[Previous entry: "10gR2 the CONNECT role has finally been sanitized"] [Next entry: "slashdot discussion about Mary Ann Davidsons recent news article"]
Joshua Wright has provided a free tool to check Oracle accounts for common passwords
August 8th, 2005 by Pete
Post to del.icio.us
Post to Furl
Josh Wright who normally teaches the SECURITY 509: Securing Oracle that I wrote for SANS has written a useful tool called hashattack. This is a set of simple scripts that pre-computes the password hashes for a particular Oracle user such as SYS or SYSTEM. The scripts use a dictionary (you can provide your own) to pre-compute the hashes for a large list of possible passwords. You then can use the database table of password/hash combinations to check if the current password is set to a dictionary word. The list can then be used to check the password for the same user in any number of databases. So whilst it is time consuming to create the hash list once created it can be re0used to great effect.
I have added details of the tool on my Oracle security tools page and extra description there.
