Penetration Testing mailing list archives

Re: Oracle Application Express / Password hashes


From: Per Thorsheim <per () thorsheim net>
Date: Wed, 20 Feb 2013 13:58:46 +0100

Passwords are stored as salted MD5 values according to programming4.us/database/8126.aspx

What you need after extracting the hash values is to use a password cracker that handles Oracle-specific salted MD5. Both John the Ripper & Hashcat can do that:

www.hashcat.net
www.openwall.com/john/

Both have forums where you can ask for help. There are also commercial services on top of these freeware tools to help you out, eventually to speed up the process.

Best regards,
Per Thorsheim
http://securitynirvana.blogspot.com/



On 20.02.2013 12:34, Guillaume Lopes wrote:
Hello all,

I have to crack password hashes from an Oracle application (APEX). The
version is APEX 4.0.

I have found documentation saying that password hashes are the
concatenation of the username, the password and the security group id
since APEX 3.0.

Do you know a tool or another way to retrieve clear passwords from hashes?

I tried to use Repscan but the free trial seems to have a bug.

Regards,
Guillaume


