   Author  Topic: Oracle password cracker written in PL/SQL  (Read 7835 times)
Pete Finnigan
Oracle password cracker written in PL/SQL
« on: Oct 1st, 2008, 9:39am »

Hi Guys,  
 
I have just released a free Oracle password cracker written completely in PL/SQL on my website. The reason for doing this is to try and encourage people to "test" passwords for strength in their own databases. I am not seeing any real improvements in password strength generally across the industry over the last 8 years.  
 
It is not the intention to replace the fast C based crackers such as woraauthbf but instead to supplement it. In my experience I find that people have not covered the bases yet, that is they still have passwords set to usernames, passwords set to defaults and also extremely weak passwords.
 
I often suggest to people to download binary based crackers but there is often a reticence to do this. Hence I decided to create a PL/SQL based one. This way there is no excuse, it's a SQL script that can be run in SQL*Plus and also it's going to find the core issues anyway before you need a faster cracker.
 
Some details on how it works and what it does are included in the page http://www.petefinnigan.com/oracle_password_cracker.htm for the cracker. You can also download it from the same page.  
 
Hope it's useful
 
cheers  
 
Pete

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
dajama2k
Re: Oracle password cracker written in PL/SQL
« Reply #1 on: Oct 29th, 2008, 8:46pm »

We just ran your latest version of this tool in a non-production instance.  We have 247 accounts and it took about 5 hours for the script to run.  We had a few accounts cracked with default passwords (which we'll change!) but no cracks for dictionary words or through brute force.  Are the dictionary words used for the dictionary crack attempt limited to the 47 words in the script?  What about the brute force crack; how is that working?  Would you recommend pointing to an external dictionary file with compiled hashes for both dictionary and brute force crack attempts?  Thanks!
 
 
Pete Finnigan
Re: Oracle password cracker written in PL/SQL
« Reply #2 on: Nov 5th, 2008, 4:40pm »

Hi,
 
Sorry for the delay, I have been working abroad for the last few days.
 
The dictionary included with the cracker is simple. You can easily extend it using any dictionary you can find on the net. An alternate solution is to read in the dictionary from a table in the database.  
 
Pre-compiling hashes is not really practical in this case. That is what rainbow tools do in essence.
 
The brute force is only to 4 characters and that part is what took the most of your five hours. This tool is nowhere near as fast as tools such as woraauthbf and it is not intended to be; as I have stated previously, the main focus of this tool is to get people to find the basics, i.e. password=username, password=default, password=dictionary word. It is intended to get people to do the checks without the need of a binary tool. You should, once you have started the process with this cracker, at some point move to a much faster tool such as woraauthbf.
 
You can change the brute force by changing the number of characters it brute forces to.
 
hope this helps
 
cheers
 
Pete
ntrvdonett
Re: Oracle password cracker written in PL/SQL
« Reply #3 on: Nov 13th, 2008, 12:05pm »

Hi,
 
I tried to use this cracker but I had some errors from SQLPLUS :  
 
SQL> start cracker-v2.0.sql
      from sys.user$
     *
ERROR at line 295:
ORA-06550: line 295, column 12:
PL/SQL: ORA-00942: table or view does not exist
ORA-06550: line 289, column 3:
PL/SQL: SQL Statement ignored
ORA-06550: line 305, column 7:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 305, column 4:
PL/SQL: Statement ignored
ORA-06550: line 310, column 7:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 310, column 4:
PL/SQL: Statement ignored
ORA-06550: line 330, column 8:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 330, column 4:
PL/SQL: Statement ignored
ORA-06550: line 334, column 32:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 334, column 4:
PL/SQL: Statement ignored
ORA-06550: line 335, column 36:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 335, column 4:
PL/SQL: Statement ignored
 
is it due to my version ? :  
 
Oracle9i Release 9.2.0.1.0 - Production
PL/SQL Release 9.2.0.1.0 - Production
CORE    9.2.0.1.0  Production
TNS for Linux: Version 9.2.0.1.0 - Production
NLSRTL Version 9.2.0.1.0 - Production
 
Regards
ntrvdonett
Re: Oracle password cracker written in PL/SQL
« Reply #4 on: Nov 24th, 2008, 9:42am »

Hi,
 
could you help me please ?
 
regards
Pete Finnigan
Re: Oracle password cracker written in PL/SQL
« Reply #5 on: Nov 24th, 2008, 10:37am »

Hi,  
 
Thanks for your post. Sorry for the delay, I have been working abroad and had no internet access.
 
The problem is simply permissions. Normally, you only need two permissions to run this cracker; these are CREATE SESSION and also SELECT on SYS.USER$:
 
SQL> select * from user_role_privs;
 
no rows selected
 
SQL> select * from user_sys_privs;
 
USERNAME        PRIVILEGE       ADM
------------------------------ ---------------------------------------- ---
CRACKER    CREATE SESSION       NO
 
1 row selected.
 
SQL> select * from user_tab_privs;
 
GRANTEE    OWNER
------------------------------ ------------------------------
TABLE_NAME      GRANTOR
------------------------------ ------------------------------
PRIVILEGE       GRA HIE
---------------------------------------- --- ---
CRACKER    SYS
USER$      SYS
SELECT          NO  NO
 
 
1 row selected.
 
SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Mon Nov 24 10:32:51 2008
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.
 
T Username   Password     CR FL STA
=======================================================
 
U "SYS"      [ORACLE1   ] DI CR OP
U "SYSTEM"   [ORACLE1   ] DI CR OP
U "OUTLN"    [OUTLN     ] DE CR EL
U "DIP"      [DIP       ] DE CR EL
U "TSMSYS"   [TSMSYS    ] PU CR EL
U "ORACLE_OCM"    [ORACLE_OCM     ] PU CR EL
U "XDB"      [CHANGE_ON_INSTALL   ] DE CR EL
R "GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP
U "DBSNMP"   [ORACLE1   ] DI CR OP
U "WMSYS"    [WMSYS     ] DE CR EL
U "EXFSYS"   [EXFSYS    ] DE CR EL
U "CTXSYS"   [CHANGE_ON_INSTALL   ] DE CR EL
U "XS$NULL"  [     ] -- -- EL
U "ANONYMOUS"     [IMP {anonymous}     ] IM CR EL
R "SPATIAL_WFS_ADMIN"  [SPATIAL_WFS_ADMIN   ] PU CR OP
U "ORDSYS"   [ORDSYS    ] DE CR EL
U "ORDPLUGINS"    [ORDPLUGINS     ] DE CR EL
U "SI_INFORMTN_SCHEMA" [SI_INFORMTN_SCHEMA  ] DE CR EL
U "MDSYS"    [MDSYS     ] DE CR EL
U "OLAPSYS"  [     ] -- -- EL
U "MDDATA"   [MDDATA    ] DE CR EL
U "HR"       [CHANGE_ON_INSTALL   ] DE CR EL
U "SPATIAL_WFS_ADMIN_U [SPATIAL_WFS_ADMIN_US] PU CR EL
R "WFS_USR_ROLE"  [WFS_USR_ROLE   ] PU CR OP
R "SPATIAL_CSW_ADMIN"  [SPATIAL_CSW_ADMIN   ] PU CR OP
U "SPATIAL_CSW_ADMIN_U [SPATIAL_CSW_ADMIN_US] PU CR EL
R "CSW_USR_ROLE"  [CSW_USR_ROLE   ] PU CR OP
U "WKSYS"    [CHANGE_ON_INSTALL   ] DE CR EL
U "WKPROXY"  [CHANGE_ON_INSTALL   ] DE CR EL
U "WK_TEST"  [WK_TEST   ] DE CR EL
U "SYSMAN"   [ORACLE1   ] DI CR OP
U "MGMT_VIEW"     [     ] -- -- OP
U "FLOWS_FILES"   [     ] -- -- EL
U "APEX_PUBLIC_USER"   [     ] -- -- EL
U "FLOWS_030000"  [     ] -- -- EL
U "OWBSYS"   [OWBSYS    ] PU CR EL
R "OWB$CLIENT"    [S    ] BF CR OP
R "OWB_DESIGNCENTER_VI [S    ] BF CR OP
U "SCOTT"    [TIGER     ] DE CR EG
U "AB"       [AB   ] PU CR OP
U "OE"       [CHANGE_ON_INSTALL   ] DE CR EL
U "IX"       [CHANGE_ON_INSTALL   ] DE CR EL
U "SH"       [CHANGE_ON_INSTALL   ] DE CR EL
U "PM"       [CHANGE_ON_INSTALL   ] DE CR EL
U "BI"       [CHANGE_ON_INSTALL   ] DE CR EL
U "PETE"     [PETE      ] DE CR OP
U "BILL"     [BILL      ] PU CR OP
U "A"   [A    ] PU CR OP
U "B"   [B    ] PU CR OP
U "C"   [C    ] PU CR OP
U "RES_TEST"      [RES_TEST  ] PU CR OP
U "XX"       [123456    ] DI CR OP
U "ORASCAN"  [ORASCAN   ] PU CR OP
U "IMPOSS"   [IMP {imposs123456789] IM CR OP
U "D"   [     ] -- -- OP
U "P1"       [P1   ] PU CR OP
U "P2"       [P2   ] PU CR OP
U "CRACKER"  [CRACKER   ] PU CR OP
 
 
INFO: Number of crack attempts = [59963]
INFO: Elapsed time = [4.24 Seconds]
INFO: Cracks per second = [14140]
 
PL/SQL procedure successfully completed.
 
SQL>
 
So simply do:
 
GRANT SELECT ON SYS.USER$ TO {USER} and
GRANT CREATE SESSION TO {USER}
 
Hope this helps
 
cheers
 
Pete
ntrvdonett
Re: Oracle password cracker written in PL/SQL
« Reply #6 on: Dec 2nd, 2008, 3:48pm »

Hi Pete,
 
It's the heart of my problem!!
My privileges are insufficient; this is the reason why I would like to find the admin password!! It's an old DB and I would like to delete undotbs1 because of its size > 10Go. The manufacturer does not maintain this system but it still has to work!!
 
SQL>  GRANT SELECT ON SYS.USER$ TO ab_svr;
 GRANT SELECT ON SYS.USER$ TO ab_svr
      *
ERROR at line 1:
ORA-00942: table or view does not exist
 
 
SQL>  GRANT CREATE SESSION TO ab_svr;
 GRANT CREATE SESSION TO ab_svr
*
ERROR at line 1:
ORA-01031: insufficient privileges
 
Thanks
 
Fabrice
gamyers
Re: Oracle password cracker written in PL/SQL
« Reply #7 on: Dec 3rd, 2008, 10:20pm »

What privileges do you have ?
Someone (presumably) has access to the server the database is running on and can log in as oracle and connect with the / AS SYSDBA syntax.
Once that's done they can reset the password.
ntrvdonett
Re: Oracle password cracker written in PL/SQL
« Reply #8 on: Dec 8th, 2008, 9:34am »

Hello Pete,
 
My privileges are : (from DBA_TAB_PRIVS)
 
GRANTEE : ab_svr
OWNER : ab_admin (I have an access to ab_admin)
TABLE_NAME : several  
GRANTOR : ab_static or ab_admin (I have an access too)
PRIVILEGE : SELECT, INSERT,UPDATE,DELETE.
 
Could you explain to me the way to use / AS SYSDBA?
 
Thanks again
gamyers
Re: Oracle password cracker written in PL/SQL
« Reply #9 on: Dec 8th, 2008, 10:21pm »

System privileges would be more useful than tab privileges. For example, if you have the ALTER USER system privilege you can simply reset the password (using ALTER USER).
To connect using "/ AS SYSDBA", log on to the server that the database is running on as the oracle user. If you don't have that password, the system administrator should be able to log in as root and change it. If it is a Windows server, a user with administrator privileges should work too.
Then, from a command prompt, try  
sqlplus / as sysdba
That assumes there's only one instance running on that database.
As you can understand, a typical oracle user should NOT be able to access/change/crack passwords.  
 
That isn't to say that they can't (especially if patching has been neglected), but the legitimate DBA should have more direct official routes to get things done.
Mesli
Re: Oracle password cracker written in PL/SQL
« Reply #10 on: Apr 27th, 2009, 4:07pm »

hey,
Question n1: plz what is the meaning of PU CR OP BF EL DI?
 
Question n2: I would like to post the result of your script in an HTML page, how can I do it?
 
thx .
Pete Finnigan
Re: Oracle password cracker written in PL/SQL
« Reply #11 on: Apr 27th, 2009, 9:21pm »

Hi,
 
PU = Password equals Username, i.e. the password was cracked like this
CR = Cracked - I added this to post process with awk
OP = Open account status
BF = Brute Force - i.e. the password was cracked in brute force mode
EL = Expired Locked - it's an account status
DI = Dictionary - it means that the password was cracked using a dictionary word.
 
HTML:- The easiest way would be to modify the output statements in the PL/SQL to output a HTML table.
 
cheers
 
Pete
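
Added example (not part of the post above and not the cracker's own code): the reply mentions post-processing the report with awk, and this sketch does that to pull out open accounts whose password was recovered. It assumes the last three fields of each result row are crack method, the CR flag and account status, as in the sample output in Reply #5; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage of the cracker's report; not the cracker's own code.
# Assumption from the sample output in this thread: on each result row,
# field 1 is U or R, field 2 is the quoted name, and the last three fields
# are crack method, the CR (cracked) flag and the account status.

# Constructed sample report; names and passwords are made up.
sample_output() {
cat <<'EOF'
T Username   Password     CR FL STA
=======================================================

U "APP_OWNER"  [APP_OWNER ] PU CR OP
U "REPORTS"    [WELCOME1  ] DI CR OP
U "OLD_BATCH"  [OLD_BATCH ] PU CR EL
R "LOAD_ROLE"  [S    ] BF CR OP
U "LEGACY"     [LEGACY1   ] DE CR OP
U "SVC_LONG_ACCOUNT_NA [SVC_LONG_ACCOUNT_NAM] PU CR OP
U "HARDENED"   [     ] -- -- OP

INFO: Number of crack attempts = [59963]
EOF
}

# "NAME METHOD" for rows flagged CR with status OP: a recovered password on
# an account that can still log in. The password column is dropped on
# purpose so the list can be passed around for remediation.
open_cracked() {
  awk '($1 == "U" || $1 == "R") && NF >= 5 && $(NF-1) == "CR" && $NF == "OP" {
         name = $2; gsub(/"/, "", name); print name, $(NF-2)
       }' "$@" | LC_ALL=C sort
}

# Cracked rows per method. Only PU, DI and BF are explained in the thread;
# any other code is counted but left unnamed.
method_summary() {
  awk 'BEGIN { label["PU"] = "password=username"
               label["DI"] = "dictionary word"
               label["BF"] = "brute force" }
       ($1 == "U" || $1 == "R") && NF >= 5 && $(NF-1) == "CR" { n[$(NF-2)]++ }
       END { for (m in n) {
               d = (m in label) ? label[m] : "not explained in this thread"
               print m, n[m], d } }
      ' "$@" | LC_ALL=C sort
}

# Stand-alone run on the constructed sample; pass a spooled report file
# as an argument to either function to use real output.
sample_output | open_cracked
sample_output | method_summary
```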
newbie_01
Re: Oracle password cracker written in PL/SQL
« Reply #12 on: May 28th, 2009, 6:33am »

Hi Pete,
 
I downloaded versions 1.4, 1.3 and 1.2. Version 1.4 is giving errors as below.
 
BEGIN :debugv := 'OFF'; END;
 
*
ERROR at line 1:
ORA-06502: PL/SQL: numeric or value error: character string buffer too small
ORA-06512: at line 1
 
Version 1.3 does not give errors so I used that instead.
 
BTW, you mentioned another password checker, woraauthbf, can that be run as is as well, i.e. like running a UNIX script or a PL/SQL script?
 
Finally, does your copyright prohibit wrap(ping) your password cracker to a .plb 'coz the PL/SQL is readable in plain text. Incidentally, I tried a sample PL/SQL file and ran a wrap on it then ran the strings command and I can see the code in plain text so probably not something worth doing. In any case, may I obtain permission to convert the PL/SQL file into some binary form that can be executed from within SQL*Plus, at the moment, I only know of using wrap.
 
Thanks in advance.
Pete Finnigan
Re: Oracle password cracker written in PL/SQL
« Reply #13 on: May 28th, 2009, 9:37am »

Hi,
 
Thanks for your post. I found this a strange one. I ran this on my own 11.1.0.7 database and it works fine:
 
Connected to:
Personal Oracle Database 11g Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
 
SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Thu May 28 09:02:58 2009
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.
 
T Username   Password     CR FL STA
=======================================================
 
U "SYS"      [ORACLE1   ] DI CR OP
U "SYSTEM"   [ORACLE1   ] DI CR OP
U "OUTLN"    [OUTLN     ] DE CR EL
...
 
I did investigate the code though and there is an issue with the variable debugv being varchar2(2) whereas it should be length 3 to accommodate the word 'OFF'. I have fixed the code and updated the zip to version 1.5. The new code is available from http://www.petefinnigan.com/oracle_password_cracker.htm .
 
You cannot wrap a SQL*Plus script; you can only wrap database objects such as PROCEDURES, FUNCTIONS, PACKAGES {BODY}, TYPE {BODY}.  This is why it didn't work. Also if you want to wrap it then wrap the testpwd.sql code available from http://www.petefinnigan.com/tools.htm as that is intended to be installed in the database BUT you will need to feed it with passwords.
 
Yes, woraauthbf by Laszlo is a cracker written in C. There is a link on my tools page or in the blog. It is a binary. I wrote the PL/SQL script because people had issues using binaries in their organisations.
 
cheers
 
Pete