Penetration Testing mailing list archives
RE: Oracle password cracker
From: "Wozny, Scott" <swozny () mhtny com>
Date: Mon, 28 Jan 2008 12:39:28 -0500
I've had to do this before and while there's no import function, I found knowing your way around Notepad and Excel can make it significantly easier than using the GUI to do it one by one. Here are my cheat sheet notes from an audit I conducted in a previous life; hope you can get some use out of them.

- Add 1 hash using the GUI and then shut down Cain. Then, in the Cain directory, there is a file called ORACLE.LST you can open with Notepad and use the format of the line added from the GUI as a guide to add additional hashes. This can be done in Excel with the CONCATENATE function but I usually just put on some mindless techno and cut and paste back and forth in Notepad (find and replace works well with inserting the requisite semicolons as field separators as well).

- Once you've updated the ORACLE.LST file, save and close and then you can fire up Cain again to run the brute force checker with all caps, numbers and symbols up to X characters to detect passwords not in compliance.

Also, Pete Finnigan's website has a lot of great Oracle security resources and should be required reading to audit an Oracle database. He also has an extensive collection of well-known accounts and their hashes. Very much worth reading.

Good luck,

Scott

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of ahgaber_rehan () yahoo com
Sent: Friday, January 25, 2008 3:26 AM
To: pen-test () securityfocus com
Subject: Oracle password cracker

Hi All,

I am auditing Oracle DB, I have requested the DBA to extract all password hashes in a text file, I have the list, anybody have a tool which can import the file and verify the hashes against my dictionary?

I have Cain, but I couldn't find the option to import the list of passwords, it's done 1 by 1.

regards,

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Current thread:
- Oracle password cracker ahgaber_rehan (Jan 25)
- Re: Oracle password cracker Ti (Jan 28)
- Re: Oracle password cracker Rory McCune (Jan 28)
- Re: Oracle password cracker Rodrigo Montoro (Sp0oKeR) (Jan 28)
- Re: Oracle password cracker Marco Ivaldi (Jan 28)
- RE: Oracle password cracker Wozny, Scott (Jan 28)
- <Possible follow-ups>
- Re: Oracle password cracker techlists (Jan 29)