|
||
|
Title: find out weak passwords best practices Post by Pete Finnigan on Nov 21st, 2005, 2:10pm Hi, I want to write a small script in SQL, eventually perl, java or C, to find out weak passwords. My first try is to look in dba_users and try connect user/user for each user. also connect user/resu Since it is highly critical, my script should display only "Warning : weak password" and not the found password. It should be easy to use, but should not be easily overused to gain illegal access to the database. So a bruteforce engine does not seem to be appropriate, imho. I will not download some "unsupported-by-oracle" binary to do that, because it could be make the whole system even more unsecure than before, and will never be approved by the customer. Thanks for your advises Laurent |
||
|
Title: Re: find out weak passwords best practices Post by Pete Finnigan on Nov 21st, 2005, 4:44pm Laurent, Instead of looking for users with password=usercode why don't you create a password policy (look at $ORACLE_HOME/rdbms/admin/utlpwdmg.sql) that rejects weak passwords: password=usercode, password=resu, etc. After defining a password policy you have to expire the passwords to force people to change their passwords. If creating a password policy is not a solution to you then let me know as I can provide you with a Perl (using DBD/DBI modules) script to check for weak passwords. Ivan |
||
|
Title: Re: find out weak passwords best practices Post by Pete Finnigan on Nov 21st, 2005, 4:49pm a password policy is definitely a must, thanks for the reminder. However, we have over 600 databases here and your perl script will be greatly appreciated ! Regards, Laurent tl30@zkb.ch |
||
|
Title: Re: find out weak passwords best practices Post by Pete Finnigan on Nov 21st, 2005, 5:02pm I'd suggest not performing a connect attempt for each user lest you lock them out. Even if it doesn't this'll just confuse the audit trail (and possibly hide attempted breakins). When you say, "I will not download some `unsupported-by-oracle` binary" I take it that means you can't use a commercial/free Oracle password cracker. If you can, NGSSQuirreL http://www.ngssoftware.com/squirrelora.htmsupports the option for _not_ showing the password if cracked - we added this for those using the tool for Sarbanes Oxley compliance. HTH, David Litchfield |
||
|
Title: Re: find out weak passwords best practices Post by Pete Finnigan on Nov 21st, 2005, 5:20pm thanks david, I will try to suggest this software to my customer in alternative to a perl script |
||
|
Title: Re: find out weak passwords best practices Post by Pete Finnigan on Nov 22nd, 2005, 8:07am David, your advise not to try connection is sound. If I want to write a script that compare hashes how should I start ? I could imagine the following : 1) select databasename, username, password in every databases 2) create user identified by user in a database created for this special purpose 3) compare the hashes and reveal weak database/users 4) create user identified by "dictionary word" 5) compare the hashes ... Or what is the best way to see if user1/user1 matches user1/BBE7786A584F9103 without trying the connection? I am using AIX and I am not allowed try "external software" on my pc |
||
|
Title: Re: find out weak passwords best practices Post by Pete Finnigan on Nov 22nd, 2005, 4:14pm one more try, feedback welcome : declare cursor c1 is select username u from dba_users where username=upper(username); cursor c2 is select upper(username) u from dba_users group by upper(username),password having count(*)>1; begin for r in c1 loop execute immediate 'create user "'||lower(r.u)||'" identified by "'||r.u||'"'; end loop; for r in c2 loop dbms_output.put_line('WARNING: '||r.u||' has a default password'); end loop; for r in c1 loop execute immediate 'drop user "'||lower(r.u)||'"'; end loop; end; / WARNING: DIP has a default password WARNING: OUTLN has a default password WARNING: USER1 has a default password WARNING: CTXSYS has a default password WARNING: EXFSYS has a default password WARNING: GASTON has a default password WARNING: TSMSYS has a default password I am using the concatenation and uppercase property of the algorythm to make that test. |
||
|
Title: Re: find out weak passwords best practices Post by Pete Finnigan on Dec 23rd, 2005, 4:45am Why don't you take a look at the scanner PeteF wrote in 2001 while still at Pentest Limited? It will check for default usernames/passwords based on auditing the hashvalues in dba_users against a pre-tabulated set of username/hashvalue pairs. It's available at http://www.pentest.co.uk/sql/scanner.sql If you update it with the list of username/password/passwordhash values from this site (Tools/Default Password List) you will pretty much have a tool to audit for default passwords. The benefit is that this is an audit that does not try repeated logon or create and drop users, actions that ought to be audited (by oracle db auditing features) in a production database. So you will not set off any alarms !!!! The script further has the benefit of being self-contained, i.e. it doesn't need 'write' access to the database - and it is written in pl/sql so you can review it to make sure it's not doing anything "funny". Oh, BTW it does a few other checks - you can disable those. |
||
|
Title: Re: find out weak passwords best practices Post by Pete Finnigan on Dec 23rd, 2005, 8:06am thanks for the hint, but I have another approach. If the users are ADAMS ANONYMOUS BLAKE CLARK CTXSYS DBSNMP DIP DMSYS EXFSYS HR JONES MDDATA MDSYS MGMT_VIEW ODM ODM_MTR OE OLAPSYS ORDPLUGINS ORDSYS OUTLN PERFSTAT PM QS QS_ADM QS_CB QS_CBADM QS_CS QS_ES QS_OS QS_WS SCOTT SH SI_INFORMTN_SCHEMA TSMSYS WK_TEST WKPROXY WKSYS WMSYS XDB, they must be locked, so I do not care of their password. I am looking to check in the database for "weak" password. Ok, username=password is the weakest, but my method is so slow that I cannot check millions of password for each user. I would like to write a much much much faster gethash(username,password), similar to orabf, but in plsql for example. Than I would be able to compare passwords. This is all what my function is about. David advise about NGS sounds wise, but if NGS can do it, I should also be able to do it. For the moment, I do not have the time to write my own algorythm, so I simply checking username=password with my doubious code above... Cheers Laurent PS: well, the code above revealed default password for DIP, but in my productive script, I check only for lock_date is null
|
||
|
Powered by YaBB 1 Gold - SP 1.4! Forum software copyright © 2000-2004 Yet another Bulletin Board |