Oracle (10G and lower) Hash Support?

Discussion and support for the CUDA Multiforcers (Windows and Linux)

Postby aliby » Wed Feb 29, 2012 6:09 pm

Hey there,

Was curious if you had considered adding support for Oracle hashes (10g and lower)? The hash format is: DES($salt.$pass), where $salt = the account name/username.

Thanks!
aliby
 
Posts: 13
Joined: Sat Jan 09, 2010 4:15 pm

Re: Oracle (10G and lower) Hash Support?

Postby Bitweasil » Wed Feb 29, 2012 8:38 pm

DES takes a 56 bit input...

Can you provide me a link to an implementation or details?
Bitweasil
Site Admin
 
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Oracle (10G and lower) Hash Support?

Postby aliby » Wed Feb 29, 2012 8:58 pm

Whoops, may have spoken too soon/misunderstood, but here goes:

http://www.red-database-security.com/wh ... words.html

And to quote/paraphrase this post: http://groups.google.com/group/comp.dat ... 7a977fb6ed

Implementation:
1. Upshift password, convert to 16 bits per character, and place result left justified in an 80 byte array of zeros.
2. Using DES in cipher block feedback mode compute the CBC checksum for the 80 byte password array using a fixed secret password (you can find it in the code if you look hard enough). The result is used as the key for the next step, ignoring parity bits to produce a 56 bit key from the CBC.
3. Upshift password, and convert to 16 bits per character, and place result left justified in an 80 byte array of zeros.
4. Using DES in cipher block feedback mode compute the CBC checksum for the 80 byte username array using the key generated in step 2.
5. Convert the CBC checksum from step 4 into a printable string with the obvious algorithm.


And a few more resources:

http://jchblue.blogspot.com/2010/04/ora ... rithm.html
http://freeworld.thc.org/papers/thc-orakelsniffert.pdf
aliby
 
Posts: 13
Joined: Sat Jan 09, 2010 4:15 pm

Re: Oracle (10G and lower) Hash Support?

Postby Bitweasil » Wed Feb 29, 2012 10:38 pm

Eewwww...

Yeah, I'll see what I can hammer out. Some working C source would be quite useful if you had time to write it up.
Bitweasil
Site Admin
 
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Oracle (10G and lower) Hash Support?

Postby Sc00bz » Thu Mar 01, 2012 12:10 am

This might help; it has working PHP code, although I cheated by using mcrypt_encrypt(MCRYPT_DES, ..., 'cbc', ...)

http://www.tobtu.com/oracle.php
Sc00bz
 
Posts: 93
Joined: Thu Jan 22, 2009 9:31 pm

Re: Oracle (10G and lower) Hash Support?

Postby aliby » Thu Mar 01, 2012 2:53 pm

Thanks Sc00bz for the code and Bitweasil for trying to implement it :)

Oh, also, apparently HashKill has support for what they call "oracle-old," which is the 10G and lower algorithm. Latest source is available here: http://www.gat3way.eu/hashkill/index.php?page=download. I've attached the source of the oracle-old plugin, in case it might help.

Unfortunately I don't have a CUDA enabled Linux box at the moment, and I can't seem to get HashKill to compile on my Mac. Oh, that, and I just like the Cryptohaze-Multiforcer better :-p

Thanks guys!
Attachments
oracle-old.zip
(1.83 KiB) Downloaded 287 times
aliby
 
Posts: 13
Joined: Sat Jan 09, 2010 4:15 pm

Re: Oracle (10G and lower) Hash Support?

Postby Bitweasil » Thu Mar 01, 2012 3:26 pm

Sweet. I'll see what I can do with it once I get the framework a bit better sorted out. :)
Bitweasil
Site Admin
 
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Oracle (10G and lower) Hash Support?

Postby aliby » Wed Mar 07, 2012 8:57 pm

So, after finally getting around to configuring Backtrack on a Linux box with an NVIDIA card in it, I realized/found out that hashkill does NOT in fact use CUDA for the oracle-old plugin. It ends up using the CPU instead.

So, if you could implement this, that would be awesome (as I've got a nice list of Oracle hashes sitting here that need breaking...)

Thanks! :)
aliby
 
Posts: 13
Joined: Sat Jan 09, 2010 4:15 pm

Re: Oracle (10G and lower) Hash Support?

Postby Bitweasil » Thu Mar 08, 2012 5:32 am

What file format do you have them in?

It looks like it should be fairly straightforward to implement. I've got a DES engine.
Bitweasil
Site Admin
 
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Oracle (10G and lower) Hash Support?

Postby aliby » Thu Mar 08, 2012 12:37 pm

Currently they're set up as $username:$hash (which in Oracle's hashing algorithm means $salt:$hash) in a text file. Fortunately, with CPU-based hybrid dictionary and markov attacks, I have gotten 32% of the passwords cracked so far (using a combination of PasswordsPro and Hashkill).

I would love to increase that percentage using some GPU power :)
aliby
 
Posts: 13
Joined: Sat Jan 09, 2010 4:15 pm
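
The hash format discussed in this thread, DES($salt.$pass) stored as $username:$hash, as an added Go example (not code from the thread, HashKill or Cryptohaze) that also shows two properties an auditor should know: case is folded and the username/password boundary is not part of the hash. Assumptions: the publicly documented fixed key 0123456789ABCDEF, username and password concatenated and zero-padded to a DES block multiple rather than placed in 80 byte arrays, and the hypothetical names OracleOldHash and MatchesLine.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

var fixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF} // assumption: documented key, not stated in the thread

// cbcLastBlock DES-CBC-encrypts buf (zero IV) and returns the final 8-byte block.
func cbcLastBlock(key, buf []byte) []byte {
	block, err := des.NewCipher(key) // the 8 parity bits of the key are ignored
	if err != nil {
		panic(err) // only reachable if key is not 8 bytes long
	}
	out := make([]byte, len(buf))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, buf)
	return out[len(out)-des.BlockSize:]
}

// OracleOldHash (hypothetical name) hashes username (the salt) plus password.
func OracleOldHash(user, pass string) string {
	if user == "" {
		return "" // account names are never empty; avoids an empty buffer
	}
	units := utf16.Encode([]rune(strings.ToUpper(user + pass)))
	buf := make([]byte, (len(units)*2+7)/8*8) // zero-padded to a block multiple
	for i, u := range units {
		buf[2*i], buf[2*i+1] = byte(u>>8), byte(u) // 16 bits per character
	}
	key2 := cbcLastBlock(fixedKey, buf) // first pass yields the second key
	return strings.ToUpper(hex.EncodeToString(cbcLastBlock(key2, buf)))
}

// MatchesLine (hypothetical name) checks a candidate against "username:hash".
func MatchesLine(line, candidate string) bool {
	p := strings.SplitN(strings.TrimSpace(line), ":", 2)
	return len(p) == 2 && p[0] != "" && strings.EqualFold(OracleOldHash(p[0], candidate), p[1])
}

func main() {
	fmt.Println(OracleOldHash("SCOTT", "TIGER")) // documented demo account
	fmt.Println(OracleOldHash("scott", "tiger")) // same hash: case is folded
	fmt.Println(OracleOldHash("SCOT", "TTIGER")) // same hash: boundary is lost
}
```

Because only the concatenated, upper-cased string is hashed, the username adds no separation between accounts whose name and password run together the same way.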
