
Pete Finnigan's Oracle security weblog


Hashattack - Oracle password tool update to version 2.0

August 11th, 2005 by Pete

Josh Wright has just informed us via a thread on my Oracle security forum titled "hashattack a dictionary attack tool for Oracle" that he has updated the tool to version 2.0.

This tool can be used to pre-compute password hashes for an Oracle database user so that a simple repeatable check can be made for weak passwords. This tool is very useful for default accounts such as SYS or SYSTEM or application accounts that would be checked regularly.

Version 2.0 has had some improvements added based on a discussion on my forum. Thanks to Gary for suggestions.

The changes (stolen from Josh’s change log ..:-) ) are:-

"2005-08-11 - 0.2.0
+ Improvements implemented following suggestions from Pete Finnigan and
gamyers in the "hashattack a dictionary attack tool for Oracle" thread at
+ Creates a profile called "HASHATTACK_PROFILE" to limit sessions_per_user,
connect_time, idle_time, failed_login_attempts, password_reuse_max and
password_verify_function to appropriate values. This is necessary because
the default profile should have constraints applied that will hinder
hashattack's performance. You have applied limits to the default profile,
+ Added a check to see if the temp account exists before creating.
+ Properly quoted passwords for alter user syntax.
+ Re-wrote how passwords are collected from the filesystem; instead of
multiple UTL_FILE calls for each word, build an external table that turns
into a database table via CTAS statement, and read words from a cursor."

I have updated my Oracle Security Tools page to include a link to version 2.0.
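The change log notes that the default profile should carry limits and that the tool creates its own "HASHATTACK_PROFILE". The query below is an added example, not part of hashattack or of the original post: it lists each account's effective limit for the six resources the change log names and flags any account still assigned to the audit profile after a run. It assumes read access to the DBA_USERS and DBA_PROFILES dictionary views; the finding labels are illustrative.

```sql
-- Added example: effective profile limits per account for the resources
-- named in the hashattack change log.
-- A limit shown as DEFAULT in a non-default profile inherits its value
-- from the DEFAULT profile, so resolve that before judging the setting.
WITH effective AS (
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END
           AS effective_limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON  d.profile       = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_name IN ('SESSIONS_PER_USER',
                             'CONNECT_TIME',
                             'IDLE_TIME',
                             'FAILED_LOGIN_ATTEMPTS',
                             'PASSWORD_REUSE_MAX',
                             'PASSWORD_VERIFY_FUNCTION')
)
SELECT u.username,
       u.account_status,
       u.profile,
       e.resource_name,
       e.effective_limit,
       CASE
         -- Profile name taken from the change log; an account still using
         -- it after an audit run has the relaxed limits applied.
         WHEN u.profile = 'HASHATTACK_PROFILE'
           THEN 'AUDIT PROFILE STILL ASSIGNED'
         -- UNLIMITED means no cap; NULL is how DBA_PROFILES reports
         -- "no password verify function".
         WHEN e.effective_limit IN ('UNLIMITED', 'NULL')
           THEN 'NOT CONSTRAINED'
         ELSE 'OK'
       END AS finding
FROM   dba_users u
JOIN   effective e
       ON e.profile = u.profile
ORDER  BY u.username, e.resource_name;
```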


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
