联系:手机/微信(+86 17813235971) QQ(107644445)
作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]
一、验证不能通过修改用户的password实现登录不知道密码的用户
[oracle@node1 ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Mon Nov 7 12:22:46 2011
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options
SQL> grant create session to xff identified by xifenfei;
Grant succeeded.
SQL> conn xff/xifenfei
Connected.
SQL> conn / as sysdba
Connected.
SQL> grant create session to chf identified by xifenfei;
Grant succeeded.
SQL> conn chf/xifenfei
Connected.
SQL> conn / as sysdba
Connected.
SQL> desc user$
Name Null? Type
----------------------------------------- -------- ----------------------------
USER# NOT NULL NUMBER
NAME NOT NULL VARCHAR2(30)
TYPE# NOT NULL NUMBER
PASSWORD VARCHAR2(30)
DATATS# NOT NULL NUMBER
TEMPTS# NOT NULL NUMBER
CTIME NOT NULL DATE
PTIME DATE
EXPTIME DATE
LTIME DATE
RESOURCE$ NOT NULL NUMBER
AUDIT$ VARCHAR2(38)
DEFROLE NOT NULL NUMBER
DEFGRP# NUMBER
DEFGRP_SEQ# NUMBER
ASTATUS NOT NULL NUMBER
LCOUNT NOT NULL NUMBER
DEFSCHCLASS VARCHAR2(30)
EXT_USERNAME VARCHAR2(4000)
SPARE1 NUMBER
SPARE2 NUMBER
SPARE3 NUMBER
SPARE4 VARCHAR2(1000)
SPARE5 VARCHAR2(1000)
SPARE6 DATE
SQL> select name,password from user$ where name in('XFF','CHF');
NAME PASSWORD
------------------------------ ------------------------------
CHF F3CF2F0CB35CB6CA
XFF 1B60F4BFF1DAB500
SQL> alter user xff identified by values 'F3CF2F0CB35CB6CA';
User altered.
SQL> select name,password from user$ where name in('XFF','CHF');
NAME PASSWORD
------------------------------ ------------------------------
CHF F3CF2F0CB35CB6CA
XFF F3CF2F0CB35CB6CA
SQL> conn xff/xifenfei
ERROR:
ORA-01017: 用户名/口令无效; 登录被拒绝
Warning: You are no longer connected to ORACLE.
SQL> conn chf/xifenfei
Connected.
SQL> conn / as sysdba
Connected.
SQL> alter user xff identified by values '1B60F4BFF1DAB500';
User altered.
SQL> conn xff/xifenfei
Connected.
注:这个实验使用11g证明,其实10g也是同样的结果;在oracle 9i中可以通过修改password的values值实现登录
二、使用orabf破解数据库密码
1、修改数据库密码
SQL> conn / as sysdba
Connected.
SQL> alter user xff identified by xff01;
User altered.
SQL> alter user chf identified by chf00;
User altered.
SQL> select name,password from user$ where name in('XFF','CHF');
NAME PASSWORD
------------------------------ ------------------------------
CHF 05BD6F8AB28BD8CA
XFF A51B3879056B3DDD
2、orabf使用
C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf
orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
usage: orabf [hash]:[username] [options]
options:
-c [num] complexity: a number in [1..6] or a filename
- read words from stdin
[file] read words from file
1 numbers
2 alpha
3 alphanum
4 standard oracle (alpha)(alpha,num,_,#,$)... (default)
5 entire keyspace (' '..'~')
6 custom (charset read from first line of file: charset.orabf)
-m [num] max pwd len: must be in the interval [1..14] (default: 14)
-n [num] min pwd len: must be in the interval [1..14] (default: 1)
-r resume: tries to resume a previous session
C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf A51B3879056B3DDD:XFF
orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done
Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_
press 'q' to quit. any other key to see status
current password: D9X50
9229361 passwords tried. elapsed time 00:00:13. t/s:697938
current password: HI0QJ
18967617 passwords tried. elapsed time 00:00:27. t/s:698403
current password: OB#QD
34743632 passwords tried. elapsed time 00:00:49. t/s:698844
password found: XFF:XFF01
55826385 passwords tried. elapsed time 00:01:19. t/s:704047
C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf 05BD6F8AB28BD8CA:CHF -c 3 -n 4 -m 6
orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done
Starting brute force session using charset:
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
press 'q' to quit. any other key to see status
password found: CHF:CHF00
22647601 passwords tried. elapsed time 00:00:31. t/s:719113
说明:-c 6不能正常运行,不清楚是不是因为我的win 7系统原因导致
三、使用ops_sse2破解数据库密码
1、sys用户的password
SQL> select password from user$ where name='SYS'; PASSWORD ------------------------------ 18698BFD1A045BCC
2、ops_sse2使用
C:\Users\XIFENFEI\Downloads\ops_SIMD_win32>ops_sse2
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev <dennis@conus.info>
Compiled @ Apr 5 2011 12:13:15
Demo version, supporting only SYS usernames.
Usage:
ops_sse2.exe --hashlist=filename.txt
[--min=min_password_length] [--max=max_password_length]
[--first_symbol_charset=characters] [--charset=characters]
[--results=filename.txt]
hashlist file format:
username:hash:comment_or_SID
By default, results are dumped to stdout.
This can be changed by setting --results option
Default values:
min_password_length=1
max_password_length=8
first_symbol_charset=ABCDEFGHIJKLMNOPQRSTUVWXYZ
charset=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$_
#ops_file.txt内容
SYS:18698BFD1A045BCC:xff
C:\Users\XIFENFEI\Downloads\ops_SIMD_win32>ops_sse2 --hashlist=ops_file.txt --min=6 --charset=CDEFNHITX
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev <dennis@conus.info>
Compiled @ Apr 5 2011 12:13:15
Demo version, supporting only SYS usernames.
username=SYS: 1 unsolved hash(es) left
Checking 6-symbol passwords for username SYS
overall progress= 0%
username=SYS: 1 unsolved hash(es) left
Checking 7-symbol passwords for username SYS
overall progress= 98% / time remaining:
time elapsed: 12s, ~ 1160449 passwords/hashes per second
username=SYS: 1 unsolved hash(es) left
Checking 8-symbol passwords for username SYS
overall progress= 91% / time remaining: 8s
time elapsed: 1m31s, ~ 1248875 passwords/hashes per second
SYS/xff: Found password: XIFENFEI
SYS:XIFENFEI:xff
说明:Demo version只能使用于破解sys用户的密码,而且秘密长度不能超过8.
综合说明的试验,虽然都有缺陷,但是相对而已还是orabf破解更加的给力点
orabf-v0.7.6下载
ops_SIMD_win32
ops_SIMD_linux86
加我QQ
CREATE TABLE USER$ /* user table */ ( USER# NUMBER NOT NULL, /* user identifier number */ name varchar2("M_IDEN") NOT NULL, /* name of user */ TYPE# NUMBER NOT NULL, /* 0 = role, 1 = user */ password varchar2("M_IDEN"), /* encrypted password */ datats# NUMBER NOT NULL, /* default tablespace for permanent objects */ tempts# NUMBER NOT NULL, /* default tablespace for temporary tables */ ctime DATE NOT NULL, /* user account creation time */ ptime DATE, /* password change time */ exptime DATE, /* actual password expiration time */ ltime DATE, /* time when account is locked */ resource$ NUMBER NOT NULL, /* resource profile# */ audit$ varchar2("S_OPFL"), /* user audit options */ defrole NUMBER NOT NULL, /* default role indicator: */ /* 0 = no roles, 1 = all roles granted, 2 = roles in defrole$ */ defgrp# NUMBER, /* default undo group */ defgrp_seq# NUMBER, /* global sequence number for the grp * spare varchar2("M_IDEN"), /* reserved for future */ astatus NUMBER DEFAULT 0 NOT NULL, /* status of the account */ /* 1 = Locked, 2 = Expired, 3 = Locked and Expired, 0 - open */ lcount NUMBER DEFAULT 0 NOT NULL, /* count of failed login attempts */ defschclass varchar2("M_IDEN"), /* initial consumer group */ ext_username varchar2("M_VCSZ"), /* external username */ spare1 NUMBER, /* used for schema level supp. logging: see ktscts.h */ spare2 NUMBER, spare3 NUMBER, spare4 varchar2(1000), spare5 varchar2(1000), spare6 DATE )