How to decrypt an Oracle password using John the Ripper and checkpwd

Learn how to decrypt an Oracle password with Oracle password crackers like John the Ripper and checkpwd in this tip from an Oracle security expert.

How can I decrypt the user's password in Oracle 10g which is already in an encrypted format?

It can be a bit tricky to decrypt an Oracle password. Before we head down this road, you may want to consider alternate ways of accomplishing your goals. Determining whether you can access the schema by logging in as a privileged user and simply changing the password to a known value will save you hours of work. If that is not possible or not feasible, you may want to try getting in via another, standard account (check for default passwords) and attempt privilege escalation. If that doesn't work, we still have options in 10g.

In Oracle 10g and all previous versions, the password is not encrypted at all. It is simply a DES-based hash salted with the username, and both the hash and the username can be found quite easily in the DBA_USERS view. The strength of this scheme depends more on the length of the hashed password than on its complexity, which is hobbled by the password being converted to capital letters and by some special characters not being allowed. In Oracle 11g, if backwards compatibility is not necessary, SHA-1 is used exclusively with a salt that is not listed in the view, and it is a much harder nut to crack.

Unfortunately, hashing is a one-way trip. When your password is authenticated, your plaintext password is not compared directly. Instead, your submission is run through the same hashing algorithm, and the results are compared. If the hash of your submission and the stored hash match, you are authenticated. This means there is no key to recover that would unencrypt the password; the most effective method of cracking the hash is to guess the password. Luckily, these days we can generate a lot of guesses per second.

Your best bet is to use one of the very effective Oracle password crackers available, such as Red-Database-Security.com's Checkpwd or John the Ripper. Both are free and work on nearly every platform/OS. Checkpwd uses a dictionary attack and, given the dictionary files available (you can always tailor your own as well), it is very effective. John the Ripper has both dictionary and brute force attacks. A well-crafted dictionary attack is often very productive and amazingly fast because of its focused nature. If brute force is used on a modern desktop system, it will crack passwords under six characters in anywhere from a few minutes to a couple of hours. Any password over eight characters will take a few days.
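As an added example (not code from this tip, Checkpwd or John the Ripper), here is the legacy pre-11g hash described above reimplemented in Go, followed by a Checkpwd-style dictionary audit you can run over your own DBA_USERS output to find accounts still on default passwords. The sample input is constructed: SCOTT and SYSTEM carry the well-known default-password hashes, APPUSR's hash is a placeholder.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Oracle10gHash reproduces the legacy (pre-11g) Oracle hash: uppercase username+password
// as UTF-16BE, zero-padded, two DES-CBC passes (zero IV), pass-one's last block keys pass two.
func Oracle10gHash(username, password string) string {
	var buf []byte
	for _, u := range utf16.Encode([]rune(strings.ToUpper(username + password))) {
		buf = append(buf, byte(u>>8), byte(u)) // big-endian 16-bit code units
	}
	buf = append(buf, make([]byte, (8-len(buf)%8)%8)...) // zero-pad to the DES block size
	lastBlock := func(key []byte) []byte {
		block, _ := des.NewCipher(key) // key is always 8 bytes, so no error
		out := make([]byte, len(buf))
		cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(out, buf)
		return out[len(out)-8:]
	}
	fixedKey := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	return strings.ToUpper(hex.EncodeToString(lastBlock(lastBlock(fixedKey))))
}

// AuditWeakPasswords is a Checkpwd-style dictionary check. The username is the salt, so
// every word is re-hashed per user: a precomputed table is useless, a per-user run is not.
func AuditWeakPasswords(stored map[string]string, wordlist []string) map[string]string {
	found := map[string]string{}
	for user, hash := range stored {
		for _, word := range wordlist {
			if Oracle10gHash(user, word) == strings.ToUpper(hash) {
				found[user] = word // user -> matched dictionary word
				break
			}
		}
	}
	return found
}

func main() {
	// Constructed DBA_USERS-style sample; APPUSR's hash is a placeholder, not a real value.
	stored := map[string]string{"SCOTT": "F894844C34402B67", "SYSTEM": "D4DF7931AB130E37", "APPUSR": "0000000000000000"}
	fmt.Println(AuditWeakPasswords(stored, []string{"tiger", "manager", "change_on_install", "welcome1"}))
}
```

Because the username is the only salt, the audit must rehash every dictionary word for every account, which is exactly why a focused dictionary run is so fast and a long, mixed-character password is the only real protection on these versions.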

I hope this helps you out, and I wish you the best of luck!
