
Pete Finnigan's Oracle security weblog



Hashattack - Oracle password tool update to version 2.0

August 11th, 2005 by Pete


Josh Wright has just informed us via a thread on my Oracle security forum titled "hashattack a dictionary attack tool for Oracle" that he has updated the tool to version 2.0.

This tool can be used to pre-compute password hashes for an Oracle database user so that a simple repeatable check can be made for weak passwords. This tool is very useful for default accounts such as SYS or SYSTEM or application accounts that would be checked regularly.

Version 2.0 has had some improvements added based on a discussion on my forum. Thanks to Gary for suggestions.

The changes (stolen from Josh’s change log ..:-) ) are:-

"2005-08-11 - 0.2.0
+ Improvements implemented following suggestions from Pete Finnigan and
gamyers in the "hashattack a dictionary attack tool for Oracle" thread at
www.petefinnigan.com.
+ Creates a profile called "HASHATTACK_PROFILE" to limit sessions_per_user,
connect_time, idle_time, failed_login_attempts, password_reuse_max and
password_verify_function to appropriate values. This is necessary because
the default profile should have constraints applied that will hinder
hashattack's performance. You have applied limits to the default profile,
right?
+ Added a check to see if the temp account exists before creating.
+ Properly quoted passwords for alter user syntax.
+ Re-wrote how passwords are collected from the filesystem; instead of
multiple UTL_FILE calls for each word, build an external table that turns
into a database table via CTAS statement, and read words from a cursor."


I have updated my Oracle Security Tools page to include a link to version 2.0.
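
As an added example (not part of Josh's tool or the original post), the following queries audit the profile limits the change log names across every profile, and list any account still assigned HASHATTACK_PROFILE after a test run. They assume SELECT access to the DBA_PROFILES and DBA_USERS dictionary views.

```sql
-- Added example: review the six limits named in the change log for every
-- profile, with the number of accounts each profile covers.
-- In DBA_PROFILES, LIMIT is a string: 'UNLIMITED', 'DEFAULT' (inherit from
-- the DEFAULT profile), 'NULL' (no verify function), or the configured value.
SELECT p.profile,
       p.resource_name,
       p.limit,
       (SELECT COUNT(*)
          FROM dba_users u
         WHERE u.profile = p.profile) AS accounts,
       CASE
         WHEN p.limit IN ('UNLIMITED', 'NULL') THEN 'NO LIMIT SET'
         WHEN p.limit = 'DEFAULT'              THEN 'INHERITS FROM DEFAULT PROFILE'
         ELSE 'LIMIT SET'
       END AS finding
  FROM dba_profiles p
 WHERE p.resource_name IN ('SESSIONS_PER_USER',
                           'CONNECT_TIME',
                           'IDLE_TIME',
                           'FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_REUSE_MAX',
                           'PASSWORD_VERIFY_FUNCTION')
 ORDER BY p.profile, p.resource_name;

-- Accounts still assigned the profile the tool creates. After a password
-- check has finished, this should normally return no rows.
SELECT username, account_status, profile
  FROM dba_users
 WHERE profile = 'HASHATTACK_PROFILE';
```

Rows for the DEFAULT profile that show 'NO LIMIT SET' are the case the change log's closing question is asking about.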


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
