Nmap Development mailing list archives
Re: Script suggestion - oracle
From: David Fifield <david () bamsoftware com>
Date: Thu, 4 Oct 2012 08:22:18 -0700
On Thu, Oct 04, 2012 at 09:48:43AM +0200, Martin Holst Swende wrote:
On 09/30/2012 05:46 AM, Dhiru Kholia wrote:I have authored JtR and Ettercap plug-ins to exploit the cryptographic flaw in Oracle Database authentication protocol. See http://www.openwall.com/lists/john-users/2012/09/29/2 s ✗ ../run/john -fo:o5logon -t Benchmarking: Oracle O5LOGON protocol [32/64]... DONE Raw: 748982 c/s real, 754370 c/s virtual This is ~2.5X faster than Marcel's tool (http://marcel.vandewaters.nl/oracle/security/cryptographic-flaws-in-oracle-database-authentication-protocol). oracle-brute.nse script is failing for me. I have sent an email to Patrik (along with .pcap files) to debug the issue. Once this is sorted out, I will try to figure out how do to stealth attack against Oracle databases.I'd suggest that the we just modify the oracle-enum-users to dump out the salt and auth_vfr_data in a format which can be consumed by john, instead of actually adding password cracking. That is the same approach as in http-domino-enum-users, where the script output tells the user what jtr --format to use for the hashes. /Martin
Good idea, I agree with this. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Script suggestion - oracle Martin Holst Swende (Oct 04)
- Re: Script suggestion - oracle David Fifield (Oct 04)
- Re: Script suggestion - oracle Dhiru Kholia (Oct 04)
- Re: Script suggestion - oracle Richard Miles (Oct 04)
- Re: Script suggestion - oracle Dhiru Kholia (Oct 04)
- <Possible follow-ups>
- Re: Script suggestion - oracle Dhiru Kholia (Oct 06)
- Re: Script suggestion - oracle Dhiru Kholia (Oct 06)
- Re: Script suggestion - oracle Patrik Karlsson (Oct 06)
- Re: Script suggestion - oracle Richard Miles (Oct 10)
- Re: Script suggestion - oracle Abuse 007 (Oct 10)
- Re: Script suggestion - oracle Dhiru Kholia (Oct 06)
- Re: Script suggestion - oracle Richard Miles (Oct 10)
- Re: Script suggestion - oracle David Fifield (Oct 04)
- Re: Script suggestion - oracle Richard Miles (Oct 10)