How to Cracking Oracle 11g


Download Windows Binary: thc-orakelcrackert11g.tar.gz

OrakelCrackert 1.00 released 20070926
=====================================
OrakelCrackert is an Oracle 11g database password hash cracker using a 
weakness in the Oracle password storage strategy. With Oracle 11g, case 
sensitive SHA1 based hashing is introduced. Storing passwords in a case 
sensitive way introduces more possible password combinations so 
password cracking takes longer. For example, the number of possible 
password combinations using a password generated out of the character 
set "[a-z][A-Z][0-9]#$_" where passwords start with a alpha character 
using is 52/65 * 65 ^ passlength. For an 8 position password this means 
254.915.850.312.500 combinations.

Since Oracle is still storing the DES based password hashes, an attack 
much faster than brute forcing can be launched for most (not all) 
passwords. To do so:

1 - Get both the Oralce < 11g and 11g password hash, for example by 
executing the query "select user, password, spare4 from sys.user$ where 
username = ".

2 - Crack the old DES based password hash (field "password") which is 
generated using the upper case version of the mixed case password 
(note: this is not applicable to all possible passwords in Oracle 11g).

3 - If the upper case password is found, calculate the SHA1 result of 
the ASCII value of the password followed by the salt (nibble 41-60 of 
field SPARE4) to the SHA1 based password hash (nibble 1-40 of field 
SPARE4). Do this for every upper/lower case combination possible until 
you have got a match.

4 - Voila!

Using a password generated out of the character set 
"[a-z][A-Z][0-9]#$_" where passwords start with a alpha character 
(currently supported by OrakelCrackert), the number of password 
combinations shrinks to 26/39 * 39 ^ length (= step 2) + 2 ^ length (= 
step 3). A full brute force for an 8 position password will now at 
maximum 'just' take 3.568.006.173.910 tries. This is about 77 times 
less than the original value.

Example:
========
select name, password, spare4 from sys.user$ where name = 'THC';
THC,435D0D3C8468DBC4,S:D39F4CC16573323279E5E4E16D359D6C55DCC09202B03D5D74B6841CEA2E

USER_PASS = ASCII(USER + GUESSED_PASS)
PASS_UPPER = ORACLEHASH(GUESSES_PASS)
FOR(ALL UPPER/LOWER CASE COMBINATIONS)
	PASS_SALT = ASCII(PASS + SALT)
	GUESSED_CASE = SHA1(PASS_SALT)
	IF(GUESSED_CASE == SPARE4)
		DONE!

With real-life data:
USER_PASS = ASCII(THC + THC#) = 0x54484354484323
PASS_UPPER = ORACLEHASH(0x54484354484323) = 0x435D0D3C8468DBC4
FOR LOOP (only the correct guess):
	PASS_SALT = ASCI(tHC# + 0x02B03D5D74B6841CEA2E) = 
0x7448432302B03D5D74B6841CEA2E
	GUESSED_CASE = SHA1(0x7448432302B03D5D74B6841CEA2E) = 
0xD39F4CC16573323279E5E4E16D359D6C55DCC092
	IF(0xD39F4CC16573323279E5E4E16D359D6C55DCC092 == 
0xD39F4CC16573323279E5E4E16D359D6C55DCC092)
		WE'VE GOT HIM!'

How to use Hydra

Say you have wireless router to which you have forgotten the password. The easiest thing to do in this case is
to reset the router to factory defaults. However if you have a lot of custom settings and your backup is
nonexistent, out-dated, corrupted, or the backup restored a password which you do not remember, you can
try a brute force attack on the router. From http://freeworld.thc.org/thc-hydra/. Hydra currently supports:
TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTPS-HEAD, HTTP-PROXY, LDAP2, LADP3,
SMB, SMBNT, MS-SQL, MYSQL, POSTGRES, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH,
SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, SSH2, Teamspeak, Cisco auth, Cisco enable,
Cisco AAA (incorporated in telnet module)
For the sake of this document I will use a Linksys WRT54GL, hardware v1.1, Linksys firmware 4.30.11 and
dd-wrt v2.4sp1. The first thing you have to do is find out if the device uses a username AND password to
login. Several devices only require a password to login into the device as admin, root, system, etc. The easiest
way to find this out is to goto the vendor’s website and download installation manual which willgive you this
information. For the Linksys firmware
boot BackTrack and login as root 1.
hydra -l “” -P wordlist.txt -f -v -e ns 192.168.1.1 http-get /
-l is for a username which is null in this case
-P is a wordlist of passwords to try
-f stop hydra when it finds the password
-v is for verbose
-e try no password and password the ip address of the device one of the currently supported options
192.168.1.1 is the IP of the AP
http-get is the correct option to this AP
/ is where you have to put in the username and password. In this case you have to put in the username
and password before you can do anything. You will have to figure this out for yourself as each device is
different.
2.
some other option you may need are:
-t TASKS run TASKS number of connects in parallel (default: 16)
You may have to adjust this number down as larger numbers may cause the router to crash or
misbehave. I usually use 10.
-v / -V verbose mode / show login+pass combination for each attempt
3.
As I said earlier, http-get is the correct option for my Linksys AP (with the factory firmware). When you goto
the AP website a dialog box opens and prompts for a username and password. Each AP is different and as
Cracking Passwords Version 1.1 file:///D:/password10.html
23 of 45 2/15/2010 3:48 PM
such you will have to change options as RaginRob found out. The following is a slightly modified version
from his tutorial.
I recently started playing around with Hydra and tried to hack my router. After searching the forum and
googling around a while I noticed that there are only some howto’s for routers that have http-auth
authentication. That is, when you go to 192.168.2.1 e.g. and before showing anything you have to enter login
and password in a popup. My router (T-Com Sinus 154 DSL Basic 3) and many others I’ve dealt with so far
work differently. When I want to login to my router, I have to go to 192.168.2.1, a web interface with a
password field shows up, and I have to enter the password which is then checked by /cgi-bin/login.exe via
http-post.
It was quite tricky to find out how to use this authentication with hydra, so I guess there are some of you that
can benefit from this. I’ll describe how I did it, so you can adapt the method and use it with your own router.
First of all I examined the login page of the web interface. Be sure to look at the frame source and not the
frameset. You should see the form and the action, here’s what I saw:
The form is defined as:
<form name=”tF” method=”post” action=”/cgi-bin/login.exe” onSubmit=”evaltF();”>
Somewhere in the form there will be the field that takes the password:
<input type=”password” name=”pws” class=”stylepwd” size=”12″ maxlength=”12″>
This is probably the most important data you need. You need to write down the field name (“pws” in my
case). The size attribute comes in very handy too because it tells us that the password’s max length is 12
characters.
After that I tried to get familiar with Hydra’s options. I figured out that you needthe following options:
hydra -l “” -P passwords.txt -t 1 -f -v -V 192.168.2.1 http-post-form /cgi-bin
/login.exe:pws=^PASS^:loginpserr.htm
-l Sets the login name. In the end I don’t need a login name but hydra gets kind of pissed when you don’tpass
something, so I gave an empty string.
-P The wordlist to use for the password
-t 1 task only, not really necessary, I just wanted to make sure Hydra doesn’t choke on too many requests -f
Hydra shall stop when a working password is found
-v be verbose. and even more. I skipped that in the final version but it’s ok for debugging
192.168.1.1 is victim’s ip
http-post-form the method to use
/cgi-bin/login.exe:pws=^PASS^:loginpserr.htm
This is the most important part. Here we tell Hydra what to pass the passwords to. The argument consists of
three parts separated by “:”.
The first part is the script that takes the POST data, we found that in the frame source above.
The second part is the field name of the password field with an added =^PASS^. ^PASS^ is the variable that
hydra substitutes with the passwords in the wordlist.
The third part is the “incorrect” condition. Hydra has to find out somehow if the current password that was
send to the router is correct or not. You have to find a string that is actually IN A NEGATIVE RESPONSE
from the router. As we don’t have the password yet we can’t know what the router will send if the password is
correct, therefore we have to check if it is NOT, which we can find out easily. To find out what the router
sends back to hydra I used Wireshark.
Cracking Passwords Version 1.1 file:///D:/password10.html
Open up wireshark, go to the router login page, start capturing and then login with a wrong password. After
that, stop capturing and apply a “http” filter. You will see the POST data sentfrom hydra to the router (you
should also see the “pws=blabla” in the details, that’s where hydra sends the passwords from the wordlist).
Below that you’ll find the router answer. In my case it says something like “This page has moved to
loginpserr.htm” packed in some basic HTML. So I used the string loginpserr.htm to validate the .. uhm…
faultyness. OMFG %-]
Hydra will consider a password as CORRECT when the router answer DOES NOT contain the given string.
So be sure to take an expression that somehow sounds like “incorrect” or “wrong”. If you took “the” for
example, and the POSITVE response would be something like “the password you entered was correct”, hydra
will not recognize it as correct but incorrect.
If your router does not only need a password but also a username, you can easily add the according login
name to the last part. So if you need to send the field “login” or whatever it is called in your case with the
value “admin” as the only username you could use
/cgi-bin/login.exe:login=admin&pws=^PASS^:loginpserr.htm
When you need to try a whole username list then you can specify the list via
-L usernames.txt
and
/cgi-bin/login.exe:login=^USER^&pws=^PASS^:loginpserr.htm
For dd-wrt do
boot BackTrack and login as root 1.
hydra -l admin -P wordlist.txt -f -e ns 192.168.1.1 http-get /login.asp
-l is for a username which is admin in this case. dd-wrt allows the user to chose the username that is
require to login to the device so it could be anything.
-P is a wordlist of passwords to try
-f stop hydra when it finds the password
-v is for verbose
-e try no password and password the ip address of the device one of the currently supported options
192.168.1.1 is the IP of the AP
http-get is the correct option to this AP
/ is where you have to put in the username and password. In this case you have to put in the username
and password before you can do anything. You will have to figure this out for yourself as each device is
different.
2.
some other option you may need are:
-t TASKS run TASKS number of connects in parallel (default: 16)
You may have to adjust this number down as larger numbers may cause the router to crash or
misbehave. I usually use 10.
-v / -V verbose mode / show login+pass combination for each attempt

END of hydra

How to use my MySQL Server”Basics”

MySQL is a database to store the user information MySQL is free and Opensource  it is very easy to use,SQl stand for “structure query language.”

What is Database ?

This is one of the hardest topic to define but i will enplane you as easy as possible lets go, imagine an excel sheet on your mind then divide them into rows and columns and give the row a name like a,b,c,d and give the columns 1,2,3,4 then i want you to store “apple” in a1 if you did it then when you need a apple you would go to a1. this is like an array where the data is stores in specific memory and then pointing that memory to access that data.if you understand this then you know what is a database, a database is used to store large amount of data then application or web pages  use that database to access that data,a user can store there picture,music in a database a user can also password protect the data in a database.

How to install Mysql ?

To install MySQL Server on a windows here is the process you can choose your platform.

  • Download MySQL by visiting here .
  • Download the MySQL windows installer.
  • after Downloading install it on the computer.
  • Locate the directory where MySQL is installed and open it up.

after the above process it would open a console window ,type in password if you have entered any  in the installation process.so lets get started to use MySQL first enter the “help” command basically it will print the list of MySQL commands. To see the Databases enter this command “show databases;”   remember to put semi-colon at the end of the command or statement because it means the command or statement has ended.after typing this command you will see some databases that are created to use these databases we will use the “use” command and the name of the database(e.g. use test).to see tables inside the database we will use the “show tables;” remember we are using the test database, To see which database are you using use the “status;” command to see the current status of the database.under the current database you can see your current database that you are using.this command also shows which database server are you using which TCP port are you using and many more things.to create a database we will use “create database” command and the name of the database (e.g.”create database hello;”) this will create a hello database to see your database type the “show databases” command,To delete a database we will use the “drop database” command and the name of the database(e.g.”drop database hello“)this will completely remove every thing of the database that you have chosen remember to use this command with caution.to use our database that we have created we will then again use the “use” command.Let’s create a Table if you don’t know what is a table you can think of this way think a folder is a database and the files inside that folder are tables,to create a table we will use the ‘create’ command,(e.g.”create table infor (name varchar(25), address varchar(100), age int, pnumber varchar(12));”)so it will create a fields named info and inside that it will create varchar(variable character) which is 25 character long and it will create another varchar which is 100 character long then  int(integer) age and then varchar which is 12 character long.to see your tables that you have created type the “show tables” command it will the show your tables.if you want to see the content of  the infor table use the “describe” command and the name of the table(e.g.”describe infor;”)to erase a table we will use the “drop” command and the name of the table(e.g.”drop table infor”).to insert something in to a table for example our name, address etc.. we will use the “insert into” command and the name of the table.(e.g.”insert into infor values (“sik”, ” fake address”, 14, “5555-555-103”); “) remember string would be in quotes.after that we will select every thing using the “select * from” command and the name of the table(e.g.”select * from infor“) it will basically select every thing from infor table that is inside the “hello” database.if you want to see only address not the name and any other fields the we will use “select”command name of the field and the table name (e.g.”select address from infor”)it will echo the address that is stored in infor.to delete something from the table we will use the “delete from” command and table name then we will type “where” and the name of the field which is equal to content in the field.(e.g.”delete from infro where address=” fake address”).then enter this command “select * from infor” to see if the fake address has deleted or not.

End of MySQL Basics.