From 00f249ea8566432e78edc7dafe36dfee6f5ddffb Mon Sep 17 00:00:00 2001
From: k4amos
Date: Mon, 30 Dec 2024 14:33:08 +0100
Subject: [PATCH 1/2] o5logon format: Fix the bug with long Oracle passwords
---
 src/o5logon_fmt_plug.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/o5logon_fmt_plug.c b/src/o5logon_fmt_plug.c
index 498f2d6b1f..cc1567d58c 100644
--- a/src/o5logon_fmt_plug.c
+++ b/src/o5logon_fmt_plug.c
@@ -72,6 +72,7 @@ static struct fmt_tests o5logon_tests[] = {
 {"$o5logon$A10D52C1A432B61834F4B0D9592F55BD0DA2B440AEEE1858515A646683240D24A61F0C9366C63E93D629292B7891F44A*878C0B92D61A594F2680", "m3ow00"},
 {"$o5logon$52696131746C356643796B6D716F46474444787745543263764B725A6D756A69E46DE32AFBB33E385C6D9C7031F4F2B9*3131316D557239736A65", "123456"},
 {"$o5logon$4336396C304B684638634450576B30397867704F54766D71494F676F5A5A386F09F4A10B5908B3ED5B1D6878A6C78751*573167557661774E7271", ""},
+ {"$o5logon$4D04DBD23D103F05D9B57EB6EC14D83A0A468AB906EAC907D3A8C796573E5F34BC15F0ECBC9EAC0350A38A663A368233*442192E518F6F43D7CF7*D3963B6AAED39C231BD5C92A10C0F146CA4784D1503A9B97598B31D33406390B7CA4F8B3EE5406A54C1842E4E63D1220*192AB7C9BA21C883824CF3D5BA073AC1129FD841E0AF6DF522C7EBDC52783CB8B97B792BFB6D9D743C7F4376FF0E7F93", "password1234567890"},
 {NULL}
 };
@@ -131,7 +132,7 @@ static int valid(char *ciphertext, struct fmt_main *self)
 if ((p = strtokm(NULL, "*"))) { /* client's encrypted password */
 int len = hexlenu(p, &extra);
- if (extra || len < 64 || len % 32 || len > 2 * PLAINTEXT_LENGTH + 16)
+ if (extra || len < 64 || len % 32 || len > 2 * PLAINTEXT_LENGTH + 32)
 goto err;
 if ((p = strtokm(NULL, "*")) == NULL) /* client's sesskey */
 goto err;
From eaf3d0fa7a1976e6f1c675ebf7d99bb657c05c61 Mon Sep 17 00:00:00 2001
From: k4amos
Date: Mon, 30 Dec 2024 14:33:47 +0100
Subject: [PATCH 2/2] Add oracle2john.py
---
 run/oracle2john.py | 130 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 130 insertions(+)
 create mode 100755 run/oracle2john.py
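Review bot: The widened bound `len > 2 * PLAINTEXT_LENGTH + 32` in valid() is a bare magic number; nothing in the hunk says where the 32 comes from, and whether a password of exactly PLAINTEXT_LENGTH characters still fits under it once the ciphertext is padded to a 32-hex-char block (the `len % 32` check on the line above) cannot be verified from here. I would derive it in a comment beside the test, e.g. `/* hex length of the AES-encrypted client password; allow one 16-byte block beyond PLAINTEXT_LENGTH for prefix and padding */`, and name which buffer in the decryption path it has to agree with, because accepting a longer ciphertext in valid() is only safe if that buffer (not visible in this patch) was sized for it as well. The new test vector in the first hunk carries a 96-hex-char encrypted password for an 18-character plaintext, presumably the case the old `+16` bound rejected; a short comment on that vector saying so would tie the two hunks together. valid() starts and ends outside the hunk.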
diff --git a/run/oracle2john.py b/run/oracle2john.py
new file mode 100755
index 0000000000..7eb47838b5
--- /dev/null
+++ b/run/oracle2john.py
@@ -0,0 +1,130 @@
+#!/usr/bin/env python3
+
+# This software is Copyright (c) 2024, k4amos
+# and it is hereby released to the general public under the following terms:
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted.
+
+# ---
+
+# Utility to obtain a hash of ORACLE authentication (o5logon) that can be cracked with John
+# This code does not support Oracle authentication with the key derivation function PBKDF2
+#
+# Usage: ./oracle2john.py
+#
+# This script depends on Scapy (https://scapy.net)
+# To install: pip install --user scapy
+
+import sys
+import argparse
+import re
+
+try:
+ import scapy.all as scapy
+except ImportError:
+ print(
+ "\033[91m[Error] Scapy seems to be missing, run 'pip install --user scapy' to install it\033[0m",
+ file=sys.stderr,
+ )
+ sys.exit(1)
+
+
+def read_file(args, filename):
+ """
+ Reads a PCAP file and extracts relevant Oracle authentication data (o5logon).
+ """
+ auth_data = {
+ "server_auth_sesskey": None,
+ "auth_vfr_data": None,
+ "auth_password": None,
+ "client_auth_sesskey": None,
+ }
+
+ packets = scapy.rdpcap(filename)
+ for packet in packets:
+ auth_data = process_packet(args, packet, auth_data)
+
+ if None not in list(auth_data.values()):
+ # Format of the hash : $o5logon$ * * *
+
+ print(
+ f'$o5logon${auth_data["server_auth_sesskey"]}*{auth_data["auth_vfr_data"]}*{auth_data["auth_password"]}*{auth_data["client_auth_sesskey"]}'
+ )
+
+ else:
+ # Format of the hash : $o5logon$ *
+ # This format can be cracked only if your Oracle version is affected by CVE-2012-3137
+
+ print(
+ f'$o5logon${auth_data["server_auth_sesskey"]}*{auth_data["auth_vfr_data"]}'
+ )
+
+
+def select_hexa(raw_string):
+ """
+ Extracts the first valid hexadecimal string from the raw data.
+ """
+ match_hexa = re.search(
+ "([A-Fa-f0-9]+)", raw_string.decode("ascii", errors="ignore").replace(" ", "")
+ )
+ if match_hexa:
+ return match_hexa.group(1)
+ return None
+
+
+def process_packet(args, packet, auth_data):
+ """
+ Processes a packet and updates the auth_data dictionary with the extracted values.
+ """
+ raw_data = bytes(packet)
+
+ server_auth_sesskey_match = re.search(
+ rb"AUTH_SESSKEY([\s\S]+?)AUTH_VFR_DATA", raw_data
+ )
+ if server_auth_sesskey_match:
+ auth_data["server_auth_sesskey"] = select_hexa(
+ server_auth_sesskey_match.group(1)
+ )
+
+ auth_vfr_data_match = re.search(
+ rb"AUTH_VFR_DATA([\s\S]+?)(AUTH_GLOBALLY_UNIQUE_DBID|$)", raw_data
+ )
+ if auth_vfr_data_match:
+ auth_data["auth_vfr_data"] = select_hexa(auth_vfr_data_match.group(1))
+
+ auth_password_match = re.search(rb"AUTH_PASSWORD([\s\S]+?)AUTH_RTT", raw_data)
+ if auth_password_match:
+ auth_data["auth_password"] = select_hexa(auth_password_match.group(1))
+
+ client_auth_sesskey_match = re.search(
+ rb"AUTH_SESSKEY([\s\S]+?)AUTH_PASSWORD", raw_data
+ )
+ if client_auth_sesskey_match:
+ auth_data["client_auth_sesskey"] = select_hexa(
+ client_auth_sesskey_match.group(1)
+ )
+
+ return auth_data
+
+
+if __name__ == "__main__":
+
+ parser = argparse.ArgumentParser(
+ formatter_class=argparse.RawDescriptionHelpFormatter,
+ epilog="""
+ ### Utility to obtain a hash of ORACLE authentication (o5logon) that can be cracked with John
+ This code does not support Oracle authentication with the key derivation function PBKDF2
+ Written by k4amos
+
+ Usage: ./oracle2john.py
+ """,
+ )
+
+ parser.add_argument("file", type=str, nargs="+")
+
+ parsed_args = parser.parse_args()
+ args = vars(parsed_args)
+
+ for filename in args["file"]:
+ read_file(args, filename)
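Review bot: In read_file the else branch prints the two-field hash whenever any value is None, including server_auth_sesskey and auth_vfr_data, so a capture with no o5logon exchange at all still emits a bogus `$o5logon$None*None` line on stdout that will only fail later in the cracker; the two mandatory fields should be checked first and the file reported as skipped on stderr, with the short format reserved for captures that lack only the client-side fields. Because process_packet overwrites auth_data on every match, a pcap holding several logons yields only the last one, and a value split across TCP segments would presumably not be matched by the per-packet regexes — both are worth stating in the read_file docstring. The `args` parameter of read_file and process_packet is never read. Both functions lie entirely within the hunk.

```python
def read_file(args, filename):
    # … unchanged: auth_data initialisation and packet loop …
    server_key = auth_data["server_auth_sesskey"]
    vfr_data = auth_data["auth_vfr_data"]
    if server_key is None or vfr_data is None:
        print(f"[Error] No o5logon exchange found in {filename}", file=sys.stderr)
        return
    if auth_data["auth_password"] is not None and auth_data["client_auth_sesskey"] is not None:
        print(f'$o5logon${server_key}*{vfr_data}*{auth_data["auth_password"]}*{auth_data["client_auth_sesskey"]}')
    else:
        # Short format: crackable only if the server is affected by CVE-2012-3137
        print(f"$o5logon${server_key}*{vfr_data}")
```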