
Pete Finnigan's Oracle Security Forum » Oracle Security (Moderator: Pete Finnigan)
Topic: find out weak passwords best practices  (Read 9172 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****
Oracle Security is easier if you design for it
Gender: male
Posts: 309
find out weak passwords best practices
« on: Nov 21st, 2005, 2:10pm »

Hi,
I want to write a small script in SQL, or possibly Perl, Java or C, to find out weak passwords.
 
My first try is to look in dba_users and try
connect user/user
for each user, and also connect user/resu.
 
Since it is highly critical, my script should display only "Warning: weak password" and not the found password. It should be easy to use, but should not be easily abused to gain illegal access to the database. So a brute-force engine does not seem to be appropriate, imho. I will not download some "unsupported-by-oracle" binary to do that, because it could make the whole system even more insecure than before, and it will never be approved by the customer.
 
Thanks for your advice
Laurent

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Re: find out weak passwords best practices
« Reply #1 on: Nov 21st, 2005, 4:44pm »

Laurent,
 
Instead of looking for users with password=usercode, why don't you create a password policy (look at $ORACLE_HOME/rdbms/admin/utlpwdmg.sql) that rejects weak passwords: password=usercode, password=resu, etc.?
After defining a password policy you have to expire the passwords to force people to change their passwords.
If creating a password policy is not a solution for you then let me know, as I can provide you with a Perl (using DBD/DBI modules) script to check for weak passwords.
 
Ivan

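The policy Ivan points at, as an added example that is not part of the thread: a PASSWORD_VERIFY_FUNCTION in the style of $ORACLE_HOME/rdbms/admin/utlpwdmg.sql that rejects the user/user and user/resu cases from the opening post, attached to a profile, followed by the expiry step. The function and profile names, the error codes and the word list are this example's own choices; the word list is a constructed sample. It has to be run as SYS, because a verify function named in a profile must be owned by SYS.

```sql
-- Added example, not from the thread: password verify function owned by SYS.
CREATE OR REPLACE FUNCTION weak_pw_verify
    (username     IN VARCHAR2,
     password     IN VARCHAR2,
     old_password IN VARCHAR2)
RETURN BOOLEAN IS
    l_user  VARCHAR2(128) := UPPER(username);
    l_pw    VARCHAR2(128) := UPPER(password);
    l_rev   VARCHAR2(128);
    -- constructed sample list; extend it with the site's default-password list
    TYPE t_words IS TABLE OF VARCHAR2(30);
    l_words t_words := t_words('PASSWORD', 'ORACLE', 'MANAGER', 'WELCOME',
                               'CHANGE_ON_INSTALL', 'TIGER', 'DATABASE');
BEGIN
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;
    -- password = username (the user/user case); compared case-insensitively,
    -- since the pre-11g hash upper-cases both anyway
    IF l_pw = l_user THEN
        raise_application_error(-20002, 'Password must differ from the username');
    END IF;
    -- password = username reversed (the user/resu case)
    FOR i IN 1 .. LENGTH(l_user) LOOP
        l_rev := SUBSTR(l_user, i, 1) || l_rev;
    END LOOP;
    IF l_pw = l_rev THEN
        raise_application_error(-20003, 'Password must not be the reversed username');
    END IF;
    -- password contains the username
    IF INSTR(l_pw, l_user) > 0 THEN
        raise_application_error(-20004, 'Password must not contain the username');
    END IF;
    -- password is a known default or dictionary word
    FOR i IN 1 .. l_words.COUNT LOOP
        IF l_pw = l_words(i) THEN
            raise_application_error(-20005, 'Password is too common');
        END IF;
    END LOOP;
    -- at least one letter and one digit
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
        raise_application_error(-20006, 'Password needs at least one letter and one digit');
    END IF;
    -- the new password must actually differ from the old one
    IF old_password IS NOT NULL AND UPPER(old_password) = l_pw THEN
        raise_application_error(-20007, 'Password must differ from the previous one');
    END IF;
    RETURN TRUE;
END weak_pw_verify;
/

-- Attach it to a profile; FAILED_LOGIN_ATTEMPTS also limits online guessing.
CREATE PROFILE strong_pw LIMIT
    PASSWORD_VERIFY_FUNCTION weak_pw_verify
    FAILED_LOGIN_ATTEMPTS    10
    PASSWORD_LIFE_TIME       90;

-- The function only runs when a password is set, so existing accounts must be
-- moved to the profile and expired to force a change at the next logon.
ALTER USER scott PROFILE strong_pw;
ALTER USER scott PASSWORD EXPIRE;
```

The verify function never sees the stored hash, only the candidate password at change time, so it catches nothing until the expiry forces a change; application schemas that never log in interactively still need their passwords reset by hand. Over 600 databases the function, profile and expiry are three statements to push out, while the hash audit in the later posts is what finds the accounts that were never changed.
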
Re: find out weak passwords best practices
« Reply #2 on: Nov 21st, 2005, 4:49pm »

A password policy is definitely a must, thanks for the reminder. However, we have over 600 databases here and your Perl script will be greatly appreciated!
 
Regards,
Laurent
tl30@zkb.ch

Re: find out weak passwords best practices
« Reply #3 on: Nov 21st, 2005, 5:02pm »

I'd suggest not performing a connect attempt for each user lest you lock them out. Even if it doesn't, this will just confuse the audit trail (and possibly hide attempted break-ins).
When you say, "I will not download some `unsupported-by-oracle` binary", I take it that means you can't use a commercial/free Oracle password cracker. If you can, NGSSQuirreL http://www.ngssoftware.com/squirrelora.htm supports the option for _not_ showing the password if cracked - we added this for those using the tool for Sarbanes-Oxley compliance.
HTH,
David Litchfield

Re: find out weak passwords best practices
« Reply #4 on: Nov 21st, 2005, 5:20pm »

Thanks David, I will try to suggest this software to my customer as an alternative to a Perl script.

Re: find out weak passwords best practices
« Reply #5 on: Nov 22nd, 2005, 8:07am »

David, your advice not to try connections is sound.
 
If I want to write a script that compares hashes, how should I start?
 
I could imagine the following:
 
1) select databasename, username, password in every database
2) create user identified by user in a database created for this special purpose
3) compare the hashes and reveal weak database/users
4) create user identified by "dictionary word"
5) compare the hashes
...
 
Or what is the best way to see if
 
user1/user1 matches user1/BBE7786A584F9103
 
without trying the connection?
 
I am using AIX and I am not allowed to try "external software" on my PC.

Re: find out weak passwords best practices
« Reply #6 on: Nov 22nd, 2005, 4:14pm »

One more try, feedback welcome:
 
declare
    -- the existing (upper-case) accounts to test
    cursor c1 is
        select username u
          from dba_users
         where username = upper(username);
    -- the pre-11g hash is DES over upper(username||password), so a probe user
    -- "scott" with password "SCOTT" hashes exactly like SCOTT with password
    -- "scott": any hash shared by two accounts of the same upper-cased name
    -- means the real account's password equals its name
    cursor c2 is
        select upper(username) u
          from dba_users
         group by upper(username), password
        having count(*) > 1;
begin
    -- create a lower-case probe user for each account, password = its name
    for r in c1 loop
        execute immediate 'create user "' || lower(r.u) || '" identified by "' || r.u || '"';
    end loop;
    -- report matches without printing the password
    for r in c2 loop
        dbms_output.put_line('WARNING: ' || r.u || ' has a default password');
    end loop;
    -- remove the probe users again
    for r in c1 loop
        execute immediate 'drop user "' || lower(r.u) || '"';
    end loop;
end;
/
 
WARNING: DIP has a default password
WARNING: OUTLN has a default password
WARNING: USER1 has a default password
WARNING: CTXSYS has a default password
WARNING: EXFSYS has a default password
WARNING: GASTON has a default password
WARNING: TSMSYS has a default password
 
 
I am using the concatenation and uppercase property of the algorithm to make that test.

Re: find out weak passwords best practices
« Reply #7 on: Dec 23rd, 2005, 4:45am »

Why don't you take a look at the scanner PeteF wrote in 2001 while still at Pentest Limited?
 
It will check for default usernames/passwords by auditing the hash values in dba_users against a pre-tabulated set of username/hash-value pairs.
 
It's available at http://www.pentest.co.uk/sql/scanner.sql
 
If you update it with the list of username/password/password-hash values from this site (Tools/Default Password List) you will pretty much have a tool to audit for default passwords.
 
The benefit is that this is an audit that does not try repeated logons or create and drop users, actions that ought to be audited (by Oracle db auditing features) in a production database.
So you will not set off any alarms!!!!
 
The script further has the benefit of being self-contained, i.e. it doesn't need 'write' access to the database - and it is written in PL/SQL so you can review it to make sure it's not doing anything "funny".
 
Oh, BTW it does a few other checks - you can disable those.

Re: find out weak passwords best practices
« Reply #8 on: Dec 23rd, 2005, 8:06am »

Thanks for the hint, but I have another approach.
 
If the users are ADAMS ANONYMOUS BLAKE CLARK CTXSYS DBSNMP DIP DMSYS EXFSYS HR JONES MDDATA MDSYS MGMT_VIEW ODM ODM_MTR OE OLAPSYS ORDPLUGINS ORDSYS OUTLN PERFSTAT PM QS QS_ADM QS_CB QS_CBADM QS_CS QS_ES QS_OS QS_WS SCOTT SH SI_INFORMTN_SCHEMA TSMSYS WK_TEST WKPROXY WKSYS WMSYS XDB, they must be locked, so I do not care about their passwords.
 
I am looking to check the database for "weak" passwords. Ok, username=password is the weakest, but my method is so slow that I cannot check millions of passwords for each user.
 
I would like to write a much much much faster gethash(username,password), similar to orabf, but in PL/SQL for example. Then I would be able to compare passwords. This is all that my function is about. David's advice about NGS sounds wise, but if NGS can do it, I should also be able to do it.
 
For the moment, I do not have the time to write my own algorithm, so I am simply checking username=password with my dubious code above...
 
Cheers
Laurent
 
 
PS: well, the code above revealed a default password for DIP, but in my production script I check only users where lock_date is null
 
 
declare
    -- only open (unlocked) upper-case accounts are tested
    cursor c1 is
        select username u
          from dba_users
         where username = upper(username)
           and lock_date is null;
    -- a probe user "scott"/"SCOTT" hashes like SCOTT/"scott" under the
    -- pre-11g algorithm, so a hash shared per upper-cased name is a hit
    cursor c2 is
        select upper(username) u
          from dba_users
         group by upper(username), password
        having count(*) > 1;
begin
    -- a profile without a verify function, so the site's password policy
    -- cannot reject the probe passwords
    begin
        execute immediate 'create profile verifynull limit password_verify_function null';
    exception
        when others then
            dbms_output.put_line(sqlerrm);
            dbms_output.put_line(' received while creating profile verifynull');
    end;
    -- create the probe users locked, so nobody can log in as them meanwhile
    for r in c1 loop
        begin
            execute immediate 'create user "' || lower(r.u) || '" identified by "' || r.u
                           || '" profile verifynull account lock';
        exception
            when others then
                dbms_output.put_line(sqlerrm);
                dbms_output.put_line(' received while creating user ' || lower(r.u));
        end;
    end loop;
    -- report matches without printing the password
    for r in c2 loop
        dbms_output.put_line('FATAL: ' || r.u || ' has a default password');
    end loop;
    -- drop every probe name again (make sure no real lower-case account shares one)
    for r in c1 loop
        begin
            execute immediate 'drop user "' || lower(r.u) || '"';
        exception
            when others then
                dbms_output.put_line(sqlerrm);
                dbms_output.put_line(' received while dropping user ' || lower(r.u));
        end;
    end loop;
    begin
        execute immediate 'drop profile verifynull';
    exception
        when others then
            dbms_output.put_line(sqlerrm);
            dbms_output.put_line(' received while dropping profile verifynull');
    end;
end;
/

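The gethash(username,password) Laurent asks for, as an added example that is not part of the thread and not Laurent's, David's or Pete Finnigan's code: it reproduces the pre-11g Oracle password hash that DBA_USERS.PASSWORD held when this thread was written, so the comparison from reply #5 ("does user1/user1 match the stored hash?") can be done in SQL without CREATE USER, DROP USER or a single connect attempt, which avoids the lockout and audit-trail problems raised in replies #3 and #7. The algorithm is the published one: DES-CBC with a fixed key over the UTF-16BE bytes of UPPER(username||password), zero-padded to a block boundary; the last ciphertext block keys a second pass over the same bytes, and the last block of that pass is the stored value. Assumptions: the caller has EXECUTE on DBMS_CRYPTO and SELECT on DBA_USERS (run it as SYS or grant those first); the function name follows the post's wording; the candidate word list is a constructed sample. From 11g onwards DBA_USERS.PASSWORD is empty and the salted SHA-1 hash lives in SYS.USER$.SPARE4, so this applies to the DES hash only.

```sql
-- Added example, not from the thread: PL/SQL reimplementation of the pre-11g
-- Oracle password hash, using DBMS_CRYPTO (needs EXECUTE ON DBMS_CRYPTO).
CREATE OR REPLACE FUNCTION gethash(p_user IN VARCHAR2, p_pass IN VARCHAR2)
RETURN VARCHAR2 IS
    l_mode  PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_DES
                         + DBMS_CRYPTO.CHAIN_CBC
                         + DBMS_CRYPTO.PAD_NONE;
    l_iv    RAW(8)  := HEXTORAW('0000000000000000');
    l_key   RAW(8)  := HEXTORAW('0123456789ABCDEF');   -- fixed first-pass key
    l_src   RAW(2000);
    l_enc   RAW(2000);
    l_pad   PLS_INTEGER;
BEGIN
    -- 1. upper-case the concatenation and widen it to 2 bytes per character
    l_src := UTL_I18N.STRING_TO_RAW(UPPER(p_user || p_pass), 'AL16UTF16');
    -- 2. zero-pad to a whole number of DES blocks (PAD_NONE needs that)
    l_pad := MOD(8 - MOD(UTL_RAW.LENGTH(l_src), 8), 8);
    IF l_pad > 0 THEN
        l_src := UTL_RAW.CONCAT(l_src, UTL_RAW.COPIES(HEXTORAW('00'), l_pad));
    END IF;
    -- 3. first pass: the last ciphertext block becomes the second key
    l_enc := DBMS_CRYPTO.ENCRYPT(l_src, l_mode, l_key, l_iv);
    l_key := UTL_RAW.SUBSTR(l_enc, UTL_RAW.LENGTH(l_enc) - 7, 8);
    -- 4. second pass under the derived key: its last block is the stored hash
    l_enc := DBMS_CRYPTO.ENCRYPT(l_src, l_mode, l_key, l_iv);
    RETURN RAWTOHEX(UTL_RAW.SUBSTR(l_enc, UTL_RAW.LENGTH(l_enc) - 7, 8));
END gethash;
/

-- Weak-password audit over the live data dictionary: no DDL, no logons.
-- It only ever reports the account, never which candidate matched.
SET SERVEROUTPUT ON
DECLARE
    TYPE t_words IS TABLE OF VARCHAR2(30);
    -- constructed candidate list; extend it with the site's default-password list
    l_words t_words := t_words('PASSWORD', 'ORACLE', 'MANAGER', 'WELCOME',
                               'CHANGE_ON_INSTALL', 'TIGER');
    l_rev   VARCHAR2(30);
    l_weak  BOOLEAN;
BEGIN
    FOR u IN (SELECT username, password
                FROM dba_users
               WHERE lock_date IS NULL
                 AND password NOT IN ('EXTERNAL', 'GLOBAL')) LOOP
        -- reversed username (the user/resu case), built without REVERSE()
        l_rev := '';
        FOR i IN 1 .. LENGTH(u.username) LOOP
            l_rev := SUBSTR(u.username, i, 1) || l_rev;
        END LOOP;
        -- username and reversed username first, then the candidate list
        l_weak := u.password IN (gethash(u.username, u.username),
                                 gethash(u.username, l_rev));
        FOR i IN 1 .. l_words.COUNT LOOP
            EXIT WHEN l_weak;
            l_weak := (u.password = gethash(u.username, l_words(i)));
        END LOOP;
        IF l_weak THEN
            DBMS_OUTPUT.PUT_LINE('WARNING: ' || u.username || ' has a weak password');
        END IF;
    END LOOP;
END;
/
```

Check the function before trusting any report: gethash('SCOTT', 'TIGER') has to return F894844C34402B67, the hash for that default account that every published default-password list carries; if it does not, the character-set conversion or the padding step is wrong. The loop runs one DES pass pair per candidate per account, so the candidate list can be the whole default-password list from this site rather than the few words of the constructed sample; it still only reads DBA_USERS, and the hashes themselves never leave the database. Because the DES hash has no salt beyond the username, the same hash for the same username is identical in all 600 databases, so a hash seen as weak in one is weak everywhere that account has not been changed.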