Hi,
As far as I know there is no password cracking tool available for Oracle.
Oracle doesn't use DES or RC5 or something. It's more similar to MD5 and
SHA. I feel you can't break into Oracle using password crackers. Here are some
other possibilities.
1. If you are able to get into the system running Oracle, try doing a ps for
sqlplus and in 60% of cases you will get the sqlplus password in the process
list.
2. If you are sure that the version is 8i. Voila. There are many accounts (8
of them) to get in, and out of them at least 2 are DBA. Success rate is around
80%.
3. If you are sure that the database is used as a data repository for the
application, check the application logs. In 40% of cases application logs
give up the database connection password and wonderfully 90% of the
application users do have DBA access. (I feel developers love to give their
user all the privileges hi hi hi)
4. If you have physical access to the place of the database, just roam
around the server and the work area. In most cases there will be at least
one tape having the export dump somewhere easily accessible. Get it and
recreate the database at your end.
5. If you have physical access to the system running the database then use
svrmgrl/connect internal and create a DBA user or alter the existing user.
Success rate is 90%.
6. Try using the latest listener BOF attack and get into the system as the OS
user oracle. Then go through the shell scripts and export scripts. (In most
cases you will find the export script starting with 'exp' and ending with
'.sh' and it will be in the /bin directory so that anyone can use it.) DBAs love
to write scripts with passwords in them and they never think about OS level
compromise as there is always some politics between a sysadmin and a DBA.
:D
These are some methods through which I was able to get into some Oracle
systems. Anything more, do let me know. Can you help me? Does anyone have an
Oracle root kit??
Regards
OraEtM!!
If anything more, please let me know
>--- Andrew Rodnite <[Email Address Removed]> wrote:
> > Hi All,
> >
> > Does anyone know of any Oracle password cracking utilities, i.e.
> > programs similar to "Crack" or "John-the-Ripper" but for Oracle? I
> > seem to recall sometime long ago someone posting a PL/SQL package
> > that did something along these lines sometime ago.
> >
> > I called Oracle support; they were not helpful and mentioned that the
> > password encryption algorithm was proprietary.
> >
> > In any case any pointers to any documentation as to what is being used
> > to encrypt the password (e.g. DES etc.) would be greatly appreciated.
> >
> > I will summarize.
> >
> > Thanks,
> > Andrew T. Rodnite
> > Unix and Oracle Security Analyst
> > Maxim Group
> > (612) 310-9080
> > [Email Address Removed] >
> >
> > --------
> > Oracle documentation is here:
> > http://tahiti.oracle.com/pls/tahiti/tahiti.homepage
> > To unsubscribe: send a blank email to
> > oracledba-[Email Address Removed]
> > To subscribe: send a blank email to
> > oracledba-[Email Address Removed]
> > Visit the list archive:
> > http://www.LAZYDBA.com/odbareadmail.pl
> > Tell yer mates about http://www.farAwayJobs.com
> > By using this list you agree to these
> > terms:http://www.lazydba.com/legal.html
> >
>
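An audit check for points 1 and 6 of the reply above (passwords visible in the process list and hard-coded in export scripts), added here as a defensive example and not part of the original message. The function name, the list of client tools, and the sample `ps` and script lines are assumptions constructed for illustration; the pattern is a heuristic.

```python
import re

# Oracle clients that accept user/password[@alias] on the command line (assumed list).
ORACLE_CLIENTS = ("sqlplus", "exp", "imp", "sqlldr")

# Client name, optional -flags, optional userid=, then user/password[@alias].
INLINE_CRED = re.compile(
    r"\b(?P<tool>" + "|".join(ORACLE_CLIENTS) + r")\b(?:\s+-\S+)*\s+(?:userid=)?"
    r"(?P<user>[A-Za-z][\w$#]*)/(?P<pw>[^\s@/]+)(?P<alias>@\S+)?",
    re.IGNORECASE,
)

def find_inline_credentials(lines, source):
    """Flag lines that pass a literal password to an Oracle client; mask it in the report."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = INLINE_CRED.search(line)
        if not m or m.group("pw").startswith("$"):
            continue  # nothing found, or the password comes from a shell variable
        findings.append({
            "source": source,
            "line": lineno,
            "tool": m.group("tool").lower(),
            "user": m.group("user"),
            # Never copy the secret into the audit report itself.
            "redacted": line[:m.start("pw")] + "****" + line[m.end("pw"):],
        })
    return findings

# Constructed sample: `ps -ef` output from a database host.
PS_SAMPLE = [
    "oracle    2101     1  0 09:12 ?     00:00:03 ora_pmon_ORCL",
    "appuser   4410  4398  0 10:02 pts/1 00:00:00 sqlplus -s scott/tiger@orcl @report.sql",
    "appuser   4522  4398  0 10:05 pts/1 00:00:00 sqlplus /nolog",
]
# Constructed sample: contents of a nightly export script.
SCRIPT_SAMPLE = [
    "#!/bin/sh",
    "exp userid=system/manager file=/backup/full.dmp full=y",
    'sqlplus -s "$DB_USER/$DB_PASS" @cleanup.sql',
    "exp parfile=/home/oracle/exp_full.par",
]

if __name__ == "__main__":
    for f in (find_inline_credentials(PS_SAMPLE, "ps")
              + find_inline_credentials(SCRIPT_SAMPLE, "exp_nightly.sh")):
        print(f"{f['source']}:{f['line']} {f['tool']} user={f['user']} -> {f['redacted']}")
```

Lines that start the client with `/nolog` or read credentials from a permission-restricted parameter file are not flagged, which is the form the flagged invocations should be converted to.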