hashcat
advanced password recovery

aliby · 02-29-2012, 07:55 PM

Just wanted to see if there was any possibility of getting support for Oracle 10G and lower hashes implemented in oclHashCat/cudaHashCat. Oracle 10g uses the DES($salt.$pass) hash format, where $salt is the account username.

Thanks!

aliby · 02-29-2012, 11:38 PM

Just realized that DES takes a 56-bit input, so my understanding of the Oracle hashing algorithm wasn't 100% correct.

Here are a few good resources that describe the process correctly:

http://jchblue.blogspot.com/2010/04/orac...rithm.html
http://freeworld.thc.org/papers/thc-orakelsniffert.pdf
http://groups.google.com/group/comp.data...7a977fb6ed
http://www.red-database-security.com/whi...words.html

***atom*** · 03-01-2012, 10:21 AM

looks interessting. thanks for the resources. if there is more demand i definitely will add it.

aliby · 03-01-2012, 06:27 PM

Great thanks! :-)

point5 · 03-14-2012, 09:55 PM

I would also really like to have this feature!

***atom*** · 03-18-2012, 07:17 PM

@Hash-IT: Can you please add this to wiki?

***atom*** · 03-21-2012, 03:44 PM

OK, got the first version working!

That damn document from above -> http://freeworld.thc.org/papers/thc-orakelsniffert.pdf

I lost nearly a week till I realized that this block is invalid:

Quote:// first DES CBC
temp = DES_ENCODE(in[0], magic_number)
= DES_ENCODE(0x0053005900530048, 0x0123456789ABCDEF)
= 0x170453E89F8CDA7

See here:

Quote:root@thumbstone:~# xxd data
0000000: 0053 0059 0053 0048 .S.Y.S.H
root@thumbstone:~# openssl enc -e -in data -des -K 0123456789abcdef -iv 0 -nopad | xxd
0000000: 488f 689a b4f1 8f82 H.h.....

However, got it working. Some example output following.

Finds the pass:

Quote:root@sf:~/oclHashcat-lite-0.10# ./oclHashcat-lite64.bin -m 3100 C648972D2BE43FA4:SYS --pw-min 5 --quiet
C648972D2BE43FA4:SYS:H4X0R
root@sf:~/oclHashcat-lite-0.10#

Benchmark on hd7970 (stock clock):

Quote:root@sf:~/oclHashcat-lite-0.10# ./oclHashcat-lite64.bin -m 3100 aaaaaaaaaaaaaaaa:a --pw-min 7 -n 800 --gpu-loops 1024 --runtime 30
oclHashcat-lite v0.10 by atom starting...

** Valid keyfile for beta usage: atom (expires 08.03.2013)

GPU-Loops: 1024
GPU-Accel: 800
Password lengths range: 7 - 55
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Tahiti, 2935MB, 0Mhz, 32MCU
[s]tatus [p]ause [r]esume [q]uit =>
NOTE: Runtime limit reached, aborting...

Status.......: Aborted
Hash.Target..: AAAAAAAAAAAAAAAA:A
Hash.Type....: Oracle 7-10g
Time.Running.: 34 secs
Time.Left....: 3 mins, 14 secs
Plain.Mask...: ?1?2?2?2?2?2?2
Plain.Text...: ***AAAA
Plain.Length.: 7
Progress.....: 11744051200/78364164096 (14.99%)
Speed.GPU.#1.: 342.4M/s
HWMon.GPU.#1.: 99% GPU, 52c Temp

Started: Wed Mar 21 14:42:49 2012
Stopped: Wed Mar 21 14:43:24 2012

Kakoose · 03-22-2012, 11:41 AM

Looking good atom!

***atom*** · 03-22-2012, 07:29 PM

Did another optimization, 400 Mhash/s mark broken :-)

point5 · 05-03-2012, 03:26 AM

Any chance I can help test the 10g cracking?

hashcat advanced password recovery

hashcat
advanced password recovery