Ask The Oracle Expert: Questions & Answers

How to decrypt an Oracle password using John the Ripper and checkpwd

EXPERT RESPONSE FROM: Brian Fedorko

QUESTION POSED ON: 26 August 2009
How can I decrypt the user's password in Oracle 10g which is already in an encrypted format?


It can be a bit tricky to decrypt an Oracle password. Before we head down this road, you may want to consider alternate ways of accomplishing your goals. Determining if you can access the schema by logging in as a privileged user and simply changing the password to a known value will save you hours of work. If that is not possible or unfeasible, you may want to try getting in via another, standard account (check for default passwords) and attempt privilege escalation. If that doesn't work, we still have options in 10g.

In Oracle 10g and all previous versions, the password is not encrypted at all. It is simply a DES hash that is salted with the username, both of which can be found quite easily in the DBA_USERS view. DES strength is based more on the length of the hashed password than the complexity (which is hobbled by the passwords being converted to capital letters, and there are also some special characters that cannot be used). In Oracle 11g, if backwards compatibility is not necessary, SHA-1 is used exclusively, uses an unlisted salt, and is a much harder nut to crack.

Unfortunately, hashing is a one-way trip. When your password is authenticated, your plain text password isn't compared. Instead, your submission is run through the same hashing algorithm, and the results are compared. If the hash of your submission and the stored hash match, you are authenticated. This means that there is no recovering of keys to unencrypt the password; the most effective method of cracking the hash is to guess the password. Luckily, these days we can generate a lot of guesses per second.

Your best bet is to use one of the very effective Oracle password crackers available, such as Red-Database-Security.com's Checkpwd or John the Ripper. Both are free and work on nearly every platform/OS. CheckPwd uses a dictionary attack and given the dictionary files available (you can always tailor your own as well), it is very effective. John the Ripper has both dictionary and brute force attacks. A well-crafted dictionary attack is often very productive and amazingly fast because of its focused nature. If brute force is used on a modern desktop system, it will crack passwords under six characters in anywhere from a few minutes to a couple of hours. Any password over eight characters will take a few days.

I hope this helps you out, and I wish you the best of luck!
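
The defender's side of the answer above, as an added example that is not part of the original response: a query that lists which accounts still store the 10g-style hash or a known default password. It assumes Oracle 11g or later, where `DBA_USERS.PASSWORD_VERSIONS` and the `DBA_USERS_WITH_DEFPWD` view exist, and a session allowed to read the `DBA_*` views.

```sql
-- Added example: audit accounts for the weaknesses discussed in the answer.
-- Assumption: Oracle 11g or later (PASSWORD_VERSIONS and DBA_USERS_WITH_DEFPWD
-- are not available in 10g) and SELECT privilege on the DBA_* views.
SELECT u.username,
       u.account_status,
       u.profile,
       u.password_versions,
       -- DBA_USERS_WITH_DEFPWD lists accounts whose password is still a
       -- well-known default value.
       CASE WHEN d.username IS NOT NULL THEN 'YES' ELSE 'NO' END
         AS default_password,
       CASE
         WHEN d.username IS NOT NULL
           THEN '1 - default password still set'
         -- A '10G' entry means the case-insensitive, username-salted
         -- hash is still stored for this account.
         WHEN u.password_versions LIKE '%10G%'
           THEN '2 - 10g-style hash present'
         -- No verifier at all, e.g. externally or globally authenticated.
         WHEN TRIM(u.password_versions) IS NULL
           THEN '4 - no password hash stored'
         ELSE '3 - newer hash only'
       END AS finding
FROM   dba_users u
       LEFT JOIN dba_users_with_defpwd d
              ON d.username = u.username
-- Locked and expired accounts are kept in the result on purpose:
-- their stored hashes can still be read by anyone with access to them.
ORDER  BY finding, u.username;
```

Rows with finding 1 or 2 are the accounts most exposed to the guessing attacks described in the answer, so they are the first candidates for a password change and a review of who can read the stored hashes.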




All Rights Reserved, Copyright 2003 - 2009, TechTarget