SQL> exit 
从 Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production 
With the Partitioning, OLAP, Data Mining and Real Application Testing options 断开
F:\awrtmp>orabf A76A8C6CF0E4D786:marshall
orabf v0.7.6, (C)2005 [email protected] 
---------------------------------------
F:\awrtmp>orabf 1249697BA47A5831:aga
orabf v0.7.6, (C)2005 [email protected] 
--------------------------------------- 
Trying default passwords... 
password found: AGA:AGA

 

Cracking the SYS password: only an excerpt is shown, and the tool was not up to it.

F:\awrtmp>orabf 75800913E1B66343:sys
orabf v0.7.6, (C)2005 [email protected] 
--------------------------------------- 
Trying default passwords...warning: couldn't open default.txt...done
Starting brute force session using charset: 
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_
press 'q' to quit. any other key to see status
current password: W4FP 
1355425 passwords tried. elapsed time 00:00:01. t/s:1200485
current password: AF9OO 
2609079 passwords tried. elapsed time 00:00:02. t/s:1172026
current password: ANZZY 
3123616 passwords tried. elapsed time 00:00:02. t/s:1182225
current password: B34FK 
4202732 passwords tried. elapsed time 00:00:03. t/s:1201398
current password: BDZJ8 
4843217 passwords tried. elapsed time 00:00:04. t/s:1208017
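
Why the SYS run above gets nowhere, worked out as an added example (not part of the original post and not orabf code): it averages the t/s figures from the session and computes how long exhausting the printed charset takes for each maximum password length, which is the number that matters when setting a minimum length policy. It assumes, from the complexity-4 description "(alpha)(alpha,num,_,#,$)", that the first character is a letter and every later character comes from the whole charset.

```python
import re

# Charset orabf printed for the default complexity 4 (copied from the session above).
CHARSET = "#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_"
# Status lines copied from the SYS session above.
STATUS_LINES = """\
1355425 passwords tried. elapsed time 00:00:01. t/s:1200485
2609079 passwords tried. elapsed time 00:00:02. t/s:1172026
3123616 passwords tried. elapsed time 00:00:02. t/s:1182225
4202732 passwords tried. elapsed time 00:00:03. t/s:1201398
4843217 passwords tried. elapsed time 00:00:04. t/s:1208017
"""
STATUS_RE = re.compile(r"\d+ passwords tried\. elapsed time [\d:]+\. t/s:(\d+)")

def mean_rate(text):
    """Average the t/s figures reported in orabf status lines."""
    rates = [int(m.group(1)) for m in STATUS_RE.finditer(text)]
    if not rates:
        raise ValueError("no orabf status lines found")
    return sum(rates) / len(rates)

def keyspace(length, charset=CHARSET):
    """Candidates of exactly `length` chars (assumption: letter first, then any charset char)."""
    letters = sum(c.isalpha() for c in charset)
    return letters * len(charset) ** (length - 1)

def worst_case_seconds(max_len, rate):
    """Time to exhaust every candidate of length 1..max_len at `rate` tries/s."""
    return sum(keyspace(n) for n in range(1, max_len + 1)) / rate

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    rate = mean_rate(STATUS_LINES)
    for n in (4, 6, 8, 10, 12, 14):
        print(f"max length {n:2d}: {humanize(worst_case_seconds(n, rate))}")
```

Every extra character multiplies the work by 39, so the estimate moves from seconds at length 4 to years well before the 14-character maximum.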

 

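Marshall's password was not cracked, and the SYS run produced a great many results, but AGA's password was cracked.
In any case, this tool is fairly interesting to play around with.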

orabf download address: http://www.redoracle.com/index.php?option=com_remository&Itemid=82&func=startdown&id=26

References:

"What to do if you forget your sqlplus password?" http://www.itpub.net/thread-1475613-1-1.html

"orabf" http://www.vulnerabilityassessment.co.uk/orabf.htm

"Oracle password cracking: using orabf to crack Oracle passwords" http://space.itpub.net/13804621/viewspace-368835
