
# Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

## Red Database Security has released a standalone Oracle password cracker

Red Database Security has just let me know that they have released a standalone Oracle password cracker using Eric Young's DES encryption library. There are two downloads available. The first is oracle_checkpwd.zip (704KB), which includes the libraries and also a default password list. The second is checkpwd_big.zip (4.7MB), which again includes the libraries and binary and a 1.5 million word dictionary. The tool can be used as follows:

```
C:\petefinnigan.com\alex\password cracker>checkpwd
Checkpwd 1.00 - (c) 2005 by Red Database-Security GmbH
usage: checkpwd <-quiet>
for example: checkpwd -quiet system/manager@mydbserver default_passwords.txt
or: checkpwd SCOTT:F894844C34402B67 default_passwords.txt
```

You can connect to the database and get the password hash from there, or supply it on the command line. Here is a sample run:

```
SQL> alter user scott identified by zztop;

User altered.

SQL> select username,password from dba_users
  2  where username='SCOTT';

USERNAME                       PASSWORD
------------------------------ ------------------------
SCOTT                          C602545F6676B420

SQL>
```

The password hash can then be used as input to the tool:

```
C:\petefinnigan.com\alex\big_password_check>checkpwd SCOTT:C602545F6676B420 password_list.txt
Checkpwd 1.00 - (c) 2005 by Red Database-Security GmbH
opening weak password list file
reading weak passwords list
checking passwords
SCOTT has weak password zztop
Done. Summary:
  Passwords checked        : 1543885
  Weak passwords found     : 1
  Elapsed time (min:sec)   : 0:11
  Passwords / second       : 140353
```

It is quite fast at 140,000 passwords per second, though not as fast as the crackers available in commercial tools, but it is leagues better than using PL/SQL-based tools to audit passwords. I will add links to these tools on my Oracle Security Tools page.
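
For audit reporting, the output of a run like the one above can be reduced to account names plus a completeness flag, so that recovered passwords never end up in a filed report. This is an added example, not part of the original post or of checkpwd itself; the line formats are assumed from the single sample run shown, and `parse_checkpwd` and `audit_report` are hypothetical names.

```python
import re

# Constructed input: the sample run from the post, one output field per line.
SAMPLE = """\
Checkpwd 1.00 - (c) 2005 by Red Database-Security GmbH
opening weak password list file
reading weak passwords list
checking passwords
SCOTT has weak password zztop
Done. Summary:
  Passwords checked        : 1543885
  Weak passwords found     : 1
  Elapsed time (min:sec)   : 0:11
  Passwords / second       : 140353
"""

# Assumed line formats, taken from the one run shown in the post.
WEAK = re.compile(r"^(\S+) has weak password\b")
FIELD = re.compile(r"^\s*(.+?)\s+:\s+(\S+)\s*$")

def parse_checkpwd(text):
    """Return (weak account names, summary fields); cleartext passwords are dropped."""
    weak, summary = [], {}
    for line in text.splitlines():
        m = WEAK.match(line.strip())
        if m:
            weak.append(m.group(1).upper())  # keep the account, never the password
            continue
        m = FIELD.match(line)
        if m:
            summary[m.group(1)] = m.group(2)
    return weak, summary

def audit_report(text):
    """Build a report that is safe to file: account names and a completeness flag."""
    weak, summary = parse_checkpwd(text)
    found = summary.get("Weak passwords found", "")
    checked = summary.get("Passwords checked", "")
    # A run that was cut short has no summary, so "no findings" proves nothing.
    complete = found.isdigit() and int(found) == len(weak)
    return {
        "complete": complete,
        "weak_accounts": sorted(set(weak)),
        "checked": int(checked) if checked.isdigit() else 0,
    }

if __name__ == "__main__":
    print(audit_report(SAMPLE))
```

A report with `complete` set to false should be treated as a failed run rather than as a clean result.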
