Brute-Forcing Oracle Database Passwords

I. Verifying that you cannot log in as a user whose password you do not know by changing that user's password value

[oracle@node1 ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on Mon Nov 7 12:22:46 2011

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> grant create session to xff identified by xifenfei;

Grant succeeded.

SQL> conn xff/xifenfei
Connected.
SQL> conn / as sysdba
Connected.
SQL> grant create session to chf identified by xifenfei;

Grant succeeded.

SQL> conn chf/xifenfei
Connected.

SQL> conn / as sysdba
Connected.
SQL> desc user$
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 USER#                                     NOT NULL NUMBER
 NAME                                      NOT NULL VARCHAR2(30)
 TYPE#                                     NOT NULL NUMBER
 PASSWORD                                           VARCHAR2(30)
 DATATS#                                   NOT NULL NUMBER
 TEMPTS#                                   NOT NULL NUMBER
 CTIME                                     NOT NULL DATE
 PTIME                                              DATE
 EXPTIME                                            DATE
 LTIME                                              DATE
 RESOURCE$                                 NOT NULL NUMBER
 AUDIT$                                             VARCHAR2(38)
 DEFROLE                                   NOT NULL NUMBER
 DEFGRP#                                            NUMBER
 DEFGRP_SEQ#                                        NUMBER
 ASTATUS                                   NOT NULL NUMBER
 LCOUNT                                    NOT NULL NUMBER
 DEFSCHCLASS                                        VARCHAR2(30)
 EXT_USERNAME                                       VARCHAR2(4000)
 SPARE1                                             NUMBER
 SPARE2                                             NUMBER
 SPARE3                                             NUMBER
 SPARE4                                             VARCHAR2(1000)
 SPARE5                                             VARCHAR2(1000)
 SPARE6                                             DATE

SQL> select name,password from user$ where name in('XFF','CHF');

NAME                           PASSWORD
------------------------------ ------------------------------
CHF                            F3CF2F0CB35CB6CA
XFF                            1B60F4BFF1DAB500

SQL> alter user xff identified by values 'F3CF2F0CB35CB6CA';

User altered.

SQL> select name,password from user$ where name in('XFF','CHF');

NAME                           PASSWORD
------------------------------ ------------------------------
CHF                            F3CF2F0CB35CB6CA
XFF                            F3CF2F0CB35CB6CA

SQL> conn xff/xifenfei
ERROR:
ORA-01017: 用户名/口令无效; 登录被拒绝


Warning: You are no longer connected to ORACLE.
SQL> conn chf/xifenfei
Connected.

SQL> conn / as sysdba
Connected.
SQL> alter user xff identified by values '1B60F4BFF1DAB500';

User altered.

SQL> conn xff/xifenfei
Connected.

Note: this experiment was run on 11g, and 10g gives the same result; in Oracle 9i it is possible to log in by changing the password's values string.
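An added audit example (not part of the original post) for the defender's side of this experiment: it classifies rows selected from user$ by the verifiers they store and flags legacy 16-hex hashes, including a hash shared by two accounts, which is what the identified by values copy above leaves behind. The SPARE4 values and the APP account are constructed placeholders, and the S:/H:/T: prefix labels are an assumption about the 11g and later SPARE4 layout, which this page does not show.

```python
import re
from collections import defaultdict

LEGACY_RE = re.compile(r"^[0-9A-F]{16}$")              # user$.password format seen above
SPARE4_LABELS = {"S": "11G", "H": "HTTP", "T": "12C"}  # assumed SPARE4 prefixes

def verifier_versions(password, spare4):
    """List the verifier types one account stores."""
    versions = []
    if password and LEGACY_RE.match(password.strip().upper()):
        versions.append("10G")
    for part in (spare4 or "").split(";"):
        prefix, sep, value = part.strip().partition(":")
        if sep and value and prefix in SPARE4_LABELS:
            versions.append(SPARE4_LABELS[prefix])
    return versions

def audit(rows):
    """rows: (name, password, spare4) tuples. Returns sorted (name, finding) pairs."""
    findings, by_hash = [], defaultdict(list)
    for name, password, spare4 in rows:
        versions = verifier_versions(password, spare4)
        if "10G" not in versions:
            continue
        by_hash[password.strip().upper()].append(name)
        if versions == ["10G"]:
            findings.append((name, "only the legacy verifier is stored"))
        else:
            findings.append((name, "legacy verifier stored next to " + "/".join(versions[1:])))
    for names in by_hash.values():
        if len(names) > 1:
            # The account name is an input to the legacy hash, so equal values
            # under different names point to a copied hash, not an equal password.
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append((name, "hash shared with " + others))
    return sorted(findings)

# Constructed sample: the two hashes are the state shown above after
# "alter user xff identified by values"; SPARE4 values are placeholders.
SAMPLE_ROWS = [
    ("CHF", "F3CF2F0CB35CB6CA", "S:" + "0" * 60),
    ("XFF", "F3CF2F0CB35CB6CA", None),
    ("APP", None, "S:" + "1" * 60),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ROWS):
        print(f"{name}: {finding}")
```

Accounts reported with a legacy verifier are the ones whose hashes the tools in the following sections can work on, so they are the first candidates for a password reset under a stronger verifier policy.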

II. Cracking database passwords with orabf
1. Change the database passwords

SQL> conn / as sysdba
Connected.
SQL> alter user xff identified by xff01;

User altered.

SQL> alter user chf identified by chf00; 

User altered.

SQL> select name,password from user$ where name in('XFF','CHF');

NAME                           PASSWORD
------------------------------ ------------------------------
CHF                            05BD6F8AB28BD8CA
XFF                            A51B3879056B3DDD

2. Using orabf

C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------

usage: orabf [hash]:[username] [options]

options:
-c [num]  complexity: a number in [1..6] or a filename
   -      read words from stdin
   [file] read words from file
   1      numbers
   2      alpha
   3      alphanum
   4      standard oracle (alpha)(alpha,num,_,#,$)... (default)
   5      entire keyspace (' '..'~')
   6      custom (charset read from first line of file: charset.orabf)
-m [num]  max pwd len: must be in the interval [1..14] (default: 14)
-n [num]  min pwd len: must be in the interval [1..14] (default: 1)
-r        resume: tries to resume a previous session


C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf A51B3879056B3DDD:XFF

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done

Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_

press 'q' to quit. any other key to see status

current password: D9X50
9229361 passwords tried. elapsed time 00:00:13. t/s:697938

current password: HI0QJ
18967617 passwords tried. elapsed time 00:00:27. t/s:698403

current password: OB#QD
34743632 passwords tried. elapsed time 00:00:49. t/s:698844

password found: XFF:XFF01

55826385 passwords tried. elapsed time 00:01:19. t/s:704047


C:\Users\XIFENFEI\Downloads\orabf-v0.7.6>orabf 05BD6F8AB28BD8CA:CHF -c 3 -n 4 -m 6

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done

Starting brute force session using charset:
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ

press 'q' to quit. any other key to see status

password found: CHF:CHF00

22647601 passwords tried. elapsed time 00:00:31. t/s:719113

Note: -c 6 does not run properly; I am not sure whether that is caused by my Windows 7 system.

III. Cracking database passwords with ops_sse2
1. The password value of the sys user

SQL> select password from user$ where name='SYS';

PASSWORD
------------------------------
18698BFD1A045BCC

2. Using ops_sse2

C:\Users\XIFENFEI\Downloads\ops_SIMD_win32>ops_sse2
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev <dennis@conus.info>
Compiled @ Apr  5 2011 12:13:15
Demo version, supporting only SYS usernames.
Usage:

  ops_sse2.exe --hashlist=filename.txt
    [--min=min_password_length] [--max=max_password_length]
    [--first_symbol_charset=characters] [--charset=characters]
    [--results=filename.txt]

hashlist file format:
username:hash:comment_or_SID

By default, results are dumped to stdout.
This can be changed by setting --results option

Default values:
  min_password_length=1
  max_password_length=8
  first_symbol_charset=ABCDEFGHIJKLMNOPQRSTUVWXYZ
  charset=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$_

# Contents of ops_file.txt
SYS:18698BFD1A045BCC:xff

C:\Users\XIFENFEI\Downloads\ops_SIMD_win32>ops_sse2 --hashlist=ops_file.txt --min=6  --charset=CDEFNHITX
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev <dennis@conus.info>
Compiled @ Apr  5 2011 12:13:15
Demo version, supporting only SYS usernames.
username=SYS: 1 unsolved hash(es) left
Checking 6-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 7-symbol passwords for username SYS
overall progress= 98% / time remaining:
time elapsed: 12s, ~ 1160449 passwords/hashes per second
username=SYS: 1 unsolved hash(es) left
Checking 8-symbol passwords for username SYS
overall progress= 91% / time remaining: 8s
time elapsed: 1m31s, ~ 1248875 passwords/hashes per second
SYS/xff: Found password: XIFENFEI
SYS:XIFENFEI:xff

Note: the demo version can only be used to crack the sys user's password, and the password length cannot exceed 8.

Taking the experiments above together: both tools have shortcomings, but comparatively orabf is the more capable cracker.
orabf-v0.7.6 download
ops_SIMD_win32
ops_SIMD_linux86

Reference: What to do if you forget an Oracle user password?

ORA-600 [12235]

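During this morning's routine check of the database servers in each region, I found that the Inner Mongolia Telecom database server had reported an ORA-600 [12235] error.
I. Error symptoms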

alert_txzldb.log:
Sun Nov  6 09:34:57 2011
Errors in file /opt/oracle/admin/txzldb/bdump/txzldb_ora_8253.trc:
ORA-00600: internal error code, arguments: [12235], [], [], [], [], [], [], []
Contents of txzldb_ora_8253.trc:
Oracle program name: oracle@database.localdomain
*** 2011-11-06 09:34:57.530
ksedmp: internal or fatal error
ORA-00600: internal error code, arguments: [12235], [], [], [], [], [], [], []
Current SQL information unavailable - no session.
----- Call Stack Trace -----
calling              call     entry                argument values in hex      
location             type     point                (? means dubious value)     
-------------------- -------- -------------------- ----------------------------
ksedmp()+269         call     ksedst()+0           0 ? 0 ? 0 ? 0 ? 0 ? 0 ?
ksfdmp()+14          call     ksedmp()+0           3 ? BFFFECA0 ? 98584A4 ?
                                                   AD58F60 ? 3 ? A4B929C ?
kgeriv()+188         call     ksfdmp()+0           AD58F60 ? 3 ?
kgesiv()+113         call     kgeriv()+0           AD58F60 ? 0 ? 2FCB ? 0 ?
                                                   BFFFED0C ?
ksesic0()+39         call     kgesiv()+0           AD58F60 ? 0 ? 2FCB ? 0 ?
                                                   BFFFED0C ? 2FCB ? 0 ?
                                                   BFFFED0C ?
opirip()+519         call     ksesic0()+0          2FCB ? AD5903C ? BFFFF6AC ?
                                                   FFFFFFFF ? BFFFF814 ? 1 ?
opidrv()+462         call     opirip()+0           32 ? 0 ? 0 ?
sou2o()+25           call     opidrv()+0           32 ? 0 ? 0 ?
main()+355           call     sou2o()+0            BFFFF814 ? 32 ? 0 ? 0 ?
                                                   BFFFF840 ? 0 ?
__libc_start_main()  call     main()+0             1 ? BFFFF894 ? BFFFF89C ?
+161                                               96DFD4 ? 1 ? 8208E40 ?
 
--------------------- Binary Stack Dump ---------------------
 
========== FRAME [1] (ksedmp()+269 -> ksedst()+0) ==========
Dump of memory from 0xBFFFEB64 to 0xBFFFEC64
BFFFEB60          BFFFEC64 0820B6F8 00000000      [d..... .....]
BFFFEB70 00000000 00000000 00000000 00000000  [................]
        Repeat 2 times
………………

II. Database version

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
PL/SQL Release 9.2.0.4.0 - Production
CORE    9.2.0.3.0       Production
TNS for Linux: Version 9.2.0.4.0 - Production
NLSRTL Version 9.2.0.4.0 - Production

III. MOS information
According to the MOS recommendation, this error can be ignored and does not need much attention.

ORA-600 [12235] "Oracle process has no purpose in life !" [ID 33174.1]
ERROR:            
  ORA-600 [12235] [a] [b] [c] [d] [e]

VERSIONS:
  versions 7.0 to 9.2

DESCRIPTION:      
  This error shows up when Oracle detects an Oracle defunct process.
  When an Oracle process starts up, it reads data from the SGA that defines
  what type of process it should become.
  If the process does not locate any valid customization data, it reports 
  ORA-600 [12235] and exits.
  On a heavily loaded system, ORA-600 [12235] may be a symptom that the server 
  process was too slow in starting. That is, the process that initiated the 
  new server may timeout waiting for the new process to start and abandon the 
  new server request.  In the new server process it is possible that the new 
  server reaches the code to customize its operation before the os request to 
  kill the process is actioned.  The messages "ksbsrv: No startup 
  acknowledgement from forked process ..." and "Timed out trying to start 
  shared server ..." may be reported to trace and alert files.

SUGGESTIONS:
  Ignore the error.
  One of the most common reasons for this error to be reported is that 
  someone typed 'oracle' manually at the OS prompt.
  If this error is reported regularly and appears not to be explained
  by comments made in this note, contact Oracle Support Services.

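IV. Reproducing the error
According to the MOS note, running oracle at the OS level also produces this error; reproducing it with the oracle command gives the result below.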

[oracle@database ~]$ oracle
[oracle@database ~]$ oracle
[oracle@database ~]$ tail  $ORACLE_BASE/admin/$ORACLE_SID/bdump/alert_$ORACLE_SID.log
Mon Nov  7 11:10:25 2011
Errors in file /opt/oracle/admin/txzldb/bdump/txzldb_ora_27108.trc:
ORA-00600: internal error code, arguments: [12235], [], [], [], [], [], [], []
Mon Nov  7 11:10:27 2011
Errors in file /opt/oracle/admin/txzldb/bdump/txzldb_ora_1281.trc:
ORA-00600: internal error code, arguments: [12235], [], [], [], [], [], [], []
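The MOS note separates an occasional ORA-600 [12235] from one that is "reported regularly", so the added example below (not part of the original post) extracts each occurrence from an alert log with its timestamp and trace file and counts them per day. The sample reuses the alert-log lines shown on this page plus one constructed noise line; the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Alert-log layout as shown above: a timestamp line, an "Errors in file" line,
# then the ORA-00600 line carrying the first argument in brackets.
TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}$")
TRC_RE = re.compile(r"^Errors in file (\S+):$")
ORA600_RE = re.compile(r"^ORA-00600: .*arguments: \[(\w+)\]")

def find_ora600(lines, first_arg="12235"):
    """Return (timestamp, trace_file) for each ORA-00600 with the given first argument."""
    events, stamp, trace = [], None, None
    for raw in lines:
        line = raw.rstrip()
        if TS_RE.match(line):
            stamp = datetime.strptime(line, "%a %b %d %H:%M:%S %Y")
            trace = None                      # a new entry starts here
        elif (m := TRC_RE.match(line)):
            trace = m.group(1)
        elif (m := ORA600_RE.match(line)) and m.group(1) == first_arg:
            events.append((stamp, trace))
    return events

def per_day(events):
    """Count occurrences per calendar day to judge whether the error is regular."""
    return Counter(ts.date().isoformat() for ts, _ in events if ts)

SAMPLE_ALERT_LOG = """\
Sun Nov  6 09:34:57 2011
Errors in file /opt/oracle/admin/txzldb/bdump/txzldb_ora_8253.trc:
ORA-00600: internal error code, arguments: [12235], [], [], [], [], [], [], []
Mon Nov  7 08:00:00 2011
Thread 1 advanced to log sequence 100 (constructed noise line)
Mon Nov  7 11:10:25 2011
Errors in file /opt/oracle/admin/txzldb/bdump/txzldb_ora_27108.trc:
ORA-00600: internal error code, arguments: [12235], [], [], [], [], [], [], []
Mon Nov  7 11:10:27 2011
Errors in file /opt/oracle/admin/txzldb/bdump/txzldb_ora_1281.trc:
ORA-00600: internal error code, arguments: [12235], [], [], [], [], [], [], []
""".splitlines()

if __name__ == "__main__":
    for ts, trc in find_ora600(SAMPLE_ALERT_LOG):
        print(ts, trc)
    print(dict(per_day(find_ora600(SAMPLE_ALERT_LOG))))
```

The timestamps can then be compared with login sessions and shell history on the database host, since the note names a manually typed oracle command as one of the most common causes.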