
Pete Finnigan's Oracle security weblog




Red Database Security has released a standalone Oracle password cracker

August 22nd, 2005 by Pete


Red Database Security has just let me know that they have released a standalone Oracle password cracker using Eric Young's DES encryption library. There are two downloads available. The first is http://www.red-database-security.com/software/oracle_checkpwd.zip (704KB), which includes the libraries and also a default password list. The second is http://www.red-database-security.com/software/oracle_checkpwd_big.zip (4.7MB), which again includes the libraries and binary and a 1.5 million word dictionary. The tool can be used as follows:


C:\petefinnigan.com\alex\password cracker>checkpwd
Checkpwd 1.00 - (c) 2005 by Red-Database-Security GmbH

usage: checkpwd <-quiet>
for example: checkpwd -quiet system/manager@mydbserver default_passwords.txt
or: checkpwd SCOTT:F894844C34402B67 default_passwords.txt


You can either connect to the database and let the tool read the password hash from there, or supply the hash on the command line. Here is a sample run:


SQL> alter user scott identified by zztop;

User altered.

SQL> select username,password from dba_users
2 where username='SCOTT';

USERNAME PASSWORD
------------------------------ ------------------------
SCOTT C602545F6676B420

SQL>


The password hash can then be used as input to the tool:


C:\petefinnigan.com\alex\big_password_check>checkpwd SCOTT:C602545F6676B420 password_list.txt
Checkpwd 1.00 - (c) 2005 by Red-Database-Security GmbH

opening weak password list file
reading weak passwords list
checking passwords
SCOTT has weak password zztop

Done. Summary:
Passwords checked : 1543885
Weak passwords found : 1
Elapsed time (min:sec) : 0:11
Passwords / second : 140353



It is quite fast at 140,000 passwords per second: not as fast as the commercially available crackers, but leagues better than using PL/SQL-based tools to audit passwords. I will add links to these tools on my Oracle Security Tools page.
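What checkpwd is testing against is the legacy Oracle password hash (the DES-based scheme Oracle used up to 10g), and seeing it written out explains the speed: username and password are upper-cased and joined, the username is the only salt, and each guess costs just two DES-CBC passes under a fixed, public first-stage key. The following is an added illustration in Go using the standard library's DES, not code from Red Database Security or from this weblog; it assumes ASCII usernames and passwords and uses a small constructed candidate list in place of checkpwd's dictionary, so an auditor can reproduce the SCOTT hashes shown above on their own accounts.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// desCBCLastBlock runs DES-CBC with a zero IV and keeps only the final
// ciphertext block, which is all the Oracle scheme uses from each pass.
func desCBCLastBlock(key, data []byte) []byte {
	block, _ := des.NewCipher(key) // key is always 8 bytes here
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(out, data)
	return out[len(out)-8:]
}

// OracleHash returns the value stored in DBA_USERS.PASSWORD on Oracle 7 to
// 10g: upper-cased username+password (ASCII assumed) widened to 2 bytes/char,
// zero-padded to 8, DES-CBC under a fixed key to derive key2, DES-CBC again.
func OracleHash(username, password string) string {
	s := strings.ToUpper(username + password)
	buf := make([]byte, 0, 2*len(s)+8)
	for i := 0; i < len(s); i++ {
		buf = append(buf, 0, s[i])
	}
	for len(buf)%8 != 0 {
		buf = append(buf, 0)
	}
	key2 := desCBCLastBlock([]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, buf) // fixed public key
	return strings.ToUpper(hex.EncodeToString(desCBCLastBlock(key2, buf)))
}

// CheckWeak reports the first candidate in list that produces hash, or "".
func CheckWeak(username, hash string, list []string) string {
	for _, p := range list {
		if OracleHash(username, p) == strings.ToUpper(hash) {
			return p
		}
	}
	return ""
}

func main() {
	// Constructed sample list; a real audit would use checkpwd's dictionary.
	fmt.Println(CheckWeak("SCOTT", "C602545F6676B420", []string{"manager", "tiger", "zztop"}))
}
```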



This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
