And there is not only the paper, but “…THC further releases practical tools to sniff and crack the password of an oracle database within seconds…” all you need to know is how to use them.
Hi Lutz,
Be careful, the passwords are not cracked in seconds. The timing would be the same if the hashes were read from the database if a dictionary crack or brute force attack were used. The paper is talking about sniffing AUTH_SESSION and AUTH_PASSWORD from the wire and extracting the password by dictionary attacking the password or brute forcing it. This is no different to doing it off line if you have the hash.
The key difference is that IF you have the hash you can get the password in seconds as the hash is used to encrypt the session key which in turn is used to encrypt the clear text password.
None of this is new. I talked about doing this in 2003 in the SANS course, many people have released papers and tools over the recent months doing the same. The papers by Laszlo Toth are better than the THC paper as he doesn't stop with 8i and Java clients as this paper does. The 9i and 10g protocols are different to that used in the paper. I talked about the same issue in my blog a few days ago at http://www.petefinnigan.com/weblog/entries/index.html
cheers
Pete
Hi Pete, I was pretty sure that you would respond to this post!
What I heard just recently is that Oracle is about to change the hashing algorithm sometime soon, which would render this method to crack the passwords impossible.
=;-)
Pete,
I just heard that the time needed to crack an 8 digit password even with a normal PC is about 41 days.
It is not seconds but it is in a reasonable range isn’t it?
=;-(
Hi Lutz,
I also heard (I am not an 11g beta tester and have no access to 11g) that the password algorithm will be AES based rather than DES. I also heard the DES based algorithm will still be there. I guess on July 11th I will see..:-)
The timing to crack an 8 character password of 41 days even on a PC is achievable for someone determined to break a password. If you set your password lifetime longer than this then you are at risk with 8 character passwords.
It is vital to know how long it takes to crack a password on normal hardware when you decide on password lifetimes. Also it's vital that the password hashes are not revealed.
The problem with the length of a password is worse if you use a dictionary word, as an 8 character password would fall in a fraction of the time.
Also it's worth noting that specialist hardware is now available that uses FPGAs that can crack the DES keys in a number of days. If this were modified to crack Oracle passwords any length of password is vulnerable in a reasonable number of days. The product is called COPACOBANA, it's a German company.
cheers
Pete
Pete,
I think that setting password life time to less than 41 days does not put you on the safe side necessarily, because it might happen that it even worked out before the 41 days by incident, couldn't it? I am not sure.
The new Oracle database 11g Courseware for the 11g New Features course says that the new hash algorithm used is SHA-1, which uses a 160 bit key.
Passwords in 11g are:
- case sensitive
- salted, not as it was with the old hash function,
- can contain special characters, also other than '$', '_' and '#'.
- can be up to 50 characters / 30 bytes long (will be 30 characters) bytes semantics used
=;-)
Hi Lutz,
Thanks for your reply. I meant SHA-1 but said AES..:-(
I didn't mean to suggest that you are safe at 41 days, I meant the opposite: if you have an 8 character password and your life time for the password is 60 days you are doomed if someone attacks it. Also you are right, the times quoted are maximums, the password could fall under brute force quicker than the maximum.
cheers
Pete
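The exchange above turns on one measured figure (about 41 days to exhaust an 8 character password on an ordinary PC) and on whether PASSWORD_LIFE_TIME is shorter than that. The following Python calculator is an added example, not code from the post or the commenters: it derives a guess rate from that 41-day figure and extrapolates to other lengths, alphabets and lifetimes. The alphabet sizes (39 for the case-insensitive pre-11g character set, 95 printable ASCII for case-sensitive 11g) and the assumption that the attacker's rate is the same for both hash algorithms are mine, not the page's.

```python
SECONDS_PER_DAY = 86400.0

# Reference point quoted in the thread: 8 characters, ~41 days, one normal PC.
REFERENCE_LENGTH = 8
REFERENCE_DAYS = 41.0

# Assumed alphabets (not stated on the page).
ALPHABET_10G = 26 + 10 + 3   # case-insensitive letters, digits, $ _ #
ALPHABET_11G = 95            # case-sensitive, any printable ASCII


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def guesses_per_second(alphabet_size=ALPHABET_10G):
    """Derive the attacker's rate implied by the 41-day reference figure."""
    return keyspace(alphabet_size, REFERENCE_LENGTH) / (REFERENCE_DAYS * SECONDS_PER_DAY)


def days_to_exhaust(length, alphabet_size, rate):
    """Worst case (every candidate tried). As Pete notes, the real hit
    can land anywhere before this; on average at about half of it."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_DAY


def lifetime_is_safe(lifetime_days, length, alphabet_size, rate, margin=2.0):
    """True if the password expires comfortably before a full brute force
    could finish. `margin` is a safety factor covering early hits and
    faster-than-assumed hardware (assumed value, tune to taste)."""
    return lifetime_days * margin < days_to_exhaust(length, alphabet_size, rate)


def minimum_length_for_lifetime(lifetime_days, alphabet_size, rate, margin=2.0):
    """Smallest password length for which the given lifetime is safe."""
    length = 1
    while not lifetime_is_safe(lifetime_days, length, alphabet_size, rate, margin):
        length += 1
    return length


if __name__ == "__main__":
    rate = guesses_per_second()
    print("implied rate: %.0f guesses/s" % rate)
    for alphabet, label in ((ALPHABET_10G, "10g-style"), (ALPHABET_11G, "11g-style")):
        for n in (6, 8, 10):
            print("%s %2d chars: %.1f days worst case" % (label, n, days_to_exhaust(n, alphabet, rate)))
        print("%s: minimum length for a 60-day lifetime = %d" %
              (label, minimum_length_for_lifetime(60, alphabet, rate)))
```

Run as is to see why a 60-day lifetime with 8 case-insensitive characters fails the check while the same lifetime passes once case-sensitive, salted 11g passwords widen the alphabet.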
Yesterday The Hackers' Choice organization published a paper that shows how to break into an Oracle 10g database very easily.
http://www.thc.org/thc-orakel/thc-orakelsniffert.pdf
Link is not available
Hi Soumen,
you can find the document now here:
http://freeworld.thc.org/thc-orakel/
Best regards,
L.H.
=;-)
Hi Pete, I have lost my Oracle password in my office. I can't manage the database any more, because only I know the SYSTEM password. How can I open or see my lost password without formatting my computer server?
Please reply to my email directly …
Thx