This tool can be used to pre-compute password hashes for an Oracle database user so that a simple repeatable check can be made for weak passwords. This tool is very useful for default accounts such as SYS or SYSTEM or application accounts that would be checked regularly.
Version 2.0 has had some improvements added based on a discussion on my forum. Thanks to Gary for suggestions.
The changes (stolen from Josh’s change log ..:-) ) are:-
"2005-08-11 - 0.2.0
+ Improvements implemented following suggestions from Pete Finnigan and
gamyers in the "hashattack a dictionary attack tool for Oracle" thread at
+ Creates a profile called "HASHATTACK_PROFILE" to limit sessions_per_user,
connect_time, idle_time, failed_login_attempts, password_reuse_max and
password_verify_function to appropriate values. This is necessary because
the default profile should have constraints applied that will hinder
hashattack's performance. You have applied limits to the default profile,
+ Added a check to see if the temp account exists before creating.
+ Properly quoted passwords for alter user syntax.
+ Re-wrote how passwords are collected from the filesystem; instead of
multiple UTL_FILE calls for each word, build an external table that turns
into a database table via CTAS statement, and read words from a cursor."
I have updated my Oracle Security Tools page to include a link to version 2.0.