Call: +44 (0)1904 557620 Call
Forum

Welcome, Guest. Please Login.
Mar 29th, 2024, 8:48am
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   find out weak passwords best practices
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: find out weak passwords best practices  (Read 11156 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
find out weak passwords best practices
« on: Nov 21st, 2005, 2:10pm »
Quote | Modify

Hi,
I want to write a small script in SQL, eventually perl, java or C, to find out weak passwords.
 
My first try is to look in dba_users and try  
connect user/user
for each user. also connect user/resu  
 
Since it is highly critical, my script should display only "Warning : weak password" and not the found password. It should be easy to use, but should not be easily overused to gain illegal access to the database. So a bruteforce engine does not seem to be appropriate, imho. I will not download some "unsupported-by-oracle" binary to do that, because it could be make the whole system even more unsecure than before, and will never be approved by the customer.  
 
Thanks for your advises
Laurent
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: find out weak passwords best practices
« Reply #1 on: Nov 21st, 2005, 4:44pm »
Quote | Modify

Laurent,
 
Instead of looking for users with password=usercode why don't you create a password policy (look at $ORACLE_HOME/rdbms/admin/utlpwdmg.sql) that rejects weak passwords: password=usercode, password=resu, etc.
After defining a password policy you have to expire the passwords to force people to change their passwords.  
If creating a password policy is not a solution to you then let me know as I can provide you with a Perl (using DBD/DBI modules) script to check for weak passwords.
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: find out weak passwords best practices
« Reply #2 on: Nov 21st, 2005, 4:49pm »
Quote | Modify

a password policy is definitely a must, thanks for the reminder. However, we have over 600 databases here and your perl script will be greatly appreciated !
 
Regards,
Laurent
tl30@zkb.ch
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: find out weak passwords best practices
« Reply #3 on: Nov 21st, 2005, 5:02pm »
Quote | Modify

I'd suggest not performing a connect attempt for each user lest you lock them out. Even if it doesn't this'll just confuse the audit trail (and possibly hide attempted breakins).  
When you say, "I will not download some `unsupported-by-oracle` binary" I take it that means you can't use a commercial/free Oracle password cracker. If you can, NGSSQuirreL http://www.ngssoftware.com/squirrelora.htmsupports the option for _not_ showing the password if cracked - we added this for those using the tool for Sarbanes Oxley compliance.
HTH,
David Litchfield
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: find out weak passwords best practices
« Reply #4 on: Nov 21st, 2005, 5:20pm »
Quote | Modify

thanks david, I will try to suggest this software to my customer in alternative to a perl script
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: find out weak passwords best practices
« Reply #5 on: Nov 22nd, 2005, 8:07am »
Quote | Modify

David, your advise not to try connection is sound.
 
If I want to write a script that compare hashes how should I start ?
 
I could imagine the following :
 
1) select databasename, username, password in every databases
2) create user identified by user in a database created for this special purpose
3) compare the hashes and reveal weak database/users
4) create user identified by "dictionary word"
5) compare the hashes
...
 
Or what is the best way to see if
 
user1/user1 matches user1/BBE7786A584F9103  
 
without trying the connection?
 
I am using AIX and I am not allowed try "external software" on my pc  
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: find out weak passwords best practices
« Reply #6 on: Nov 22nd, 2005, 4:14pm »
Quote | Modify

one more try, feedback welcome :
 
declare
    cursor c1 is select username u from dba_users where username=upper(username);
    cursor c2 is select upper(username) u from dba_users group by upper(username),password having count(*)>1;
begin
    for r in c1 loop
   execute immediate 'create user "'||lower(r.u)||'" identified by "'||r.u||'"';
    end loop;
    for r in c2 loop
   dbms_output.put_line('WARNING: '||r.u||' has a default password');
    end loop;
    for r in c1 loop
   execute immediate 'drop user "'||lower(r.u)||'"';
    end loop;
end;
/
 
WARNING: DIP has a default password
WARNING: OUTLN has a default password
WARNING: USER1 has a default password
WARNING: CTXSYS has a default password
WARNING: EXFSYS has a default password
WARNING: GASTON has a default password
WARNING: TSMSYS has a default password
 
 
I am using the concatenation and uppercase property of the algorythm to make that test.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: find out weak passwords best practices
« Reply #7 on: Dec 23rd, 2005, 4:45am »
Quote | Modify

Why don't you take a look at the scanner PeteF wrote in 2001 while still at Pentest Limited?
 
It will check for default usernames/passwords based on auditing the hashvalues in dba_users against a pre-tabulated set of username/hashvalue pairs.
 
It's available at http://www.pentest.co.uk/sql/scanner.sql
 
If you update it with the list of username/password/passwordhash values from this site (Tools/Default Password List) you will pretty much have a tool to audit for default passwords.
 
The benefit is that this is an audit that does not try repeated logon or create and drop users, actions that ought to be audited (by oracle db auditing features) in a production database.  
So you will not set off any alarms !!!!
 
The script further has the benefit of being self-contained, i.e. it doesn't need 'write' access to the database - and it is written in pl/sql so you can review it to make sure it's not doing anything "funny".
 
Oh, BTW it does a few other checks - you can disable those.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: find out weak passwords best practices
« Reply #8 on: Dec 23rd, 2005, 8:06am »
Quote | Modify

thanks for the hint, but I have another approach.
 
If the users are ADAMS ANONYMOUS BLAKE CLARK CTXSYS DBSNMP DIP DMSYS EXFSYS HR JONES MDDATA MDSYS MGMT_VIEW ODM ODM_MTR OE OLAPSYS ORDPLUGINS ORDSYS OUTLN PERFSTAT PM QS QS_ADM QS_CB QS_CBADM QS_CS QS_ES QS_OS QS_WS SCOTT SH SI_INFORMTN_SCHEMA TSMSYS WK_TEST WKPROXY WKSYS WMSYS XDB, they must be locked, so I do not care of their password.
 
I am looking to check in the database for "weak" password. Ok, username=password is the weakest, but my method is so slow that I cannot check millions of password for each user.  
 
I would like to write a much much much faster gethash(username,password), similar to orabf, but in plsql for example. Than I would be able to compare passwords. This is all what my function is about. David advise about NGS sounds wise, but if NGS can do it, I should also be able to do it.  
 
For the moment, I do not have the time to write my own algorythm, so I simply checking username=password with my doubious code above...
 
Cheers
Laurent  
 
 
PS: well, the code above revealed default password for DIP, but in my productive script, I check only for lock_date is null
 
 
declare
    cursor c1 is select username u from dba_users where username=upper(username) and LOCK_DATE is null;
    cursor c2 is select upper(username) u from dba_users group by upper(username),password having count(*)>1;
begin
    begin
   execute immediate 'create profile verifynull limit PASSWORD_VERIFY_FUNCTION null';
    exception
   when others then
  dbms_output.put_line(sqlerrm);
  dbms_output.put_line(' received while creating profile verifynull');
    end;
    for r in c1 loop
   begin
  execute immediate 'create user "'||lower(r.u)||'" identified by "'||r.u||'" profile verifynull account lock';
   exception
  when others then
      dbms_output.put_line(sqlerrm);
      dbms_output.put_line(' received while creating user '||lower(r.u));
   end;
    end loop;
    for r in c2 loop
   dbms_output.put_line('FATAL: '||r.u||' has a default password');
    end loop;
    for r in c1 loop
   begin
  execute immediate 'drop user "'||lower(r.u)||'"';
   exception
  when others then
      dbms_output.put_line(sqlerrm);
      dbms_output.put_line(' received while dropping user '||lower(r.u));
   end;
    end loop;
    begin
   execute immediate 'drop profile verifynull';
    exception
   when others then
  dbms_output.put_line(sqlerrm);
  dbms_output.put_line(' received while dropping profile verifynull');
    end;
end;
/
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues