Pete Finnigan's Oracle security weblog



02/07/2008: "A default password script and a cracker helper script"


I subscribe to the pentest list on SecurityFocus, and a recent thread around Oracle password crackers threw up links to a couple of small scripts that are worth a mention simply to keep a record of them here.

The first is a default password script that uses a similar style to the one I originally wrote for pentest and that Mark took over. It also uses the contents of my Oracle default password list from this site. For completeness I would also include the contents of the Oracle default password check script.

The twist is that it generates an alter script, run at the end, which prompts you for a new password for each default user found. The script is called Oracle-chngdef.sql and is available from the US military STIGs site. A sample run on a test system here generated:

set verify off
alter user CTXSYS identified by &CTXSYS;
alter user DBSNMP identified by &DBSNMP;
alter user HR identified by &HR;
alter user HR identified by &HR;
alter user MDSYS identified by &MDSYS;
alter user ODM identified by &ODM;
alter user ODM_MTR identified by &ODM_MTR;
alter user OE identified by &OE;
alter user OLAPSYS identified by &OLAPSYS;
alter user ORDPLUGINS identified by &ORDPLUGINS;
alter user ORDSYS identified by &ORDSYS;
alter user OUTLN identified by &OUTLN;
alter user PM identified by &PM;
alter user QS identified by &QS;
alter user QS_ADM identified by &QS_ADM;
alter user QS_CB identified by &QS_CB;
alter user QS_CBADM identified by &QS_CBADM;
alter user QS_CS identified by &QS_CS;
alter user QS_ES identified by &QS_ES;
alter user QS_OS identified by &QS_OS;
alter user QS_WS identified by &QS_WS;
alter user RMAN identified by &RMAN;
alter user SH identified by &SH;
alter user WKPROXY identified by &WKPROXY;
alter user WKSYS identified by &WKSYS;
alter user WMSYS identified by &WMSYS;
alter user XDB identified by &XDB;

The second script is a helper script by Marco Ivaldi to run check_pwd and to parse out the results at the end of the run. It's a simple shell script and it simply removes all the additional text generated by the cracker. I have a similar manual process that I use on orabf or woraauthbf, depending on which I used at the time. I use Cygwin for a command line so that I have access to a bash shell on Windows. The script is called oracrack.
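The two scripts above are not reproduced here, so the following is an added example (not Pete Finnigan's code, not oracrack and not the STIG Oracle-chngdef.sql) that shows the shape of both jobs in one small POSIX shell script: a filter that strips a cracker's progress noise down to "USER PASSWORD" pairs, and a generator that turns the resulting user list into a SQL*Plus change script of exactly the form shown in the sample output above. The cracker output format it parses ("found: USER:plaintext") is constructed for the example; check_pwd, orabf and woraauthbf each print differently, so the sed pattern is the part to adapt.

```shell
#!/bin/sh
# Added example, not code from the post or the tools it mentions.
# The "found: USER:plaintext" line format below is CONSTRUCTED for this
# demonstration; adjust the sed expression to the real cracker's output.

# Keep only the lines that report a cracked account, emit "USER PASSWORD",
# and drop repeats (a default list can match the same user more than once,
# which is how a user such as HR can appear twice in the sample output).
extract_cracked() {
    sed -n 's/^found: \([A-Z0-9_$#]*\):\(.*\)$/\1 \2/p' | sort -u
}

# Read "USER PASSWORD" pairs on stdin and print a SQL*Plus script that
# prompts for a new password per user through a substitution variable
# (&USER), the same mechanism the post's generated script relies on.
gen_chngdef() {
    printf 'set verify off\n'
    awk '!seen[$1]++ { printf "alter user %s identified by &%s;\n", $1, $1 }'
}

# Constructed sample of a cracker run: progress noise around the hits.
SAMPLE='checking 42 accounts...
found: DBSNMP:dbsnmp
progress 10%
found: HR:hr
found: HR:hr
found: OUTLN:outln
done.'

# Run the two stages end to end and print the change script.
run_demo() {
    printf '%s\n' "$SAMPLE" | extract_cracked | gen_chngdef
}

run_demo
```

Usage: `oracrack-like-tool | extract_cracked | gen_chngdef > chngdef.sql`, then run chngdef.sql from SQL*Plus as a DBA. Two caveats when running the generated script: SQL*Plus substitution must be on (`set define on`, the default) or `&HR` is taken literally as the new password rather than prompting for one; and if the passwords you type contain characters that are not valid in an unquoted identifier, the generated line needs `identified by "&HR"` rather than the bare form shown in the sample.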

