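[20171229]Cracking Oracle passwords with hashcat 2.txt
--//A few days ago I learned to use hashcat to crack Oracle passwords. Today I studied it in more depth and am adding some supplementary notes.
1.Environment: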
SYS@book> @ &r/ver1
PORT_STRING VERSION BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx 11.2.0.4.0 Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
SYS@book> column spare4 format a62
SYS@book> select NAME,SPARE4,PASSWORD from sys.user$ where name='SCOTT';
NAME SPARE4 PASSWORD
-------------------- -------------------------------------------------------------- ------------------------------
SCOTT S:54239BE4170EBBD3774EA9D03599088D331459353B8549A144E6FC622CDD 4A19A8DE4BA750F6
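--//PASSWORD holds the format used up to 10g, and the password stored there is case-insensitive. Use this property to crack that password first and then crack the real password; the search range shrinks considerably.
--//This example is also used to learn some hashcat commands.
2.First crack the 10g-format password: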
hashcat64.exe --potfile-disable --force -a 3 -m 3100 4A19A8DE4BA750F6:SCOTT ?u?d?u?d?u?d
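--//Note: --potfile-disable means that a successful crack is not recorded in the file hashcat.pot. --force is there mainly because of some driver problems with the version I use; I can only run with this parameter added.
--//In the earlier test I forgot the parameter -a 3, so the mask that followed was invalid and an error was reported.
--// Description of the -a parameter: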
- [ Attack Modes ] -
# | Mode
===+======
0 | Straight
1 | Combination
3 | Brute-force
6 | Hybrid Wordlist + Mask
7 | Hybrid Mask + Wordlist
--//The format ?u?d?u?d?u?d that follows, for reference: my cracking format is uppercase+digit+uppercase+digit+uppercase+digit
- [ Built-in Charsets ] -
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
R:\hashcat>hashcat64.exe --potfile-disable --force -a 3 -m 3100 4A19A8DE4BA750F6:SCOTT ?u?d?u?d?u?d
hashcat (v3.00-1-g67a8d97) starting...
OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped
WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled
4A19A8DE4BA750F6:SCOTT:B1O2K3
Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (?u?d?u?d?u?d) [6]
Hash.Target....: 4A19A8DE4BA750F6:SCOTT
Hash.Type......: Oracle H: Type (Oracle 7+)
Time.Started...: 0 secs
Speed.Dev.#1...: 10512.3 kH/s (14.10ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 258048/17576000 (1.47%)
Rejected.......: 0/258048 (0.00%)
Restore.Point..: 0/67600 (0.00%)
Started: Fri Dec 29 11:17:34 2017
Stopped: Fri Dec 29 11:17:36 2017
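3.Continue by cracking the 11g-format password:
--//Note: the last 20 characters of the hash string are the salt, so a colon must be inserted at offset 40 of the hash string; otherwise the following error is reported: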
WARNING: Hashfile 'b.hash' on line 1 (54239BE4170EBBD3774EA9D03599088D331459353B8549A144E6FC622CDD): Line-length exception
Parsed Hashes: 1/1 (100.00%)
ERROR: No hashes loaded
R:\hashcat>hashcat64.exe --potfile-disable --force -a 3 -m 112 54239BE4170EBBD3774EA9D03599088D33145935:3B8549A144E6FC622CDD -1 Bb -2 oO -3 kK -4 123 ?1?4?2?4?3?4
hashcat (v3.00-1-g67a8d97) starting...
OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped
WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Early-Skip
* Not-Iterated
* Appended-Salt
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled
ATTENTION!
The wordlist or mask you are using is too small.
Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed
INFO: approaching final keyspace, workload adjusted
54239be4170ebbd3774ea9d03599088d33145935:3b8549a144e6fc622cdd:b1O2k3
Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (?1?4?2?4?3?4) [6]
Hash.Target....: 54239be4170ebbd3774ea9d03599088d33145935:...
Hash.Type......: Oracle S: Type (Oracle 11+)
Time.Started...: 0 secs
Speed.Dev.#1...: 7211 H/s (0.05ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 216/216 (100.00%)
Rejected.......: 0/216 (0.00%)
Started: Fri Dec 29 10:58:14 2017
Stopped: Fri Dec 29 10:58:16 2017
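--//Added example (not part of the original post): a Python sketch of the S: verifier layout described above, using the SCOTT row from this page. It splits spare4 at offset 40, recomputes SHA1(password || salt), and flags a row that still stores the case-insensitive 10g hash; the function names are illustrative, not Oracle or hashcat APIs.

```python
import hashlib
import hmac

# Values copied from the SCOTT row shown on this page.
SPARE4 = "S:54239BE4170EBBD3774EA9D03599088D331459353B8549A144E6FC622CDD"
PASSWORD_COL = "4A19A8DE4BA750F6"

def parse_spare4(spare4):
    """Return (sha1_hex, salt_hex) from the S: part of sys.user$.spare4."""
    for part in spare4.split(";"):          # tolerate further ';'-separated parts
        if part.startswith("S:"):
            body = part[2:]
            if len(body) != 60:             # 40 hex digest + 20 hex salt
                raise ValueError("S: verifier must be 60 hex chars")
            bytes.fromhex(body)             # ValueError if not hex
            return body[:40].lower(), body[40:].lower()
    raise ValueError("no S: verifier in spare4")

def to_mode112_line(spare4):
    """digest:salt, the layout -m 112 expects (colon at offset 40)."""
    return ":".join(parse_spare4(spare4))

def verify_11g(spare4, password):
    """Recompute SHA1(password || salt) and compare with the stored digest."""
    digest, salt = parse_spare4(spare4)
    calc = hashlib.sha1(password.encode("utf-8") + bytes.fromhex(salt)).hexdigest()
    return hmac.compare_digest(calc, digest)

def residual_keyspace(upper_password):
    """Case variants left once the case-insensitive 10g password is known."""
    return 2 ** sum(ch.isalpha() for ch in upper_password)

def audit_row(name, spare4, password_col):
    """Flag a row that still stores the case-insensitive 10g hash."""
    findings = []
    if password_col and password_col.strip():
        findings.append(name + ": legacy 10g hash present in PASSWORD")
    if spare4:
        parse_spare4(spare4)                # raises on a malformed verifier
    return findings

if __name__ == "__main__":
    print(to_mode112_line(SPARE4))
    print(verify_11g(SPARE4, "b1O2k3"), residual_keyspace("B1O2K3"))
    print(audit_row("SCOTT", SPARE4, PASSWORD_COL))
```

--//A non-empty result from audit_row means the case-sensitive password is only residual_keyspace() guesses away from the 10g value, which is the shortcut this section relies on.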
--//If some characters of the password are known, it can also be entered like this:
hashcat64.exe --potfile-disable --force -a 3 -m 112 54239BE4170EBBD3774EA9D03599088D33145935:3B8549A144E6FC622CDD b1?a2k?d
--//If the password is known to contain hexadecimal values that cannot be typed in, the parameter --hex-charset can be used => Assume charset is given in hex
$ echo -n 123|xxd -c 16 -g4
0000000: 313233 123
hashcat64.exe --potfile-disable --force -a 3 -m 3100 4A19A8DE4BA750F6:SCOTT --hex-charset -1 313233 ?u?1?u?1?u?1
4.Supplement:
OWNER NAME NAMESPACE TYPE HASH_VALUE FULL_HASH_VALUE STATUS
------ ----------------- --------- ------ ---------- -------------------------------- -------------------
SCOTT USERS_USERNAME_L1 INDEX INDEX 2934347769 f6834aac7908d9d4184ee11daee697f9 UNKOWN
--//Suppose I now want to verify how FULL_HASH_VALUE is calculated.
$ echo f6834aac7908d9d4184ee11daee697f9 | xxd -r -p | od -t x4
0000000 ac4a83f6 d4d90879 1de14e18 f997e6ae
0000020
--//Concatenate ac4a83f6 d4d90879 1de14e18 f997e6ae => ac4a83f6d4d908791de14e18f997e6ae
--//From the earlier study it is already known that the hashed string begins with USERS_USERNAME_L1.SCOTT
R:\hashcat>hashcat64.exe --potfile-disable --force -a 3 -m 0 ac4a83f6d4d908791de14e18f997e6ae USERS_USERNAME_L1.SCOTT?b?b?b?b
hashcat (v3.00-1-g67a8d97) starting...
OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped
WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled
ac4a83f6d4d908791de14e18f997e6ae:$HEX[55534552535f555345524e414d455f4c312e53434f545404000000]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (USERS_USERNAME_L1.SCOTT?b?b?b?b) [27]
Hash.Target....: ac4a83f6d4d908791de14e18f997e6ae
Hash.Type......: MD5
Time.Started...: 0 secs
Speed.Dev.#1...: 6467.3 kH/s (0.38ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 89088/4294967296 (0.00%)
Rejected.......: 0/89088 (0.00%)
Restore.Point..: 0/4294967296 (0.00%)
Started: Fri Dec 29 11:24:00 2017
Stopped: Fri Dec 29 11:24:02 2017
--//04000000 is appended at the end; my guess is that the 04 here is the namespace
SYS@book> select distinct kglhdnsp,kglhdnsd,kglobtyd from x$kglob where KGLHDNSD='INDEX';
KGLHDNSP KGLHDNSD KGLOBTYD
---------- -------- ---------
4 INDEX INDEX
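--//Added example (not part of the original post): the derivation above in Python. It rebuilds FULL_HASH_VALUE for the index row on this page as MD5(name.owner + namespace), treating the namespace as a 4-byte little-endian integer (which generalizes the guess about 04), and undoes the per-word byte swap done with xxd/od. That HASH_VALUE equals the last 8 hex digits is an observation that fits this one row; the function names are illustrative.

```python
import hashlib
import struct

def full_hash_value(owner, name, namespace):
    """MD5 over b'NAME.OWNER' plus the namespace as 4 little-endian bytes,
    shown the way the view prints it: each 32-bit word byte-swapped."""
    data = ("%s.%s" % (name, owner)).encode("ascii") + struct.pack("<I", namespace)
    digest = hashlib.md5(data).digest()
    # Read the digest as four little-endian words and print each as %08x.
    return "".join("%08x" % w for w in struct.unpack("<4I", digest))

def to_md5_hex(full_hash):
    """Undo the word swap: the 'xxd -r -p | od -t x4' step plus concatenation."""
    words = struct.unpack("<4I", bytes.fromhex(full_hash))
    return struct.pack(">4I", *words).hex()

def hash_value(full_hash):
    """Last 32-bit word of FULL_HASH_VALUE as a decimal (matches HASH_VALUE here)."""
    return int(full_hash[-8:], 16)

if __name__ == "__main__":
    fhv = full_hash_value("SCOTT", "USERS_USERNAME_L1", 4)
    print(fhv)               # compare with the FULL_HASH_VALUE column above
    print(to_md5_hex(fhv))   # the plain MD5 string passed to -m 0
    print(hash_value(fhv))   # compare with the HASH_VALUE column above
```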
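--//I still cannot work out how the FULL_HASH_VALUE of a dblink is calculated. I wonder whether anyone knows.
--//hashcat has many more features, such as using rules and so on. Quite complicated... For example, using a dictionary: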
R:\hashcat>cat d.dict
USERS_USERNAME_L1.SCOTT
hashcat64.exe --potfile-disable --force -a 6 -m 0 ac4a83f6d4d908791de14e18f997e6ae d.dict --hex-charset -1 00 -2 04 ?2?1?1?1