Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Designing application and code to use the minimum privileges"] [Next entry: "Oracle Security Masterclass slides available"]

A new Oracle Password cracker that runs inside the database



I wrote an Oracle password cracker completely in PL/SQL some time ago and have been using it on Oracle Database Security audits as a good starting point to test the strength of Oracle database passwords. Of course I will not abandon tools such as Laszlo Toth's excellent woraauthbf as the sheer speed from it is necessary to check true password strength.

So why write a tool completely in PL/SQL?

A number of reasons really. I wanted to have a tool that just runs and checks the basics without extracting password hashes, usernames etc from the database. I know checkpwd connects to the database and also that woraauthbf will do so soon as well (I am writing some OCI code for Laszlo to allow this, just not much time recently to complete it..:-( )

Any binary based tool, is well a binary.... it needs an Oracle client that works out of the box, the instant client often requires some tweaking to make it work. If the tool doesnt connect to the database you need to gather the usernames/hashes first. Just running with no dependancies is attractive.

In the olden days before C based crackers were freely available the only free Oracle passwords crackers were PL/SQL based (the most popular was the bear dang one that did brute force checks and the Adam Martin one that did a dictionary attack) but they all used the ALTER USER command to alter the users password in the database for each password guess and then compared the hash generated. This has a number of issues, the first is that the database is altered (any security tool should not alter the software or data being checked), any password management would become locked or would need to be removed, any triggers, audit etc would be affected.....more.....

I wanted to see if its possible to write a PL/SQL based password cracked in PL/SQL that doesnt use ALTER USER commands but actually implements the encryption routines so that any password can be checked. Also I wanted the tool to be an anonymous block in PL/SQL so that it can be run from any client with no external or internal dependancies in the database.

Let's take a look at it running and then discuss it:



SQL> @cracker-v2.0.sql
cracker: Release 2.0.1.0.0 - Alpha on Fri Aug 29 16:28:24 2008
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username Password CR FL STA
=======================================================

U SYS [ORACLE1 ] DI CR OP
U SYSTEM [ORACLE1 ] DI CR OP
U OUTLN [OUTLN ] DE CR EL
U DIP [DIP ] DE CR EL
U TSMSYS [TSMSYS ] PU CR EL
U ORACLE_OCM [ORACLE_OCM ] PU CR EL
U XDB [CHANGE_ON_INSTALL ] DE CR EL
R GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP
U DBSNMP [ORACLE1 ] DI CR OP
U WMSYS [WMSYS ] DE CR EL
U EXFSYS [EXFSYS ] DE CR EL
U CTXSYS [CHANGE_ON_INSTALL ] DE CR EL
U XS$NULL [ ] -- -- EL
U ANONYMOUS [IMP {anonymous} ] IM CR EL
R SPATIAL_WFS_ADMIN [SPATIAL_WFS_ADMIN ] PU CR OP
U ORDSYS [ORDSYS ] DE CR EL
U ORDPLUGINS [ORDPLUGINS ] DE CR EL
U SI_INFORMTN_SCHEMA [SI_INFORMTN_SCHEMA ] DE CR EL
U MDSYS [MDSYS ] DE CR EL
U OLAPSYS [ ] -- -- EL
U MDDATA [MDDATA ] DE CR EL
U HR [CHANGE_ON_INSTALL ] DE CR EL
U SPATIAL_WFS_ADMIN_US [SPATIAL_WFS_ADMIN_US] PU CR EL
R WFS_USR_ROLE [WFS_USR_ROLE ] PU CR OP
R SPATIAL_CSW_ADMIN [SPATIAL_CSW_ADMIN ] PU CR OP
U SPATIAL_CSW_ADMIN_US [SPATIAL_CSW_ADMIN_US] PU CR EL
R CSW_USR_ROLE [CSW_USR_ROLE ] PU CR OP
U WKSYS [CHANGE_ON_INSTALL ] DE CR EL
U WKPROXY [CHANGE_ON_INSTALL ] DE CR EL
U WK_TEST [WK_TEST ] DE CR EL
U SYSMAN [ORACLE1 ] DI CR OP
U MGMT_VIEW [ ] -- -- OP
U FLOWS_FILES [ ] -- -- EL
U APEX_PUBLIC_USER [ ] -- -- EL
U FLOWS_030000 [ ] -- -- EL
U OWBSYS [OWBSYS ] PU CR EL
R OWB$CLIENT [S ] BF CR OP
R OWB_DESIGNCENTER_VIE [S ] BF CR OP
U SCOTT [TIGER ] DE CR OP
U OE [CHANGE_ON_INSTALL ] DE CR EL
U IX [CHANGE_ON_INSTALL ] DE CR EL
U SH [CHANGE_ON_INSTALL ] DE CR EL
U PM [CHANGE_ON_INSTALL ] DE CR EL
U BI [CHANGE_ON_INSTALL ] DE CR EL
U PETE [PETE ] DE CR OP
U BILL [BILL ] PU CR OP
U A [A ] PU CR OP
U B [B ] PU CR OP
U C [C ] PU CR OP
U RES_TEST [RES_TEST ] PU CR OP
U P1 [P1 ] PU CR OP
U P2 [P2 ] PU CR OP
U XX [123456 ] DI CR OP
U ORASCAN [ORASCAN ] PU CR OP
U IMPOSS [IMP {imposs123456789] IM CR OP
U D [ ] -- -- OP


INFO: Number of crack attempts = [4344517]
INFO: Elapsed time = [328.94 Seconds]
INFO: Cracks per second = [13200]

PL/SQL procedure successfully completed.

SQL>




The script runs fairly fast for a PL/SQL script, its no where near as fast as a C based approach but thats not its intention. My intention was to have a script that runs fast enough to check:


  • username=password

  • password=known default

  • password=simple word

  • known hash but not cracked

  • simple brute force



What do the columns mean? - the first means 'U'ser or 'R'ole, the second is the name, the third the cracked password, if its an impossible password it says so, if its EXTERNAL or GLOBAL it says so and also if we know its a default hash but don't know the password it says. The CR column defines the mode of being cracked, PU => pass=username, DE => default password, DI => dictionary word, BF => brute force, IM => impossible password. The FL column is CRacked or not, the final colum is the account status.

The release code will include more account analysis.

Then the idea is to output the relevant input for worauthbf. The key aim of this script is to allow people to easily check their databases for the worst sins that can be aimed at passwords, i.e. very simple passwords. I am starting to see a number of sites cracking passwords for their databases in an attempt to strengthen passwords. This sqlplus script will make that process much easier.

The speed is not bad, between 13,000 and 16,000 hashes per second, its not the 1.2Million hashes per second with woraauthbf BUT remember that i am testing on a laptop, this code will actually run on your production database server, thats not as easy to do with a binary based approach and also its not the intention to replace woraauthbf, its an attempt to get people to test the basics more easily.

If anyone would like this script then I will release the code next week after I have tidied it up and added some extra bits I want to add. So please watch out for a post next week with the code in it.

There has been 3 Comments posted on this article


September 22nd, 2008 at 06:35 pm

Stephen Andert says:

This looks like a cool program. Any updates on when you will be posting it?

cracker-v2.0.sql

Thanks



September 29th, 2008 at 12:39 pm

Oscar says:

Hi Pete
add me to the list (of people who are interested).
Thanks



September 30th, 2008 at 06:23 am

Rama says:

Hi Pete,

I am also interested in this program.

Thank you,
Rama Nalam