Discussion:
Oracle Application Express / Password hashes
Dhiru Kholia
2013-02-21 12:23:19 UTC
I have to crack password hashes from an Oracle application (APEX). The
version is APEX 4.0.
Do you know a tool or another way to retrieve clear passwords from hashes?
Please bring this topic to "john-users" mailing list. JtR folks might
be able to help you.
I was able to figure out the details of APEX 4.2.1 "default" hashing algorithm.

In short, stored hash = hashlib.md5(password + sgid + username).hexdigest()

I am posting a set of scripts to help in dumping APEX hashes from an
Oracle database and then subsequently cracking them using JtR-jumbo.

For step-by-step instructions, please see attached
README-apex-cracking.txt file.

✗ ../run/john -fo:dynamic_1 -t
Benchmarking: dynamic_1: md5($p.$s) (joomla) [128/128 SSE2 intrinsics 10x4x3]... DONE
Many salts: 14166K c/s real, 14166K c/s virtual
Only one salt: 10305K c/s real, 10305K c/s virtual

AFAIK commercial cracking tools (for APEX hashes) don't even come
close to JtR's speed ;)
--
Dhiru
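
The construction described in the post above, as an added example that is not part of the original thread and is not the attached apex2john.py. The function names, the UTF-8 encoding and the sample account are assumptions. It shows why dynamic_1 (md5($p.$s)) fits: the "salt" is simply sgid + username.

```python
import hashlib
import hmac
import string

def apex_hash(password: str, sgid: str, username: str) -> str:
    """Hex MD5 of password + sgid + username, as stated in the post above."""
    # Assumption: strings are UTF-8 encoded before hashing.
    return hashlib.md5((password + sgid + username).encode("utf-8")).hexdigest()

def normalize_hash(stored_hash: str) -> str:
    """Return the lowercase hash, rejecting anything that is not 32 hex digits."""
    h = stored_hash.strip().lower()
    if len(h) != 32 or any(c not in string.hexdigits for c in h):
        raise ValueError("expected 32 hex digits")
    return h

def verify(password: str, sgid: str, username: str, stored_hash: str) -> bool:
    """Check one known password against a stored hash (constant-time compare)."""
    return hmac.compare_digest(apex_hash(password, sgid, username),
                               normalize_hash(stored_hash))

def to_dynamic_1(username: str, sgid: str, stored_hash: str) -> str:
    """Build a 'user:$dynamic_1$hash$salt' line; dynamic_1 is md5($p.$s).

    The salt is sgid + username, so it is fixed per account and known to
    anyone who can read the user table; it adds no secret and no work factor.
    """
    salt = sgid + username
    if not salt or any(c in salt for c in ":$\r\n"):
        raise ValueError("salt would break the field layout")
    return f"{username}:$dynamic_1${normalize_hash(stored_hash)}${salt}"

# Constructed sample account (not taken from any real system).
SAMPLE_USER, SAMPLE_SGID, SAMPLE_PASSWORD = "ADMIN", "1234567890", "Passw0rd!"

if __name__ == "__main__":
    stored = apex_hash(SAMPLE_PASSWORD, SAMPLE_SGID, SAMPLE_USER)
    print(to_dynamic_1(SAMPLE_USER, SAMPLE_SGID, stored.upper()))
    print(verify(SAMPLE_PASSWORD, SAMPLE_SGID, SAMPLE_USER, stored))
```

A single unkeyed MD5 over predictable inputs is what makes the benchmark figures in the post possible.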
magnum
2013-02-28 22:15:20 UTC
Post by Dhiru Kholia
I was able to figure out the details of APEX 4.2.1 "default" hashing algorithm.
In short, stored hash = hashlib.md5(password + sgid + username).hexdigest()
I am posting a set of scripts to help in dumping APEX hashes from an
Oracle database and then subsequently cracking them using JtR-jumbo.
For step-by-step instructions, please see attached
README-apex-cracking.txt file.
Things like this are good to have documented. I suppose you could commit this to bleeding (and even to unstable btw) - the README in doc/ and apex2john.py in run/. The dump-apex-hashes.sql I'm not sure... maybe that too in doc? Or unused? Maybe we need another directory?

If nothing else you could inline dump-apex-hashes.sql after a scissors line in the readme.

magnum
Dhiru Kholia
2013-03-02 09:50:29 UTC
Post by magnum
Post by Dhiru Kholia
I am posting a set of scripts to help in dumping APEX hashes from an
Oracle database and then subsequently cracking them using JtR-jumbo.
Things like this are good to have documented. I suppose you could commit this to bleeding (and even to unstable btw) - the README in doc/ and apex2john.py in run/. The dump-apex-hashes.sql I'm not sure... maybe that too in doc? Or unused? Maybe we need another directory?
I have pushed a commit to bleeding-jumbo,

commit 6079c48488d2247b48155c642f55bb8889ba630a
Author: Dhiru Kholia <dhiru-cxoSlKxDwOJWk0Htik3J/***@public.gmane.org>
Date: Sat Mar 2 15:02:18 2013 +0530

Information on cracking Oracle APEX hashes


If it looks OK, I can push it to unstable-jumbo too.
--
Dhiru
magnum
2013-03-02 10:32:15 UTC
Post by Dhiru Kholia
Post by magnum
Post by Dhiru Kholia
I am posting a set of scripts to help in dumping APEX hashes from an
Oracle database and then subsequently cracking them using JtR-jumbo.
Things like this are good to have documented. I suppose you could commit this to bleeding (and even to unstable btw) - the README in doc/ and apex2john.py in run/. The dump-apex-hashes.sql I'm not sure... maybe that too in doc? Or unused? Maybe we need another directory?
I have pushed a commit to bleeding-jumbo,
commit 6079c48488d2247b48155c642f55bb8889ba630a
Date: Sat Mar 2 15:02:18 2013 +0530
Information on cracking Oracle APEX hashes
If it looks OK, I can push it to unstable-jumbo too.
--
Dhiru
Looks fine. I cherry-picked it to unstable.

magnum
