暴力破解Oracle数据库密码

联系:手机/微信(+86 17813235971) QQ(107644445)QQ咨询惜分飞

标题:暴力破解Oracle数据库密码

作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]

一、验证不能通过修改用户的password实现登录不知道密码的用户

[oracle@node1 ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on Mon Nov 7 12:22:46 2011

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> grant create session to xff identified by xifenfei;

Grant succeeded.

SQL> conn xff/xifenfei
Connected.
SQL> conn / as sysdba
Connected.
SQL> grant create session to chf identified by xifenfei;

Grant succeeded.

SQL> conn chf/xifenfei
Connected.

SQL> conn / as sysdba
Connected.
SQL> desc user$
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 USER#                                     NOT NULL NUMBER
 NAME                                      NOT NULL VARCHAR2(30)
 TYPE#                                     NOT NULL NUMBER
 PASSWORD                                           VARCHAR2(30)
 DATATS#                                   NOT NULL NUMBER
 TEMPTS#                                   NOT NULL NUMBER
 CTIME                                     NOT NULL DATE
 PTIME                                              DATE
 EXPTIME                                            DATE
 LTIME                                              DATE
 RESOURCE$                                 NOT NULL NUMBER
 AUDIT$                                             VARCHAR2(38)
 DEFROLE                                   NOT NULL NUMBER
 DEFGRP#                                            NUMBER
 DEFGRP_SEQ#                                        NUMBER
 ASTATUS                                   NOT NULL NUMBER
 LCOUNT                                    NOT NULL NUMBER
 DEFSCHCLASS                                        VARCHAR2(30)
 EXT_USERNAME                                       VARCHAR2(4000)
 SPARE1                                             NUMBER
 SPARE2                                             NUMBER
 SPARE3                                             NUMBER
 SPARE4                                             VARCHAR2(1000)
 SPARE5                                             VARCHAR2(1000)
 SPARE6                                             DATE

SQL> select name,password from user$ where name in('XFF','CHF');

NAME                           PASSWORD
------------------------------ ------------------------------
CHF                            F3CF2F0CB35CB6CA
XFF                            1B60F4BFF1DAB500

SQL> alter user xff identified by values 'F3CF2F0CB35CB6CA';

User altered.

SQL> select name,password from user$ where name in('XFF','CHF');

NAME                           PASSWORD
------------------------------ ------------------------------
CHF                            F3CF2F0CB35CB6CA
XFF                            F3CF2F0CB35CB6CA

SQL> conn xff/xifenfei
ERROR:
ORA-01017: 用户名/口令无效; 登录被拒绝


Warning: You are no longer connected to ORACLE.
SQL> conn chf/xifenfei
Connected.

SQL> conn / as sysdba
Connected.
SQL> alter user xff identified by values '1B60F4BFF1DAB500';

User altered.

SQL> conn xff/xifenfei
Connected.

注:这个实验使用11g证明,其实10g也是同样的结果;在oracle 9i中可以通过修改password的values值实现登录

二、使用orabf破解数据库密码
1、修改数据库密码

SQL> conn / as sysdba
Connected.
SQL> alter user xff identified by xff01;

User altered.

SQL> alter user chf identified by chf00; 

User altered.

SQL> select name,password from user$ where name in('XFF','CHF');

NAME                           PASSWORD
------------------------------ ------------------------------
CHF                            05BD6F8AB28BD8CA
XFF                            A51B3879056B3DDD

2、orabf使用

C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------

usage: orabf [hash]:[username] [options]

options:
-c [num]  complexity: a number in [1..6] or a filename
   -      read words from stdin
   [file] read words from file
   1      numbers
   2      alpha
   3      alphanum
   4      standard oracle (alpha)(alpha,num,_,#,$)... (default)
   5      entire keyspace (' '..'~')
   6      custom (charset read from first line of file: charset.orabf)
-m [num]  max pwd len: must be in the interval [1..14] (default: 14)
-n [num]  min pwd len: must be in the interval [1..14] (default: 1)
-r        resume: tries to resume a previous session


C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf A51B3879056B3DDD:XFF

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done

Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_

press 'q' to quit. any other key to see status

current password: D9X50
9229361 passwords tried. elapsed time 00:00:13. t/s:697938

current password: HI0QJ
18967617 passwords tried. elapsed time 00:00:27. t/s:698403

current password: OB#QD
34743632 passwords tried. elapsed time 00:00:49. t/s:698844

password found: XFF:XFF01

55826385 passwords tried. elapsed time 00:01:19. t/s:704047


C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf 05BD6F8AB28BD8CA:CHF -c 3 -n 4 -m 6

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done

Starting brute force session using charset:
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ

press 'q' to quit. any other key to see status

password found: CHF:CHF00

22647601 passwords tried. elapsed time 00:00:31. t/s:719113

说明:-c 6不能正常运行,不清楚是不是因为我的win 7系统原因导致

三、使用ops_sse2破解数据库密码
1、sys用户的password

SQL> select password from user$ where name='SYS';

PASSWORD
------------------------------
18698BFD1A045BCC

2、ops_sse2使用

C:\Users\XIFENFEI\Downloads\ops_SIMD_win32>ops_sse2
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev <dennis@conus.info>
Compiled @ Apr  5 2011 12:13:15
Demo version, supporting only SYS usernames.
Usage:

  ops_sse2.exe --hashlist=filename.txt
    [--min=min_password_length] [--max=max_password_length]
    [--first_symbol_charset=characters] [--charset=characters]
    [--results=filename.txt]

hashlist file format:
username:hash:comment_or_SID

By default, results are dumped to stdout.
This can be changed by setting --results option

Default values:
  min_password_length=1
  max_password_length=8
  first_symbol_charset=ABCDEFGHIJKLMNOPQRSTUVWXYZ
  charset=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$_

#ops_file.txt内容
SYS:18698BFD1A045BCC:xff

C:\Users\XIFENFEI\Downloads\ops_SIMD_win32>ops_sse2 --hashlist=ops_file.txt --min=6  --charset=CDEFNHITX
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev <dennis@conus.info>
Compiled @ Apr  5 2011 12:13:15
Demo version, supporting only SYS usernames.
username=SYS: 1 unsolved hash(es) left
Checking 6-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 7-symbol passwords for username SYS
overall progress= 98% / time remaining:
time elapsed: 12s, ~ 1160449 passwords/hashes per second
username=SYS: 1 unsolved hash(es) left
Checking 8-symbol passwords for username SYS
overall progress= 91% / time remaining: 8s
time elapsed: 1m31s, ~ 1248875 passwords/hashes per second
SYS/xff: Found password: XIFENFEI
SYS:XIFENFEI:xff

说明:Demo version只能使用于破解sys用户的密码,而且秘密长度不能超过8.

综合说明的试验,虽然都有缺陷,但是相对而已还是orabf破解更加的给力点
orabf-v0.7.6下载
ops_SIMD_win32
ops_SIMD_linux86

参考:忘记oracle 用户密码怎么办?

此条目发表在 Oracle 分类目录。将固定链接加入收藏夹。

暴力破解Oracle数据库密码》有 1 条评论

  1. 惜 分飞 说:
    CREATE TABLE USER$                                             /* user table */
    ( USER#         NUMBER NOT NULL,                   /* user identifier number */
      name          varchar2("M_IDEN") NOT NULL,                 /* name of user */
      TYPE#         NUMBER NOT NULL,                       /* 0 = role, 1 = user */
      password      varchar2("M_IDEN"),                    /* encrypted password */
      datats#       NUMBER NOT NULL, /* default tablespace for permanent objects */
      tempts#       NUMBER NOT NULL,  /* default tablespace for temporary tables */
      ctime         DATE NOT NULL,                 /* user account creation time */
      ptime         DATE,                                /* password change time */
      exptime       DATE,                     /* actual password expiration time */
      ltime         DATE,                         /* time when account is locked */
      resource$     NUMBER NOT NULL,                        /* resource profile# */
      audit$        varchar2("S_OPFL"),                    /* user audit options */
      defrole       NUMBER NOT NULL,                  /* default role indicator: */
                   /* 0 = no roles, 1 = all roles granted, 2 = roles in defrole$ */
      defgrp#       NUMBER,                                /* default undo group */
      defgrp_seq#   NUMBER,               /* global sequence number for  the grp *
      spare         varchar2("M_IDEN"),                   /* reserved for future */
      astatus       NUMBER DEFAULT 0 NOT NULL,          /* status of the account */
                    /* 1 = Locked, 2 = Expired, 3 = Locked and Expired, 0 - open */
      lcount        NUMBER DEFAULT 0 NOT NULL, /* count of failed login attempts */
      defschclass   varchar2("M_IDEN"),                /* initial consumer group */
      ext_username  varchar2("M_VCSZ"),                     /* external username */
      spare1        NUMBER, /* used for schema level supp. logging: see ktscts.h */
      spare2        NUMBER,
      spare3        NUMBER,
      spare4        varchar2(1000),
      spare5        varchar2(1000),
      spare6        DATE
    )