Penetration Testing mailing list archives
Re: Oracle Application Express / Password hashes
From: Per Thorsheim <per () thorsheim net>
Date: Wed, 20 Feb 2013 13:58:46 +0100
Passwords are stored as salted MD5 values according to programming4.us/database/8126.aspx
What you need after extracting the hash values is to use a password cracker that handles Oracle-specific salted MD5. Both John the Ripper & Hashcat can do that:
www.hashcat.net
www.openwall.com/john/
Both have forums where you can ask for help. There are also commercial services on top of these freeware tools to help you out, eventually to speed up the process.
Best regards,
Per Thorsheim
http://securitynirvana.blogspot.com/

On 20.02.2013 12:34, Guillaume Lopes wrote:
Hello all,
I have to crack password hashes from an Oracle application (APEX). The version is APEX 4.0. I have found documentation saying that password hashes are the concatenation of the username, the password and the security group id since APEX 3.0. Do you know a tool or another way to retrieve clear passwords from hashes? I tried to use Repscan but the free trial seems to have a bug.
Regards,
Guillaume