Penetration Testing: Dump Hashes from Oracle SQL

How to get password hashes from Oracle SQL RDBMS when you already got a privileged account

Pentestmonkey and others offer valuable know-how for penetration testers facing an Oracle database server. If one already got privileged access (>=11g) system password hashes can be dumped for cracking purposes. It is important to consider that those hashes are stored not only in the attribute „spare4“ but can be stored in e.g. „spare6“. So if one wants to dump all hashes using „SELECT name,spare4 FROM sys.user$“ for each account with an empty hash you should SELECT the other spare-attributes, too.