暴力破解Oracle数据库密码

一、验证不能通过修改用户的password实现登录不知道密码的用户

[oracle@node1 ~]$ sqlplus / as sysdba    SQL*Plus: Release 11.2.0.3.0 Production on Mon Nov 7 12:22:46 2011    Copyright (c) 1982, 2011, Oracle.  All rights reserved.       Connected to : Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, Oracle Label Security, OLAP, Data Mining, Oracle Database Vault and Real Application Testing options    SQL> grant create session to xff identified by xifenfei;    Grant succeeded.    SQL> conn xff/xifenfei Connected. SQL> conn / as sysdba Connected. SQL> grant create session to chf identified by xifenfei;    Grant succeeded.    SQL> conn chf/xifenfei Connected.    SQL> conn / as sysdba Connected. SQL> desc user $   Name                                      Null ?    Type   ----------------------------------------- -------- ----------------------------   USER #                                     NOT NULL NUMBER   NAME                                      NOT NULL VARCHAR2(30)   TYPE#                                     NOT NULL NUMBER   PASSWORD                                           VARCHAR2(30)   DATATS#                                   NOT NULL NUMBER   TEMPTS#                                   NOT NULL NUMBER   CTIME                                     NOT NULL DATE   PTIME                                              DATE   EXPTIME                                            DATE   LTIME                                              DATE   RESOURCE$                                 NOT NULL NUMBER   AUDIT$                                             VARCHAR2(38)   DEFROLE                                   NOT NULL NUMBER   DEFGRP#                                            NUMBER   DEFGRP_SEQ#                                        NUMBER   ASTATUS                                   NOT NULL NUMBER   LCOUNT                                    NOT NULL NUMBER   DEFSCHCLASS                                        VARCHAR2(30)   EXT_USERNAME                                       VARCHAR2(4000)   SPARE1                                             NUMBER   SPARE2                                             NUMBER   SPARE3                                             NUMBER   SPARE4                                             VARCHAR2(1000)   SPARE5                                             VARCHAR2(1000)   SPARE6                                             DATE    SQL> select name , password from user $ where name in ( 'XFF' , 'CHF' );    NAME                           PASSWORD ------------------------------ ------------------------------ CHF                            F3CF2F0CB35CB6CA XFF                            1B60F4BFF1DAB500    SQL> alter user xff identified by values 'F3CF2F0CB35CB6CA' ;    User altered.    SQL> select name , password from user $ where name in ( 'XFF' , 'CHF' );    NAME                           PASSWORD ------------------------------ ------------------------------ CHF                            F3CF2F0CB35CB6CA XFF                            F3CF2F0CB35CB6CA    SQL> conn xff/xifenfei ERROR: ORA-01017: 用户名/口令无效; 登录被拒绝       Warning: You are no longer connected to ORACLE. SQL> conn chf/xifenfei Connected.    SQL> conn / as sysdba Connected. SQL> alter user xff identified by values '1B60F4BFF1DAB500' ;    User altered.    SQL> conn xff/xifenfei Connected.

注：这个实验使用11g证明，其实10g也是同样的结果；在oracle 9i中可以通过修改password的values值实现登录

二、使用orabf破解数据库密码
1、修改数据库密码

SQL> conn / as sysdba Connected. SQL> alter user xff identified by xff01;    User altered.    SQL> alter user chf identified by chf00;     User altered.    SQL> select name , password from user $ where name in ( 'XFF' , 'CHF' );    NAME                           PASSWORD ------------------------------ ------------------------------ CHF                            05BD6F8AB28BD8CA XFF                            A51B3879056B3DDD

2、orabf使用

C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf    orabf v0.7.6, (C)2005 orm@toolcrypt.org ---------------------------------------    usage: orabf [ hash ]:[username] [options]    options: -c [num]  complexity: a number in [1..6] or a filename     -      read words from stdin     [ file ] read words from file     1      numbers     2      alpha     3      alphanum     4      standard oracle (alpha)(alpha,num,_, #,$)... (default)     5      entire keyspace ( ' ' .. '~' )     6      custom (charset read from first line of file : charset.orabf) -m [num]  max pwd len: must be in the interval [1..14] (default: 14) -n [num]  min pwd len: must be in the interval [1..14] (default: 1) -r        resume: tries to resume a previous session       C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf A51B3879056B3DDD:XFF    orabf v0.7.6, (C)2005 orm@toolcrypt.org --------------------------------------- Trying default passwords... done    Starting brute force session using charset: #$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_    press 'q' to quit. any other key to see status    current password: D9X50 9229361 passwords tried. elapsed time 00:00:13. t /s :697938    current password: HI0QJ 18967617 passwords tried. elapsed time 00:00:27. t /s :698403    current password: OB #QD 34743632 passwords tried. elapsed time 00:00:49. t /s :698844    password found: XFF:XFF01    55826385 passwords tried. elapsed time 00:01:19. t /s :704047       C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf 05BD6F8AB28BD8CA:CHF -c 3 -n 4 -m 6    orabf v0.7.6, (C)2005 orm@toolcrypt.org --------------------------------------- Trying default passwords... done    Starting brute force session using charset: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ    press 'q' to quit. any other key to see status    password found: CHF:CHF00    22647601 passwords tried. elapsed time 00:00:31. t /s :719113

说明：-c 6不能正常运行，不清楚是不是因为我的win 7系统原因导致

三、使用ops_sse2破解数据库密码
1、sys用户的password

SQL> select password from user $ where name = 'SYS' ;    PASSWORD ------------------------------ 18698BFD1A045BCC

2、ops_sse2使用

C:\Users\XIFENFEI\Downloads\ops_SIMD_win32>ops_sse2 Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev <dennis@conus.info> Compiled @ Apr  5 2011 12:13:15 Demo version, supporting only SYS usernames. Usage:       ops_sse2.exe --hashlist=filename.txt      [--min=min_password_length] [--max=max_password_length]      [--first_symbol_charset=characters] [--charset=characters]      [--results=filename.txt]    hashlist file format : username: hash :comment_or_SID    By default, results are dumped to stdout. This can be changed by setting --results option    Default values:    min_password_length=1    max_password_length=8    first_symbol_charset=ABCDEFGHIJKLMNOPQRSTUVWXYZ    charset=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 #$_    #ops_file.txt内容 SYS:18698BFD1A045BCC:xff    C:\Users\XIFENFEI\Downloads\ops_SIMD_win32>ops_sse2 --hashlist=ops_file.txt --min=6  --charset=CDEFNHITX Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev <dennis@conus.info> Compiled @ Apr  5 2011 12:13:15 Demo version, supporting only SYS usernames. username=SYS: 1 unsolved hash (es) left Checking 6-symbol passwords for username SYS overall progress=  0% username=SYS: 1 unsolved hash (es) left Checking 7-symbol passwords for username SYS overall progress= 98% / time remaining: time elapsed: 12s, ~ 1160449 passwords /hashes per second username=SYS: 1 unsolved hash (es) left Checking 8-symbol passwords for username SYS overall progress= 91% / time remaining: 8s time elapsed: 1m31s, ~ 1248875 passwords /hashes per second SYS /xff : Found password: XIFENFEI SYS:XIFENFEI:xff

说明：Demo version只能使用于破解sys用户的密码，而且秘密长度不能超过8.

综合说明的试验，虽然都有缺陷，但是相对而已还是orabf破解更加的给力点
orabf-v0.7.6下载
ops_SIMD_win32
ops_SIMD_linux86