I. Verifying that modifying a user's password value does not let you log in as a user whose password you do not know
[oracle@node1 ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Mon Nov 7 12:22:46 2011
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options
SQL> grant create session to xff identified by xifenfei;
Grant succeeded.
SQL> conn xff/xifenfei
Connected.
SQL> conn / as sysdba
Connected.
SQL> grant create session to chf identified by xifenfei;
Grant succeeded.
SQL> conn chf/xifenfei
Connected.
SQL> conn / as sysdba
Connected.
SQL> desc user$
Name                                      Null?    Type
----------------------------------------- -------- ----------------------------
USER#                                     NOT NULL NUMBER
NAME                                      NOT NULL VARCHAR2(30)
TYPE#                                     NOT NULL NUMBER
PASSWORD                                           VARCHAR2(30)
DATATS#                                   NOT NULL NUMBER
TEMPTS#                                   NOT NULL NUMBER
CTIME                                     NOT NULL DATE
PTIME                                              DATE
EXPTIME                                            DATE
LTIME                                              DATE
RESOURCE$                                 NOT NULL NUMBER
AUDIT$                                             VARCHAR2(38)
DEFROLE                                   NOT NULL NUMBER
DEFGRP#                                            NUMBER
DEFGRP_SEQ#                                        NUMBER
ASTATUS                                   NOT NULL NUMBER
LCOUNT                                    NOT NULL NUMBER
DEFSCHCLASS                                        VARCHAR2(30)
EXT_USERNAME                                       VARCHAR2(4000)
SPARE1                                             NUMBER
SPARE2                                             NUMBER
SPARE3                                             NUMBER
SPARE4                                             VARCHAR2(1000)
SPARE5                                             VARCHAR2(1000)
SPARE6                                             DATE
SQL> select name,password from user$ where name in ('XFF','CHF');
NAME                           PASSWORD
------------------------------ ------------------------------
CHF                            F3CF2F0CB35CB6CA
XFF                            1B60F4BFF1DAB500
SQL> alter user xff identified by values 'F3CF2F0CB35CB6CA';
User altered.
SQL> select name,password from user$ where name in ('XFF','CHF');
NAME                           PASSWORD
------------------------------ ------------------------------
CHF                            F3CF2F0CB35CB6CA
XFF                            F3CF2F0CB35CB6CA
SQL> conn xff/xifenfei
ERROR:
ORA-01017: 用户名/口令无效; 登录被拒绝
Warning: You are no longer connected to ORACLE.
SQL> conn chf/xifenfei
Connected.
SQL> conn / as sysdba
Connected.
SQL> alter user xff identified by values '1B60F4BFF1DAB500';
User altered.
SQL> conn xff/xifenfei
Connected.
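Note: this experiment was run on 11g to demonstrate the point, and 10g gives the same result. In Oracle 9i, login can be achieved by modifying the values value of the password.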
II. Cracking database passwords with orabf
1. Change the database passwords
SQL> conn / as sysdba
Connected.
SQL> alter user xff identified by xff01;
User altered.
SQL> alter user chf identified by chf00;
User altered.
SQL> select name,password from user$ where name in ('XFF','CHF');
NAME                           PASSWORD
------------------------------ ------------------------------
CHF                            05BD6F8AB28BD8CA
XFF                            A51B3879056B3DDD
2. Using orabf
C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf
orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
usage: orabf [hash]:[username] [options]
options:
-c [num] complexity: a number in [1..6] or a filename
   -      read words from stdin
   [file] read words from file
   1      numbers
   2      alpha
   3      alphanum
   4      standard oracle (alpha)(alpha,num,_,#,$)... (default)
   5      entire keyspace (' '..'~')
   6      custom (charset read from first line of file: charset.orabf)
-m [num] max pwd len: must be in the interval [1..14] (default: 14)
-n [num] min pwd len: must be in the interval [1..14] (default: 1)
-r       resume: tries to resume a previous session
C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf A51B3879056B3DDD:XFF
orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done
Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_
press 'q' to quit. any other key to see status
current password: D9X50
9229361 passwords tried. elapsed time 00:00:13. t/s:697938
current password: HI0QJ
18967617 passwords tried. elapsed time 00:00:27. t/s:698403
current password: OB#QD
34743632 passwords tried. elapsed time 00:00:49. t/s:698844
password found: XFF:XFF01
55826385 passwords tried. elapsed time 00:01:19. t/s:704047
C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf 05BD6F8AB28BD8CA:CHF -c 3 -n 4 -m 6
orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done
Starting brute force session using charset:
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
press 'q' to quit. any other key to see status
password found: CHF:CHF00
22647601 passwords tried. elapsed time 00:00:31. t/s:719113
Note: -c 6 does not run properly; I am not sure whether this is caused by my Windows 7 system.
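The "passwords tried" counters in the two runs above can be reproduced by arithmetic alone, which shows how little protection a five-character password has at roughly 700,000 tries per second and how the picture changes with length. The Python below is an added example, not part of orabf or of the original post; it assumes candidates are enumerated shortest-first in the printed charset order with the first character most significant, an assumption that matches both counters shown above, and the function names are hypothetical.

```python
import string

# Charsets as printed by orabf in the two sessions on this page.
ORACLE_FIRST = string.ascii_uppercase                        # -c 4, first position (alpha)
ORACLE_REST = "#$0123456789" + string.ascii_uppercase + "_"  # -c 4, remaining positions
ALNUM = string.digits + string.ascii_uppercase               # -c 3, every position


def keyspace(length, first, rest):
    """Number of candidates of exactly `length` characters."""
    return len(first) * len(rest) ** (length - 1)


def search_rank(password, first, rest, min_len=1):
    """1-based position of `password` in a shortest-first, charset-ordered search.

    Assumption (not taken from orabf's source): the first character is the
    most significant digit and shorter lengths are exhausted first.
    """
    pw = password.upper()  # the charsets searched on this page are upper-case only
    if len(pw) < min_len:
        raise ValueError("password shorter than min_len")
    if pw[0] not in first or any(c not in rest for c in pw[1:]):
        raise ValueError("password is outside the searched charset")
    # Every shorter candidate is tried before any candidate of this length.
    rank = sum(keyspace(n, first, rest) for n in range(min_len, len(pw)))
    # Position among same-length candidates, read as a mixed-radix number.
    idx = first.index(pw[0])
    for c in pw[1:]:
        idx = idx * len(rest) + rest.index(c)
    return rank + idx + 1


def worst_case_seconds(max_len, first, rest, rate, min_len=1):
    """Seconds to exhaust all candidates from min_len to max_len at `rate` tries/s."""
    total = sum(keyspace(n, first, rest) for n in range(min_len, max_len + 1))
    return total / rate


if __name__ == "__main__":
    rate = 700_000  # approximate tries per second reported in the sessions above
    print(search_rank("XFF01", ORACLE_FIRST, ORACLE_REST))
    print(search_rank("CHF00", ALNUM, ALNUM, min_len=4))
    for n in (6, 8, 10, 12):
        days = worst_case_seconds(n, ORACLE_FIRST, ORACLE_REST, rate) / 86400
        print(f"up to {n} chars: {days:,.1f} days to exhaust")
```

The two ranks equal the counters printed when each password was found, so the same functions can be used to compare candidate password policies against the rate measured on this page.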
III. Cracking database passwords with ops_sse2
1. The SYS user's password
SQL> select password from user$ where name='SYS';
PASSWORD
------------------------------
18698BFD1A045BCC
2. Using ops_sse2
C:\Users\XIFENFEI\Downloads\ops_SIMD_win32>ops_sse2
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev <dennis@conus.info>
Compiled @ Apr 5 2011 12:13:15
Demo version, supporting only SYS usernames.
Usage:
ops_sse2.exe --hashlist=filename.txt
[--min=min_password_length] [--max=max_password_length]
[--first_symbol_charset=characters] [--charset=characters]
[--results=filename.txt]
hashlist file format:
username:hash:comment_or_SID
By default, results are dumped to stdout.
This can be changed by setting --results option
Default values:
min_password_length=1
max_password_length=8
first_symbol_charset=ABCDEFGHIJKLMNOPQRSTUVWXYZ
charset=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$_
# contents of ops_file.txt
SYS:18698BFD1A045BCC:xff
C:\Users\XIFENFEI\Downloads\ops_SIMD_win32>ops_sse2 --hashlist=ops_file.txt --min=6 --charset=CDEFNHITX
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev <dennis@conus.info>
Compiled @ Apr 5 2011 12:13:15
Demo version, supporting only SYS usernames.
username=SYS: 1 unsolved hash(es) left
Checking 6-symbol passwords for username SYS
overall progress= 0%
username=SYS: 1 unsolved hash(es) left
Checking 7-symbol passwords for username SYS
overall progress= 98% / time remaining:
time elapsed: 12s, ~ 1160449 passwords/hashes per second
username=SYS: 1 unsolved hash(es) left
Checking 8-symbol passwords for username SYS
overall progress= 91% / time remaining: 8s
time elapsed: 1m31s, ~ 1248875 passwords/hashes per second
SYS/xff: Found password: XIFENFEI
SYS:XIFENFEI:xff
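Note: the demo version can only be used to crack the SYS user's password, and the password length cannot exceed 8.
Taking the experiments above together: both tools have shortcomings, but comparatively orabf is the more capable cracker.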