[20171229]Cracking Oracle passwords with hashcat 2.txt
--// A few days ago I learned to use hashcat to crack Oracle passwords; today I studied it in more depth and am adding some notes.
1. Environment:
SYS@book> @ &r/ver1
PORT_STRING                    VERSION        BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx            11.2.0.4.0     Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
SYS@book> column spare4 format a62
SYS@book> select NAME,SPARE4,PASSWORD from sys.user$ where name='SCOTT';
NAME                 SPARE4                                                         PASSWORD
-------------------- -------------------------------------------------------------- ------------------------------
SCOTT                S:54239BE4170EBBD3774EA9D03599088D331459353B8549A144E6FC622CDD 4A19A8DE4BA750F6
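--// The PASSWORD column holds the 10g-and-earlier format, whose stored password is case-insensitive. Use this property to crack that password first, then crack the real (case-sensitive) password; the search space shrinks considerably.
--// This example is used to learn some hashcat commands.
2. First crack the 10g-format password: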
hashcat64.exe --potfile-disable --force -a 3 -m 3100 4A19A8DE4BA750F6:SCOTT ?u?d?u?d?u?d
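--// Notes: --potfile-disable means a successful crack is not recorded in the file hashcat.pot. --force is needed mainly because of some driver problems with the version I use; it only runs with this parameter added.
--// In my earlier test I forgot the -a 3 parameter, so the mask at the end was invalid and an error was reported.
--// About the -a parameter: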
- [ Attack Modes ] -
# | Mode
===+======
0 | Straight
1 | Combination
3 | Brute-force
6 | Hybrid Wordlist + Mask
7 | Hybrid Mask + Wordlist
--// The mask at the end is ?u?d?u?d?u?d; see the charsets below. My mask is: uppercase + digit + uppercase + digit + uppercase + digit
- [ Built-in Charsets ] -
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
R:\hashcat>hashcat64.exe --potfile-disable --force -a 3 -m 3100 4A19A8DE4BA750F6:SCOTT ?u?d?u?d?u?d
hashcat (v3.00-1-g67a8d97) starting...
OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped
WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled
4A19A8DE4BA750F6:SCOTT:B1O2K3
Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (?u?d?u?d?u?d) [6]
Hash.Target....: 4A19A8DE4BA750F6:SCOTT
Hash.Type......: Oracle H: Type (Oracle 7+)
Time.Started...: 0 secs
Speed.Dev.#1...: 10512.3 kH/s (14.10ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 258048/17576000 (1.47%)
Rejected.......: 0/258048 (0.00%)
Restore.Point..: 0/67600 (0.00%)
Started: Fri Dec 29 11:17:34 2017
Stopped: Fri Dec 29 11:17:36 2017
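3. Continue with the 11g-format password:
--// Note that the last 20 characters of the hash string are the salt; a colon must be inserted at offset 40 of the hash string, otherwise the following error is reported: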
WARNING: Hashfile 'b.hash' on line 1 (54239BE4170EBBD3774EA9D03599088D331459353B8549A144E6FC622CDD): Line-length exception
Parsed Hashes: 1/1 (100.00%)
ERROR: No hashes loaded
R:\hashcat>hashcat64.exe --potfile-disable --force -a 3 -m 112 54239BE4170EBBD3774EA9D03599088D33145935:3B8549A144E6FC622CDD -1 Bb -2 oO -3 kK -4 123 ?1?4?2?4?3?4
hashcat (v3.00-1-g67a8d97) starting...
OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped
WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Early-Skip
* Not-Iterated
* Appended-Salt
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled
ATTENTION!
The wordlist or mask you are using is too small.
Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
The cracking speed will drop.
Workaround:
INFO: approaching final keyspace, workload adjusted
54239be4170ebbd3774ea9d03599088d33145935:3b8549a144e6fc622cdd:b1O2k3
Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (?1?4?2?4?3?4) [6]
Hash.Target....: 54239be4170ebbd3774ea9d03599088d33145935:...
Hash.Type......: Oracle S: Type (Oracle 11+)
Time.Started...: 0 secs
Speed.Dev.#1...: 7211 H/s (0.05ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 216/216 (100.00%)
Rejected.......: 0/216 (0.00%)
Started: Fri Dec 29 10:58:14 2017
Stopped: Fri Dec 29 10:58:16 2017
--// If some characters of the password are known, the mask can also be entered like this:
hashcat64.exe --potfile-disable --force -a 3 -m 112 54239BE4170EBBD3774EA9D03599088D33145935:3B8549A144E6FC622CDD b1?a2k?d
--// If the known characters can only be given in hexadecimal and cannot be typed directly, use the parameter --hex-charset => Assume charset is given in hex
$ echo -n 123|xxd -c 16 -g4
0000000: 313233 123
hashcat64.exe --potfile-disable --force -a 3 -m 3100 4A19A8DE4BA750F6:SCOTT --hex-charset -1 313233 ?u?1?u?1?u?1
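--// Added example (not part of the original notes): the two-stage idea above in Python. It splits SPARE4 at offset 40 into SHA-1 digest and salt, then checks the 8 case spellings of the 10g result against the 11g verifier SHA-1(password || salt). Function names are hypothetical; the hash values are the ones shown above.

```python
import hashlib
from itertools import product

# Values copied from the sys.user$ row and the hashcat output above.
SPARE4 = "S:54239BE4170EBBD3774EA9D03599088D331459353B8549A144E6FC622CDD"
UPPER_PW = "B1O2K3"  # result of the case-insensitive 10g (-m 3100) run


def split_spare4(spare4):
    """Return (digest_hex, salt_hex): 40 hex chars of SHA-1, then 20 of salt."""
    body = spare4[2:] if spare4.upper().startswith("S:") else spare4
    if len(body) != 60:
        raise ValueError("expected 60 hex characters after 'S:'")
    bytes.fromhex(body)  # raises ValueError if the value is not hex
    return body[:40].lower(), body[40:].lower()


def hashcat_line(spare4):
    """digest:salt form for -m 112; avoids the 'Line-length exception'."""
    return ":".join(split_spare4(spare4))


def verify_11g(spare4, password):
    """11g check: SHA-1 over the password bytes followed by the raw salt."""
    digest, salt = split_spare4(spare4)
    data = password.encode() + bytes.fromhex(salt)
    return hashlib.sha1(data).hexdigest() == digest


def case_variants(upper_pw):
    """Every upper/lower spelling of a password known only in upper case."""
    pools = [(c, c.lower()) if c.isalpha() else (c,) for c in upper_pw]
    return ["".join(p) for p in product(*pools)]


def resolve_case(spare4, upper_pw):
    """Return the case-sensitive password, or None if no spelling matches."""
    for candidate in case_variants(upper_pw):
        if verify_11g(spare4, candidate):
            return candidate
    return None


if __name__ == "__main__":
    print(hashcat_line(SPARE4))
    print(len(case_variants(UPPER_PW)), "case spellings to test")
    print(resolve_case(SPARE4, UPPER_PW))
```

--// As long as the 10g value stays in sys.user$.PASSWORD, the case-sensitive 11g password is only as strong as its upper-cased form.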
4. Supplement:
OWNER  NAME              NAMESPACE TYPE   HASH_VALUE FULL_HASH_VALUE                  STATUS
------ ----------------- --------- ------ ---------- -------------------------------- -------------------
SCOTT  USERS_USERNAME_L1 INDEX     INDEX  2934347769 f6834aac7908d9d4184ee11daee697f9 UNKOWN
--// Suppose I now want to verify how FULL_HASH_VALUE is computed.
$ echo f6834aac7908d9d4184ee11daee697f9 | xxd -r -p | od -t x4
0000000 ac4a83f6 d4d90879 1de14e18 f997e6ae
0000020
--// Concatenate ac4a83f6 d4d90879 1de14e18 f997e6ae => ac4a83f6d4d908791de14e18f997e6ae
--// From my earlier study I already know that the hashed string begins with USERS_USERNAME_L1.SCOTT
R:\hashcat>hashcat64.exe --potfile-disable --force -a 3 -m 0 ac4a83f6d4d908791de14e18f997e6ae USERS_USERNAME_L1.SCOTT?b?b?b?b
hashcat (v3.00-1-g67a8d97) starting...
OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
- Device #1: Turks, 766/1024 MB allocatable, 6MCU
- Device #2: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, skipped
WARNING: ADL_Overdrive6_TargetTemperatureData_Get is missing from ADL shared library.
Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled
ac4a83f6d4d908791de14e18f997e6ae:$HEX[55534552535f555345524e414d455f4c312e53434f545404000000]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (USERS_USERNAME_L1.SCOTT?b?b?b?b) [27]
Hash.Target....: ac4a83f6d4d908791de14e18f997e6ae
Hash.Type......: MD5
Time.Started...: 0 secs
Speed.Dev.#1...: 6467.3 kH/s (0.38ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 89088/4294967296 (0.00%)
Rejected.......: 0/89088 (0.00%)
Restore.Point..: 0/4294967296 (0.00%)
Started: Fri Dec 29 11:24:00 2017
Stopped: Fri Dec 29 11:24:02 2017
--// 04000000 is appended at the end; I suspect the 04 here is the namespace.
SYS@book> select distinct kglhdnsp,kglhdnsd,kglobtyd from x$kglob where KGLHDNSD='INDEX';
  KGLHDNSP KGLHDNSD KGLOBTYD
---------- -------- ---------
         4 INDEX    INDEX
--// I still cannot work out how FULL_HASH_VALUE is computed for a dblink. I don't know whether anyone knows.
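--// Added example (not part of the original notes): recomputing FULL_HASH_VALUE in Python from the layout the $HEX[...] result above revealed, i.e. MD5 over "NAME.OWNER" plus the namespace as a 4-byte little-endian integer, with the bytes of each 4-byte word reversed. Function names are hypothetical; that HASH_VALUE is the last 32 bits of FULL_HASH_VALUE is an observation that holds for the values printed above.

```python
import hashlib
import struct

# Values copied from the query output above.
FULL_HASH_VALUE = "f6834aac7908d9d4184ee11daee697f9"
HASH_VALUE = 2934347769
NAMESPACE_INDEX = 4  # kglhdnsp for KGLHDNSD='INDEX' in x$kglob


def swap_words(hex32):
    """Reverse the bytes inside each 4-byte word of a 16-byte hex string.

    Same effect as 'xxd -r -p | od -t x4' on a little-endian machine.
    """
    raw = bytes.fromhex(hex32)
    if len(raw) != 16:
        raise ValueError("expected 32 hex characters")
    return b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4)).hex()


def kgl_input(name, owner, namespace):
    """Byte string that gets hashed: NAME.OWNER followed by the namespace."""
    return f"{name}.{owner}".encode() + struct.pack("<I", namespace)


def full_hash_value(name, owner, namespace):
    """MD5 of kgl_input(), shown the way Oracle displays it (words swapped)."""
    md5_hex = hashlib.md5(kgl_input(name, owner, namespace)).hexdigest()
    return swap_words(md5_hex)


def hash_value(full_hash_hex):
    """HASH_VALUE as the last 32 bits of the displayed FULL_HASH_VALUE."""
    return int(full_hash_hex[-8:], 16)


if __name__ == "__main__":
    computed = full_hash_value("USERS_USERNAME_L1", "SCOTT", NAMESPACE_INDEX)
    print(swap_words(FULL_HASH_VALUE))   # the MD5 given to hashcat -m 0
    print(computed, computed == FULL_HASH_VALUE)
    print(hash_value(computed), hash_value(computed) == HASH_VALUE)
```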
--// hashcat has many more features, such as rules and so on. Quite complicated... For example, using a dictionary:
R:\hashcat>cat d.dict
USERS_USERNAME_L1.SCOTT
hashcat64.exe --potfile-disable --force -a 6 -m 0 ac4a83f6d4d908791de14e18f997e6ae d.dict --hex-charset -1 00 -2 04 ?2?1?1?1
From the "ITPUB blog", link: http://blog.itpub.net/267265/viewspace-2149495/. If you repost, please credit the source; otherwise legal liability will be pursued.