Pete Finnigan's Oracle Security Forum - Oracle password cracker written in PL/SQL

Forum

Home/Forum

Welcome, Guest. Please Login. Apr 19^th, 2024, 3:07pm News: If you would like to register contact the forum admin
Home \| Help \| Search \| Members \| Login

   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security tools (Moderator: Pete Finnigan)
   Oracle password cracker written in PL/SQL

« Previous topic | Next topic »

Pages: 1

Reply | Notify of replies | Send Topic | Print

Author

Topic: Oracle password cracker written in PL/SQL (Read 34729 times)

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Oracle password cracker written in PL/SQL
« on: Oct 1^st, 2008, 9:39am »

Quote | Modify

Hi Guys,

I have just released a free Oracle password cracker written completely in PL/SQL on my website. The reason for doing this is to try and encourage people to "test" passwords for strength in their own databases. I am not seeing any real improvements in password strength generally across the industry over the last 8 years.

It is not the intention to replace the fast C based crackers such as woraauthbf but instead to suppliment it. In my experience I find that people have not covered the bases yet, that is they still have passwords set to usernames, passwords set to defaults and also extremely weak passwords.

I often suggest to people to download binary based crackers but there is often a reticence to do this. Hence I decided to create a PL/SQL based one. This way there is no excuse, its a SQL script that can be run in SQL*Plus and also its going to find the core issues anyway before you need a faster cracker.

Some details on how it works and what it does are included in the page http://www.petefinnigan.com/oracle_password_cracker.htm for the cracker. You can also download it from the same page.

hope its useful

cheers

Pete

IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #1 on: Oct 29^th, 2008, 8:46pm »

Quote | Modify

We just ran your latest version of this tool in a non-production instance. We have 247 accounts and it took about 5 hours for the script to run. We had a few accounts cracked with default passwords (which we'll change!) but no cracks for dictionary words or through brute force. Are the dictionary words used for the dictionary crack attempt limited to the 47 words in the script? What about the brute force crack; how is that working? Would you recommend pointing to an extenal dictionary file with compiled hashes for both dictionary and brute force crack attempts? Thanks!

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #2 on: Nov 5^th, 2008, 4:40pm »

Quote | Modify

Hi,

Sorry for the delay, I have been working abroad for the last few days.

The dictionary included with the cracker is simple. You can easily extend it using any dictionary you can find on the net. An alternate solution is to read in the dictionary from a table in the database.

Pre-compiling hashes is not really practical in this case. That is what rainbow tools do in essence.

The brute force is only to 4 characters and that part is what took the most of your five hours. This tool is no where near as fast as tools such as woraauthbf and it is not intended to be as I have stated previously the main focus of this tool is to get people to find the basics, i.e. password=username, password=default, password=dictionary word. It is intended to get people to do the checks without the need of a binary tool. You should, once you have started the process with this cracker at some point move to a much faster tool such as woraauthbf.

You can change the brute force by changing the number of characters it brute forces to.

hope this helps

cheers

Pete

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #3 on: Nov 13^th, 2008, 12:05pm »

Quote | Modify

Hi,

I tried to use this cracker but I had some errors from SQLPLUS :

SQL> start cracker-v2.0.sql
from sys.user$
*
ERROR at line 295:
ORA-06550: line 295, column 12:
PL/SQL: ORA-00942: table or view does not exist
ORA-06550: line 289, column 3:
PL/SQL: SQL Statement ignored
ORA-06550: line 305, column 7:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 305, column 4:
PL/SQL: Statement ignored
ORA-06550: line 310, column 7:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 310, column 4:
PL/SQL: Statement ignored
ORA-06550: line 330, column 8:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 330, column 4:
PL/SQL: Statement ignored
ORA-06550: line 334, column 32:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 334, column 4:
PL/SQL: Statement ignored
ORA-06550: line 335, column 36:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 335, column 4:
PL/SQL: Statement ignored

is it due to my version ? :

Oracle9i Release 9.2.0.1.0 - Production
PL/SQL Release 9.2.0.1.0 - Production
CORE 9.2.0.1.0 Production
TNS for Linux: Version 9.2.0.1.0 - Production
NLSRTL Version 9.2.0.1.0 - Production

Regard

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #4 on: Nov 24^th, 2008, 9:42am »

Quote | Modify

Hi,

could you help me please ?

regards

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #5 on: Nov 24^th, 2008, 10:37am »

Quote | Modify

Hi,

Thanks for your post. Sorry for the delay, I have been working abroad and had no internet access.

The problem is simply permissions. Normally, you only need two permissions to run this cracker, this is CREATE SESSION and also SELECT on SYS.USER$:

SQL> select * from user_role_privs;

no rows selected

SQL> select * from user_sys_privs;

USERNAME PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
CRACKER CREATE SESSION NO

1 row selected.

SQL> select * from user_tab_privs;

GRANTEE OWNER
------------------------------ ------------------------------
TABLE_NAME GRANTOR
------------------------------ ------------------------------
PRIVILEGE GRA HIE
---------------------------------------- --- ---
CRACKER SYS
USER$ SYS
SELECT NO NO

1 row selected.

SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Mon Nov 24 10:32:51 2008
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username Password CR FL STA
=======================================================

U "SYS" [ORACLE1 ] DI CR OP
U "SYSTEM" [ORACLE1 ] DI CR OP
U "OUTLN" [OUTLN ] DE CR EL
U "DIP" [DIP ] DE CR EL
U "TSMSYS" [TSMSYS ] PU CR EL
U "ORACLE_OCM" [ORACLE_OCM ] PU CR EL
U "XDB" [CHANGE_ON_INSTALL ] DE CR EL
R "GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP
U "DBSNMP" [ORACLE1 ] DI CR OP
U "WMSYS" [WMSYS ] DE CR EL
U "EXFSYS" [EXFSYS ] DE CR EL
U "CTXSYS" [CHANGE_ON_INSTALL ] DE CR EL
U "XS$NULL" [ ] -- -- EL
U "ANONYMOUS" [IMP {anonymous} ] IM CR EL
R "SPATIAL_WFS_ADMIN" [SPATIAL_WFS_ADMIN ] PU CR OP
U "ORDSYS" [ORDSYS ] DE CR EL
U "ORDPLUGINS" [ORDPLUGINS ] DE CR EL
U "SI_INFORMTN_SCHEMA" [SI_INFORMTN_SCHEMA ] DE CR EL
U "MDSYS" [MDSYS ] DE CR EL
U "OLAPSYS" [ ] -- -- EL
U "MDDATA" [MDDATA ] DE CR EL
U "HR" [CHANGE_ON_INSTALL ] DE CR EL
U "SPATIAL_WFS_ADMIN_U [SPATIAL_WFS_ADMIN_US] PU CR EL
R "WFS_USR_ROLE" [WFS_USR_ROLE ] PU CR OP
R "SPATIAL_CSW_ADMIN" [SPATIAL_CSW_ADMIN ] PU CR OP
U "SPATIAL_CSW_ADMIN_U [SPATIAL_CSW_ADMIN_US] PU CR EL
R "CSW_USR_ROLE" [CSW_USR_ROLE ] PU CR OP
U "WKSYS" [CHANGE_ON_INSTALL ] DE CR EL
U "WKPROXY" [CHANGE_ON_INSTALL ] DE CR EL
U "WK_TEST" [WK_TEST ] DE CR EL
U "SYSMAN" [ORACLE1 ] DI CR OP
U "MGMT_VIEW" [ ] -- -- OP
U "FLOWS_FILES" [ ] -- -- EL
U "APEX_PUBLIC_USER" [ ] -- -- EL
U "FLOWS_030000" [ ] -- -- EL
U "OWBSYS" [OWBSYS ] PU CR EL
R "OWB$CLIENT" [S ] BF CR OP
R "OWB_DESIGNCENTER_VI [S ] BF CR OP
U "SCOTT" [TIGER ] DE CR EG
U "AB" [AB ] PU CR OP
U "OE" [CHANGE_ON_INSTALL ] DE CR EL
U "IX" [CHANGE_ON_INSTALL ] DE CR EL
U "SH" [CHANGE_ON_INSTALL ] DE CR EL
U "PM" [CHANGE_ON_INSTALL ] DE CR EL
U "BI" [CHANGE_ON_INSTALL ] DE CR EL
U "PETE" [PETE ] DE CR OP
U "BILL" [BILL ] PU CR OP
U "A" [A ] PU CR OP
U "B" [B ] PU CR OP
U "C" [C ] PU CR OP
U "RES_TEST" [RES_TEST ] PU CR OP
U "XX" [123456 ] DI CR OP
U "ORASCAN" [ORASCAN ] PU CR OP
U "IMPOSS" [IMP {imposs123456789] IM CR OP
U "D" [ ] -- -- OP
U "P1" [P1 ] PU CR OP
U "P2" [P2 ] PU CR OP
U "CRACKER" [CRACKER ] PU CR OP

INFO: Number of crack attempts = [59963]
INFO: Elapsed time = [4.24 Seconds]
INFO: Cracks per second = [14140]

PL/SQL procedure successfully completed.

SQL>

So simply do:

GRANT SELECT ON SYS.USER$ TO {USER} and
GRANT CREATE SESSION TO {USER}

Hope this helps

cheers

Pete

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #6 on: Dec 2^nd, 2008, 3:48pm »

Quote | Modify

Hi Pete,

it's the heart of my problem !!
my privileges are insufficient, this the reason why I would like to find admin password !! It's an old DB and I would like to delete undotbs1 because of its size > 10Go. Manufacturer does not maintain this system but it have to work yet !!

SQL> GRANT SELECT ON SYS.USER$ TO ab_svr;
GRANT SELECT ON SYS.USER$ TO ab_svr
*
ERROR at line 1:
ORA-00942: table or view does not exist

SQL> GRANT CREATE SESSION TO ab_svr;
GRANT CREATE SESSION TO ab_svr
*
ERROR at line 1:
ORA-01031: insufficient privileges

thank

Fabrice

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #7 on: Dec 3^rd, 2008, 10:20pm »

Quote | Modify

What privileges do you have ?
Someone (presumably) has access to the server the database is running on and can log in as oracle and connect with the / AS SYSDBA syntax.
Once that's done they can reset the password.

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #8 on: Dec 8^th, 2008, 9:34am »

Quote | Modify

Hello Pete,

My privileges are : (from DBA_TAB_PRIVS)

GRANTEE : ab_svr
OWNER : ab_admin (I have an access to ab_admin)
TABLE_NAME : several
GRANTOR : ab_static or ab_admin (I have an access too)
PRIVILEGE : SELECT, INSERT,UPDATE,DELETE.

Could you explain me the way to use / AS SYSDBA ??

Thank again

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #9 on: Dec 8^th, 2008, 10:21pm »

Quote | Modify

System privileges would be more useful than tab privilieges. For example, if you have the ALTER USER system privilege you can simply reset the password (using ALTER USER).
To connect using "/ AS SYSDBA", log on to the server that the database is running on as the oracle user. If you don't have that password, the system administrator should be able to log in as root and change it. If it is a Windows server, a user with administrator privileges should work too.
Then, from a command prompt, try
sqlplus / as sysdba
That assumes there's only one instance running on that database.
As you can understand, a typical oracle user should NOT be able to access/change/crack passwords.

That isn't to say that they can't (especially if patching has been neglected), but the legitimate DBA should have more direct official routes to get things done.

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #10 on: Apr 27^th, 2009, 4:07pm »

Quote | Modify

hey,
Question n°1:plz what is the meaning of PU CR OP BF EL DI .

Question n°2:i would like to post the result of your script in HTML page ,how can i do ?

thx .

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #11 on: Apr 27^th, 2009, 9:21pm »

Quote | Modify

Hi,

PU = Password equals Username, i..e the password was cracked like this
CR = Cracked - I added this to post process with awk
OP = Open account status
BF = Brute Force - i.e. the password was cracked in brute force mode
EL = Expired Locked - its an account status
DI = Dictionary - it means that the password was cracked using a dictionary word.

HTML:- The easiest way would be to modify the output statements in the PL/SQL to output a HTML table.

cheers

Pete

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #12 on: May 28^th, 2009, 6:33am »

Quote | Modify

Hi Pete,

I downloaded versions 1.4, 1.3 and 1.2. Version 1.4 is giving errors as below. BEGIN :debugv := 'OFF'; END;

*
ERROR at line 1:
ORA-06502: PL/SQL: numeric or value error: character string buffer too small
ORA-06512: at line 1

Version 1.3 does not give errors so I used that instead.

BTW, you mentioned another password checker, woraauthbf, can that be run as is as well, i.e. like running a UNIX script or a PL/SQL script.

Finally, does your copyright prohibit wrap(ping) your password cracker to a .plb 'coz the PL/SQL is readable in plain text. Incidentally, I tried a sample PL/SQL file and run a wrap on it then run the strings command and I can see the code in plain text so probably not something worth doing. In any case, may I obtain permission to convert the PL/SQL file into some binary form that can be executed from within SQL*Plus, at the moment, only know of using wrap.

Thanks in advance.

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: Oracle password cracker written in PL/SQL
« Reply #13 on: May 28^th, 2009, 9:37am »

Quote | Modify

Hi,

Thanks for your post. I found this a strange one. I ran this on my own 11.1.0.7 database and it works fine:

Connected to:
Personal Oracle Database 11g Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Thu May 28 09:02:58 2009
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username Password CR FL STA
=======================================================

U "SYS" [ORACLE1 ] DI CR OP
U "SYSTEM" [ORACLE1 ] DI CR OP
U "OUTLN" [OUTLN ] DE CR EL
...

I did investigate the code though and there is an issue with the variable debugv being varchar2(2) whereas it should be length 3 to accomodate the word 'OFF'. I have fixed the code and updated the zip to version 1.5. The new code is available from http://www.petefinnigan.com/oracle_password_cracker.htm .

You cannot wrap a SQL*Plus script; you can only wrap database objects such as PROCEDURES, FUNCTIONS, PACKAGES {BODY}, TYPE {BODY}. This is why it didnt work. Also if you want to wrap it then wrap the testpwd.sql code available from http://www.petefinnigan.com/tools.htm as that is intended to be installed in the database BUT you will need to feed it with passwords.

Yes worauthbf by Laszlo is a cracker witten in C. There is a link on my tools page or in the blog. It is a binary. I wrote the PL/SQL script because people had issues using binaries in their organisations.

cheers

Pete

IP Logged

Pages: 1

Reply | Notify of replies | Send Topic | Print


« Previous topic \| Next topic »

PFCLScan
Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

Learn more
PFCLObfuscate
PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

Learn more
PFCLCode
PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

Learn more
PFCLForensics
PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

Learn more
PFCLReselling
PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

Learn more
PFCLATK
PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

Learn more
PFCLCookie
PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

Learn more
PFCLTraining
PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

Learn more
PFCLServices
Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

Learn more
PFCLConsulting
Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

Learn more
PFCLCustom
All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

Learn more
PFCLCloud
Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

Learn more
PFCLUserRights
PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

Learn more
PFCLSTK
PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

Learn more
PFCLSFTK
PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

Learn more
PFCLSEO
PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues

Learn more