How to Cracking Oracle 11g

Download Windows Binary: thc-orakelcrackert11g.tar.gz

OrakelCrackert 1.00 released 20070926
OrakelCrackert is an Oracle 11g database password hash cracker using a 
weakness in the Oracle password storage strategy. With Oracle 11g, case 
sensitive SHA1 based hashing is introduced. Storing passwords in a case 
sensitive way introduces more possible password combinations so 
password cracking takes longer. For example, the number of possible 
password combinations using a password generated out of the character 
set "[a-z][A-Z][0-9]#$_" where passwords start with a alpha character 
using is 52/65 * 65 ^ passlength. For an 8 position password this means 
254.915.850.312.500 combinations.

Since Oracle is still storing the DES based password hashes, an attack 
much faster than brute forcing can be launched for most (not all) 
passwords. To do so:

1 - Get both the Oralce < 11g and 11g password hash, for example by 
executing the query "select user, password, spare4 from sys.user$ where 
username = ".

2 - Crack the old DES based password hash (field "password") which is 
generated using the upper case version of the mixed case password 
(note: this is not applicable to all possible passwords in Oracle 11g).

3 - If the upper case password is found, calculate the SHA1 result of 
the ASCII value of the password followed by the salt (nibble 41-60 of 
field SPARE4) to the SHA1 based password hash (nibble 1-40 of field 
SPARE4). Do this for every upper/lower case combination possible until 
you have got a match.

4 - Voila!

Using a password generated out of the character set 
"[a-z][A-Z][0-9]#$_" where passwords start with a alpha character 
(currently supported by OrakelCrackert), the number of password 
combinations shrinks to 26/39 * 39 ^ length (= step 2) + 2 ^ length (= 
step 3). A full brute force for an 8 position password will now at 
maximum 'just' take 3.568.006.173.910 tries. This is about 77 times 
less than the original value.

select name, password, spare4 from sys.user$ where name = 'THC';


With real-life data:
USER_PASS = ASCII(THC + THC#) = 0x54484354484323
PASS_UPPER = ORACLEHASH(0x54484354484323) = 0x435D0D3C8468DBC4
FOR LOOP (only the correct guess):
	PASS_SALT = ASCI(tHC# + 0x02B03D5D74B6841CEA2E) = 
	GUESSED_CASE = SHA1(0x7448432302B03D5D74B6841CEA2E) = 
	IF(0xD39F4CC16573323279E5E4E16D359D6C55DCC092 == 

How to use Hydra

Say you have wireless router to which you have forgotten the password. The easiest thing to do in this case is
to reset the router to factory defaults. However if you have a lot of custom settings and your backup is
nonexistent, out-dated, corrupted, or the backup restored a password which you do not remember, you can
try a brute force attack on the router. From Hydra currently supports:
SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, SSH2, Teamspeak, Cisco auth, Cisco enable,
Cisco AAA (incorporated in telnet module)
For the sake of this document I will use a Linksys WRT54GL, hardware v1.1, Linksys firmware 4.30.11 and
dd-wrt v2.4sp1. The first thing you have to do is find out if the device uses a username AND password to
login. Several devices only require a password to login into the device as admin, root, system, etc. The easiest
way to find this out is to goto the vendor’s website and download installation manual which willgive you this
information. For the Linksys firmware
boot BackTrack and login as root 1.
hydra -l “” -P wordlist.txt -f -v -e ns http-get /
-l is for a username which is null in this case
-P is a wordlist of passwords to try
-f stop hydra when it finds the password
-v is for verbose
-e try no password and password the ip address of the device one of the currently supported options is the IP of the AP
http-get is the correct option to this AP
/ is where you have to put in the username and password. In this case you have to put in the username
and password before you can do anything. You will have to figure this out for yourself as each device is
some other option you may need are:
-t TASKS run TASKS number of connects in parallel (default: 16)
You may have to adjust this number down as larger numbers may cause the router to crash or
misbehave. I usually use 10.
-v / -V verbose mode / show login+pass combination for each attempt
As I said earlier, http-get is the correct option for my Linksys AP (with the factory firmware). When you goto
the AP website a dialog box opens and prompts for a username and password. Each AP is different and as
Cracking Passwords Version 1.1 file:///D:/password10.html
23 of 45 2/15/2010 3:48 PM
such you will have to change options as RaginRob found out. The following is a slightly modified version
from his tutorial.
I recently started playing around with Hydra and tried to hack my router. After searching the forum and
googling around a while I noticed that there are only some howto’s for routers that have http-auth
authentication. That is, when you go to e.g. and before showing anything you have to enter login
and password in a popup. My router (T-Com Sinus 154 DSL Basic 3) and many others I’ve dealt with so far
work differently. When I want to login to my router, I have to go to, a web interface with a
password field shows up, and I have to enter the password which is then checked by /cgi-bin/login.exe via
It was quite tricky to find out how to use this authentication with hydra, so I guess there are some of you that
can benefit from this. I’ll describe how I did it, so you can adapt the method and use it with your own router.
First of all I examined the login page of the web interface. Be sure to look at the frame source and not the
frameset. You should see the form and the action, here’s what I saw:
The form is defined as:
<form name=”tF” method=”post” action=”/cgi-bin/login.exe” onSubmit=”evaltF();”>
Somewhere in the form there will be the field that takes the password:
<input type=”password” name=”pws” class=”stylepwd” size=”12″ maxlength=”12″>
This is probably the most important data you need. You need to write down the field name (“pws” in my
case). The size attribute comes in very handy too because it tells us that the password’s max length is 12
After that I tried to get familiar with Hydra’s options. I figured out that you needthe following options:
hydra -l “” -P passwords.txt -t 1 -f -v -V http-post-form /cgi-bin
-l Sets the login name. In the end I don’t need a login name but hydra gets kind of pissed when you don’tpass
something, so I gave an empty string.
-P The wordlist to use for the password
-t 1 task only, not really necessary, I just wanted to make sure Hydra doesn’t choke on too many requests -f
Hydra shall stop when a working password is found
-v be verbose. and even more. I skipped that in the final version but it’s ok for debugging is victim’s ip
http-post-form the method to use
This is the most important part. Here we tell Hydra what to pass the passwords to. The argument consists of
three parts separated by “:”.
The first part is the script that takes the POST data, we found that in the frame source above.
The second part is the field name of the password field with an added =^PASS^. ^PASS^ is the variable that
hydra substitutes with the passwords in the wordlist.
The third part is the “incorrect” condition. Hydra has to find out somehow if the current password that was
send to the router is correct or not. You have to find a string that is actually IN A NEGATIVE RESPONSE
from the router. As we don’t have the password yet we can’t know what the router will send if the password is
correct, therefore we have to check if it is NOT, which we can find out easily. To find out what the router
sends back to hydra I used Wireshark.
Cracking Passwords Version 1.1 file:///D:/password10.html
Open up wireshark, go to the router login page, start capturing and then login with a wrong password. After
that, stop capturing and apply a “http” filter. You will see the POST data sentfrom hydra to the router (you
should also see the “pws=blabla” in the details, that’s where hydra sends the passwords from the wordlist).
Below that you’ll find the router answer. In my case it says something like “This page has moved to
loginpserr.htm” packed in some basic HTML. So I used the string loginpserr.htm to validate the .. uhm…
faultyness. OMFG %-]
Hydra will consider a password as CORRECT when the router answer DOES NOT contain the given string.
So be sure to take an expression that somehow sounds like “incorrect” or “wrong”. If you took “the” for
example, and the POSITVE response would be something like “the password you entered was correct”, hydra
will not recognize it as correct but incorrect.
If your router does not only need a password but also a username, you can easily add the according login
name to the last part. So if you need to send the field “login” or whatever it is called in your case with the
value “admin” as the only username you could use
When you need to try a whole username list then you can specify the list via
-L usernames.txt
For dd-wrt do
boot BackTrack and login as root 1.
hydra -l admin -P wordlist.txt -f -e ns http-get /login.asp
-l is for a username which is admin in this case. dd-wrt allows the user to chose the username that is
require to login to the device so it could be anything.
-P is a wordlist of passwords to try
-f stop hydra when it finds the password
-v is for verbose
-e try no password and password the ip address of the device one of the currently supported options is the IP of the AP
http-get is the correct option to this AP
/ is where you have to put in the username and password. In this case you have to put in the username
and password before you can do anything. You will have to figure this out for yourself as each device is
some other option you may need are:
-t TASKS run TASKS number of connects in parallel (default: 16)
You may have to adjust this number down as larger numbers may cause the router to crash or
misbehave. I usually use 10.
-v / -V verbose mode / show login+pass combination for each attempt

END of hydra

How to use my MySQL Server”Basics”

MySQL is a database to store the user information MySQL is free and Opensource  it is very easy to use,SQl stand for “structure query language.”

What is Database ?

This is one of the hardest topic to define but i will enplane you as easy as possible lets go, imagine an excel sheet on your mind then divide them into rows and columns and give the row a name like a,b,c,d and give the columns 1,2,3,4 then i want you to store “apple” in a1 if you did it then when you need a apple you would go to a1. this is like an array where the data is stores in specific memory and then pointing that memory to access that data.if you understand this then you know what is a database, a database is used to store large amount of data then application or web pages  use that database to access that data,a user can store there picture,music in a database a user can also password protect the data in a database.

How to install Mysql ?

To install MySQL Server on a windows here is the process you can choose your platform.

  • Download MySQL by visiting here .
  • Download the MySQL windows installer.
  • after Downloading install it on the computer.
  • Locate the directory where MySQL is installed and open it up.

after the above process it would open a console window ,type in password if you have entered any  in the installation lets get started to use MySQL first enter the “help” command basically it will print the list of MySQL commands. To see the Databases enter this command “show databases;”   remember to put semi-colon at the end of the command or statement because it means the command or statement has ended.after typing this command you will see some databases that are created to use these databases we will use the “use” command and the name of the database(e.g. use test).to see tables inside the database we will use the “show tables;” remember we are using the test database, To see which database are you using use the “status;” command to see the current status of the database.under the current database you can see your current database that you are using.this command also shows which database server are you using which TCP port are you using and many more create a database we will use “create database” command and the name of the database (e.g.”create database hello;”) this will create a hello database to see your database type the “show databases” command,To delete a database we will use the “drop database” command and the name of the database(e.g.”drop database hello“)this will completely remove every thing of the database that you have chosen remember to use this command with use our database that we have created we will then again use the “use” command.Let’s create a Table if you don’t know what is a table you can think of this way think a folder is a database and the files inside that folder are tables,to create a table we will use the ‘create’ command,(e.g.”create table infor (name varchar(25), address varchar(100), age int, pnumber varchar(12));”)so it will create a fields named info and inside that it will create varchar(variable character) which is 25 character long and it will create another varchar which is 100 character long then  int(integer) age and then varchar which is 12 character see your tables that you have created type the “show tables” command it will the show your tables.if you want to see the content of  the infor table use the “describe” command and the name of the table(e.g.”describe infor;”)to erase a table we will use the “drop” command and the name of the table(e.g.”drop table infor”).to insert something in to a table for example our name, address etc.. we will use the “insert into” command and the name of the table.(e.g.”insert into infor values (“sik”, ” fake address”, 14, “5555-555-103”); “) remember string would be in quotes.after that we will select every thing using the “select * from” command and the name of the table(e.g.”select * from infor“) it will basically select every thing from infor table that is inside the “hello” database.if you want to see only address not the name and any other fields the we will use “select”command name of the field and the table name (e.g.”select address from infor”)it will echo the address that is stored in delete something from the table we will use the “delete from” command and table name then we will type “where” and the name of the field which is equal to content in the field.(e.g.”delete from infro where address=” fake address”).then enter this command “select * from infor” to see if the fake address has deleted or not.

End of MySQL Basics.

How to crack a WPA encypted wifi Network.

 To crack a WPA encrypted wifi Network to use free Internet, you will need is compatible wifi card and backtrack 5.
First download Backtrack 5 from here.
Download the iso and burn it into a DVD or you can run on virtual Machine in this case i am using Vmware to Run backtrack.

So run the backtrack 5 after that you will see the Desktop then open command terminal and type “airmon-ng” this command will show your interface driver and chip set of your network card.

Then type this command “airmon-ng start wlan0” wlan0 is the name of my interface.

Then you will see at the bottom left corner (monitor mode enable on mon0) so i am using mon0 as my interface after that type this command “airodump-ng mon0” then i will start scanning for wifi networks, after that you will see bssid  channel, encryption, essid etc. my essid is “homenet” your will be different after that type this command “airodump-ng -c (channel) -w (file name) –bssid (bssid) mon0” type your bssid, channel and filename
e.g. airodump-ng -c 3 -w wep –bssid 00:18:01:a7:c0:00 mon0
then press enter

then data will flow slowly so to boost the data,
open up a new command terminal and type “aireplay-ng -1 0 -a (bssid) mon0” if you have strong signals coming from the wifi card the you will see this Association Successful

then type this “aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b (bssid) mon0” then data will flow much faster if you see Use this  packet press y and press enter,

after that open a another command terminal and type “aircrack-ng (filename)*.cap” and press enter, then it will try to crack it now. Then it will say Key found and the key is 12:34:56 coll ans are not the part of the password so remove it.

so Know you have the wireless password Remember to use this Knowledge for good not for evil be ethical.

Commands that i have used

2)airmon-ng start wlan0
3)airodump-ng mon0
4)airodump-ng -c (channel) -w (file name) –bssid (bssid) mon0
5)aireplay-ng -1 0 -a (bssid) mon0
6)aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b (bssid) mon0
7)aircrack-ng (filename)*.cap

How to use linux Commands.

To use Linux commands you need to understand the Linux command terminal or Linux Shell as some say, to start using Linux commands open the Shell or the command terminal you would see a console window in that window you type the Linux commands to do your works some Linux commands are as fallows.


File Commands

  • ls – Directory listing
  • ls -al -Show listing with hidden files
  • cd dir – change directory to dir
  • cd- change to home
  • pwd – show current directory
  • mkdir file – create a directory with a name file
  • rm file – remove a file
  • rm -r file – delete a directory file
  • cp file1 file 2 – copy file1 to file2
  • touch file – create a file
  • cat > file – places stander input into file

System Commands

  • date – show the current date and time
  • cal -show the calender
  • uptime – show current up time
  •  w – display who is online
  • whoami – who you are logged in as
  • finger user – display information about user
  • uname -a – show kernel information
  • cat /proc/cpuinfo – shows cou information
  • cat /proc/meminfo – shows memory information
  • man command – shows manual of a command
  • free – show memory and swap usage

Net Work

  • ping host – ping host and output the results
  • whois domain – get the information for the domain
  • dig domin – get DNS information for the domain
  • wget -x host – reverse look up host
  • wget file – download a file
  • wget -c file – continue a stopped download


  • install from source file
  • ./configure  – software configurations
  • make
  • make install – install the software
  • dpkg -i pkg.deb – install a debian package
  • rmp -uvh pkg.rpm – install a package (Rpm)

Process management


  • ps – display currently active processes
  • top – display all  running processes
  • kill – kill process
  • killall – kill all process

Search Commands

  •  grep pattern files – search for patterns in files
  • locate file – find all instances of files

PHP Data Types Variable

data type is a classification identifying one of various types of data, such as real-valued, integer or Boolean, that determines the possible values for that type.

Data type in php are very useful when we start knowing the language the first data type that we would use is “variable” a variable is symbolic representation of a value as name represent it can change or varies a variable start with a dollar sign “$” and the name of the variable.(e.g $variable = 22;) in this code i have set variable equal to an integer which is 22 and semi colon to end the statement.a variable can be written i many different ways some are as fallows






Remember these are case sensitive meaning if you write $variable and use this variable in your code and start the variable with a capital V $Variable it give an error because php doesn’t know what variable are you talking about so remember not to make this mistake.lets write an variable example code


$var1 = 3;

$var2 = 2;

echo $var1;


in the above code i created a variable $var and $var2 and set the value to 3 & 2 this code will echo or print the value that is inside in var1.

but if you write this code


$var1 = 3;

$var2 = 2;

echo $var1 . $var2;


in the above code i have added a $var1 and $var2 together with a point sign “.” this will add the value of variables and print it on the screen the output will be 5.remember this is an variable so we can change to what ever we want.

in the next example i have set the variable to an string


$var1 = “This is “;

$var2 = “String”;

echo $var1 . $var2;


this code will add the string an give the output “This is String” because we have coordinated the string.