
Oracle Default Password Auditing Tool

This page hosts a simple command line tool that can be used to check if any default users are installed in your database and more importantly whether those default users still have their default passwords set to known values. The tool was originally created by Marcel-Jan Krijgsman who works for Transfer Solutions in Holland and he has kindly allowed me to host this tool here on my site.

The Problem

This is a command line based tool for checking Oracle default users and their passwords in your database. The problem of default users and passwords is well known for most software applications, but it is a particularly large problem for Oracle databases and their associated products and features. There are literally hundreds of known default users and passwords. This tool includes a list of 474 known users (recently updated to include 600 default Oracle users) and their passwords. Why is this an issue? Simply because quite often these users get installed into a database. They come from Oracle supplied scripts, from well known third party business applications and tools, and also from books, documentation and papers. Some software insists on having a certain user created with a certain password. If you happen to run such software (I am talking generally here) and do not know how to change the password, or the supplier insists it cannot be changed, then you have problems. This is exacerbated when these default users also have excess privileges. Guessing usernames and their passwords is the simplest way for a hacker, a malicious employee or even a bored employee to access your data. You owe it to your business to use a tool like this regularly.

Authorship and Credit

The original scripts and the original default password list were created by Marcel-Jan Krijgsman, who works for Transfer Solutions. All updates and modifications to the check tool have been done by Pete Finnigan; details are listed below. The default password list was substantially updated by Pete Finnigan in Nov 2004 to include about 600 default Oracle users. For any update suggestions or problems, please email default@petefinnigan.com in the first instance.

The files

Before we discuss how the scripts and tool work, let's run through the files that are included in the download package. These are as follows:

  • osp_install.sql: This script is used to install the complete package. It first installs the user, then the table, the package and the data. It does this by running the individual install scripts listed below.

  • osp_install_user.sql: This script creates a database user called ORAPROBE that owns the table and the package procedure used. The script prompts for a password and also for a default and a temporary tablespace.

  • osp_install_pack.sql: This script creates the main database package OSP_PACK, whose procedure is used to run the checks.

  • osp_install_tab.sql: This script creates the database table that is used to hold the details of each default user.

  • osp_install_data.sql: This script installs the data that lists each default user and the details for them. The script is derived from the spreadsheet described below.

  • osp_exec.sql: This is the main script. It is run in SQL*Plus as the ORAPROBE user account. The script first builds the name of the spool file for capturing the output, then spools to it before calling the OSP_PACK.DEFAULT_PASS_CHECK procedure to check for all of the default users in the table created from the spreadsheet.

  • osp_exec_accounts.sql: This script is called by osp_exec.sql and is the one that actually runs the package procedure.

  • readme.txt: A file that describes the files in the archive. It has the same contents as this list.

  • Oracle default password hashes.xls: This is a spreadsheet of known Oracle default users and their passwords. The list was derived by Marcel-Jan from a list compiled by Justin Williams; the original sources are indicated by Marcel-Jan in the spreadsheet. For each entry the spreadsheet records the username, password, security level (based on the privileges of the user), password hash and a description of the user. The final column also holds an SQL statement that can be used to install the entry into an Oracle database as part of this tool.

Output Files

The tool creates two output files. The first is osp_exec.lis, which simply defines the name of the second file; the second records the details of the run. That filename is of the form osp_accounts_sans.us.oracle.com_200410261150: the first part is fixed, the second part identifies the database instance and the last part is the date. This means that multiple runs give separate output files.

How Does It Work

The set of scripts written by Marcel-Jan is quite simple to use and also quite simple in concept. The default usernames and passwords are loaded into a table in the database being checked. The package procedure then loops through all the users in the database, checks whether each one exists in the list of default users and, if so, compares the stored password hash with the known default hash. If there is a match, the fact is reported and the details of the default user are emitted.
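The same comparison, written as a stand-alone SQL*Plus script that also builds a per-run spool name like the one described under Output Files. This is an added example, not one of the OSP scripts; it assumes the installed OSP_ACCOUNTS table has the columns USERNAME, HASH_VALUE, SECURITY_LEVEL and DESCRIPTION (names inferred from the spreadsheet description, not confirmed by the page) and a pre-11g database where DBA_USERS.PASSWORD still holds the hash.

```sql
-- Added example (not the OSP tool's own code). Column names on OSP_ACCOUNTS
-- are an assumption based on the spreadsheet description on this page.
set verify off feedback off heading off pagesize 0 linesize 120

-- Build the spool file name the way the tool does: fixed prefix, then the
-- database's global name, then a timestamp, so every run gets its own file.
column spool_name new_value spool_name
select 'osp_accounts_' || global_name || '_'
       || to_char(sysdate, 'YYYYMMDDHH24MI') as spool_name
from   global_name;
spool &spool_name

set heading on pagesize 50
-- Core of the check: an account is flagged only when BOTH the username and
-- the stored password hash match an entry in the default list. The hash is
-- salted with the username in pre-11g Oracle, so the join must be on both.
-- ACCOUNT_STATUS is reported too, because a locked or expired account with a
-- default password still shows up in the tool's output (see Sample Session).
select u.username,
       u.account_status                 as status,
       o.security_level,
       o.description
from   dba_users    u
join   osp_accounts o
       on  o.username   = u.username
       and o.hash_value = u.password
order by o.security_level, u.username;

spool off
```

From Oracle 11g onwards DBA_USERS.PASSWORD is no longer populated, so a check of this kind has to read the hash from SYS.USER$ instead, which needs SYS-level access.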

Download the scripts here

The Oracle default password check scripts can be downloaded here.

The latest version is available from this page on this web site. The scripts are free and the author accepts no responsibility for their use or any issues arising from the use of these scripts.

Change history

This is a brief change history for this set of scripts.

  • 1.0 - First release
  • 1.1 - readme.txt added to the archive
  • 1.2 - changes to archive contents
    • a - New MS Excel spreadsheet updated to include 596 default accounts
    • b - OSP_ACCOUNTS table altered to represent hash_value column as varchar2(30)
    • c - New data file added with 596 default accounts
  • 1.3 - Changed the create user script to allow passwords encased in quotes
  • 1.4 - Updated the Excel spreadsheet and data install script for the SAP users.
  • 1.5 - Corrections and additions to the list
    • a - updated 21 default accounts to remove trailing spaces in the data creation scripts
    • b - added 2 new default users to the data scripts and spreadsheets

Sample Session

Here is a sample session of running these scripts to show you how the tools work. The test was run against a 9.2.0.1 database on Windows XP.

Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL> @\petefinnigan.com\password\marcel-jan\osp_exec.sql
*********************************************
*                                           *
*  Welcome to the Oracle Security Probe     *
*                                           *
*********************************************

Connectstring (destination database): sans
Password of oraprobe?: ********
Connected.
Oracle accounts with default passwords
======================================

Username: SYS
Password: CHANGE_ON_INSTALL
-----------------------------------------------
WARNING! The password of SYS is a default password. It is well known to hackers

Additional information:
SYS is Oracle's most powerful database management account. It allows to read,
change and destroy all data in your database.


Username: SYSTEM
Password: MANAGER
-----------------------------------------------
WARNING! The password of SYSTEM is a default password. It is well known to
hackers

Additional information:
SYSTEM is Oracle's database management account. It allows to read, change and
destroy all data in your database.


Username: SCOTT
Password: TIGER
-----------------------------------------------
WARNING! The password of SCOTT is a default password. It is well known to
hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: DBSNMP
Password: DBSNMP
-----------------------------------------------
WARNING! The password of DBSNMP is a default password. It is well known to
hackers

Additional information:
DBSNMP is an account for the Oracle Intelligent Agent. Under certain
circumstances it allows to read passwords from memory.


Username: QS_ES
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED(TIMED)
-----------------------------------------------
WARNING! The password of QS_ES is a default password. It is well known to
hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: WMSYS
Password: WMSYS
Status: LOCKED
-----------------------------------------------
WARNING! The password of WMSYS is a default password. It is well known to
hackers

Additional information:



Username: ORDSYS
Password: ORDSYS
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of ORDSYS is a default password. It is well known to
hackers

Additional information:
The account ORDSYS (Oracle Time Series) has a limited number of risky system
privileges, amongst which those to use external libraries and run code on the
operating system.


Username: ORDPLUGINS
Password: ORDPLUGINS
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of ORDPLUGINS is a default password. It is well known to
hackers

Additional information:
ORDPLUGINS is an administrative account for Oracle Time Series.


Username: MDSYS
Password: MDSYS
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of MDSYS is a default password. It is well known to
hackers

Additional information:
The account MDSYS (Oracle Spatial administrator) has DBA-like privileges, which
allow to read, change and destroy all data in your database.


Username: CTXSYS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of CTXSYS is a default password. It is well known to
hackers

Additional information:
CTXSYS (Oracle Text/Intermedia Text/Context option) is an account with DBA
privileges and therefor allows to read, change and destroy all data in your
database.


Username: XDB
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of XDB is a default password. It is well known to hackers

Additional information:



Username: WKSYS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of WKSYS is a default password. It is well known to
hackers

Additional information:
WKSYS is an administrative account of Oracle9iAS Ultrasearch.


Username: WKPROXY
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of WKPROXY is a default password. It is well known to
hackers

Additional information:
WKPROXY is an administrative account of Oracle9iAS Ultrasearch.


Username: ODM
Password: ODM
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of ODM is a default password. It is well known to hackers

Additional information:



Username: ODM_MTR
Password: 
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of ODM_MTR is a default password. It is well known to
hackers

Additional information:



Username: OLAPSYS
Password: MANAGER
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of OLAPSYS is a default password. It is well known to
hackers

Additional information:
OLAPSYS is an administrative account for the OLAP Services option.


Username: RMAN
Password: RMAN
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of RMAN is a default password. It is well known to
hackers

Additional information:
RMAN is an account for the Oracle Recovery Manager. This account might be
misused to write unwanted changes to the database to the backups.


Username: QS_CS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_CS is a default password. It is well known to
hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: QS_CB
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_CB is a default password. It is well known to
hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: QS_CBADM
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_CBADM is a default password. It is well known to
hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: QS_OS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_OS is a default password. It is well known to
hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: HR
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of HR is a default password. It is well known to hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: OE
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of OE is a default password. It is well known to hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: PM
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of PM is a default password. It is well known to hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: SH
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of SH is a default password. It is well known to hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: QS_ADM
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_ADM is a default password. It is well known to
hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: QS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS is a default password. It is well known to hackers

Additional information:
This is a training account. It should not be available in a production
environment.


Username: QS_WS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_WS is a default password. It is well known to
hackers

Additional information:
This is a training account. It should not be available in a production
environment.


SQL>