Information on cracking Oracle APEX hashes

commit 3a8351b4a9fc06a2fe5157d098054c47284522fa 1 parent f18a831
Dhiru Kholia kholia authored committed
61 doc/README.apex
@@ -0,0 +1,61 @@
+#!/usr/bin/python
+
+"""
+
+Dumping APEX hashes
+===================
+
+1. Automated Way
+
+C:\apex>sqlplus sys as sysdba
+
+SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 22 17:20:51 2013
+
+Copyright (c) 1982, 2010, Oracle. All rights reserved.
+
+Enter password:
+
+Connected to:
+Oracle Database 11g Express Edition Release 11.2.0.2.0 - Production
+
+SQL> @dump-apex-hashes.sql
+
+$ python apex2john.py apex-hashes.txt > apex-hashes-JtR
+
+$ john pex-hashes-JtR # use JtR-jumbo from https://github.com/magnumripper/JohnTheRipper/
+Loaded 1 password hash (dynamic_1: md5($p.$s) (joomla) [128/128 SSE2 intrinsics 10x4x3])
+password (?)
+guesses: 1 time: 0:00:00:00 DONE (Thu Feb 21 17:33:43 2013) c/s: 375 trying: 123456 - boomer
+
+2. Manual Way
+
+SQL> alter session set current_schema = APEX_040200;
+
+Session altered.
+
+SQL> select user_name,web_password2,security_group_id from wwv_flow_fnd_user;
+
+USER_NAME
+--------------------------------------------------------------------------------
+WEB_PASSWORD2
+--------------------------------------------------------------------------------
+SECURITY_GROUP_ID
+-----------------
+ADMIN
+F96D32CBB2FBE17732C3BBAB91C14F3A
+10
+
+NOTE: dump-apex-hashes.sql script is in src/unused directory
+
+"""
+
+import hashlib
+
+username = "ADMIN"
+sgid = "10"
+password = "password"
+
+# APEX 4.2.1 algorithm
+print username, sgid, password, hashlib.md5(password + sgid + username).hexdigest()
+
+# should print "f96d32cbb2fbe17732c3bbab91c14f3a" which is the actual hash
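Review bot: The cracking step `$ john pex-hashes-JtR` names a file the previous command never creates; `apex2john.py` redirects to `apex-hashes-JtR`, so the argument is missing its leading "a" and the walkthrough fails when copied verbatim. Separately, this README carries a `#!/usr/bin/python` shebang and executable code, and that snippet is the only place the algorithm, md5(password + sgid + username), is stated. Consider adding one prose line saying that sgid + username is what apex2john.py emits as the salt for the `dynamic_1: md5($p.$s)` format shown in the john output.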
27 run/apex2john.py
@@ -0,0 +1,27 @@
+#!/usr/bin/env python
+
+import sys
+
+def process_file(filename):
+ with open(filename, "r") as f:
+ for line in f.readlines():
+ data = line.split(',')
+
+ try:
+ username, apexhash, sgid = data
+ except:
+ continue
+
+ username = username.rstrip().lstrip()
+ apexhash = apexhash.rstrip().lstrip()
+ sgid = sgid.rstrip().lstrip()
+
+ print "$dynamic_1$%s$%s" % (apexhash, sgid + username)
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2:
+ print >>sys.stderr, "Usage: %s <apex-hashes.txt file(s)>" % sys.argv[0]
+ sys.exit(-1)
+
+ for i in range(1, len(sys.argv)):
+ process_file(sys.argv[i])
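Review bot: The bare `except:` around `username, apexhash, sgid = data` silently drops every line that does not split into exactly three fields, so a user name containing a comma (the dump script uses `set colsep ','`) vanishes from the output with no warning. Catch only `ValueError` and report the skipped line on stderr so a missing account is noticed. Smaller points: `.rstrip().lstrip()` is just `.strip()`, and iterating over `f` directly avoids the `readlines()` call.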
1  src/unused/apex-hashes-JtR
@@ -0,0 +1 @@
+$dynamic_1$F96D32CBB2FBE17732C3BBAB91C14F3A$10ADMIN
1  src/unused/apex-hashes.txt
@@ -0,0 +1 @@
+ADMIN ,F96D32CBB2FBE17732C3BBAB91C14F3A , 10
13 src/unused/dump-apex-hashes.sql
@@ -0,0 +1,13 @@
+set colsep ','
+set echo off
+set feedback off
+set linesize 1000
+set pagesize 0
+set sqlprompt ''
+set trimspool on
+set headsep off
+set termout off
+alter session set current_schema = APEX_040200;
+spool "apex-hashes.txt"
+select user_name,web_password2,security_group_id from wwv_flow_fnd_user;
+spool off
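Review bot: `alter session set current_schema = APEX_040200;` hard-codes the schema of one APEX release and nothing in the script says so; add a comment naming the version it was written against (doc/README.apex mentions 4.2.1) or take the schema as a parameter. Also, the `set` changes, including `set sqlprompt ''`, and the schema switch stay in effect in the interactive SQL*Plus session the README uses to run the script, and the spooled `apex-hashes.txt` holds password hashes in the current directory. A closing comment about restoring the settings and protecting or deleting the spool file would help.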