Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "12.2 is Available For Download For Linux And Solaris"] [Next entry: "Validating The Length Of An Oracle Database Hashed password?"]

Default Password Hashes for 11g Oracle Database



I often get Oracle Security related questions from people randomly sent to my inbox or occasionally on Social media and less on on this sites forum. I get questions on average probably 4 times per week in these ways. I try and answer some of them or point the poster in the right direction and at least respond. It may take some time though as I am a very busy person. I also think that some questions are generally interesting and worthy of a blog post.

So, this week Priya K R emailed me and said that they looked at my Oracle Default Password List Page BUT where were the 11g default password hashes? Could I point to a list of 11g default password hashes.

There is not a list as the password algorithms have now changed a few times in the versions of Oracle released. In the versions from Oracle 6 until 10g (and continuing onto 12c but in parallel with others) was the DES based password hash algorithm. This is a hash (one way function) but using the DES encryption algorithm. In 11g R1 there was a new SHA1 algorithm added; this also required a SALT to be used to make each password hash different. So is a user used the password MIKE in one database the hash would be different to a password of MIKE in a different database. There is also the difference that in the DES algorithm the username is effectively the SALT as the username and password are concatenated; in 11gR1 the hash is only of the password. There is a third new algorithm in 12.1.0.2 based on SHA2 and other looping concepts to make the algorithm slow to reject password cracking. Finally since 12.1.0.1 there is also a HTTP Digest which by default is MD5.

So, there is no list of password hashes for 11g because the hashes should be different BUT if a database starts from a SEED then in this case where the passwords are the same in the SEED then the 11g hashes can be the same in every database built from the SEED until its changed. the SALT matters. There is a view in the database under the SYS schema called DBA_USERS_WITH_DEFPWD:


SQL> desc dba_users_with_defpwd
Name Null? Type
----------------------------------------- -------- ----------------------------
USERNAME NOT NULL VARCHAR2(30)


This view can test default passwords that exit in a database. If a user has a default password then in MOST cases bit 16 is set to 16 in the account status; there are some cases where this flag may not have been set yet. Running a query shows some users with a default password in my 11.2.0.4 database:


SQL> select * from dba_users_with_defpwd;

USERNAME
------------------------------
MDSYS
PETE
SPATIAL_WFS_ADMIN_USR
CTXSYS
OLAPSYS
OUTLN
SPATIAL_CSW_ADMIN_USR
ORACLE_OCM
MDDATA
ORDPLUGINS
ORDSYS
APPQOSSYS
ORDDATA
XDB
SI_INFORMTN_SCHEMA
WMSYS


This also has issues. As you can see the user PETE supposedly has a default password. The user PETE may be a default in some application supported by Oracle. The view DBA_USERS_WITH_DEFPWD uses a base table DEFAULT_PWD$ that holds details of default passwords:


SQL> desc default_pwd$
Name Null? Type
----------------------------------------- -------- ----------------------------
USER_NAME VARCHAR2(128)
PWD_VERIFIER VARCHAR2(512)
PV_TYPE NUMBER


And there are 843 of them in my 11.2.0.4 database:


SQL> select count(*) from default_pwd$;

COUNT(*)
----------
843
SQL>


Some applications may have default accounts that have the same names as users that are not defaults. In my case my name is PETE and I created the account PETE with a password of PETE so it shows up BUT it is for sure not a default user in my database. The code of the view also reveals some details:


SQL> select text from dba_views where view_name='DBA_USERS_WITH_DEFPWD'
SQL> /

TEXT
--------------------------------------------------------------------------------
SELECT DISTINCT u.name
FROM SYS.user$ u, SYS.default_pwd$ dp
WHERE
(u.type# = 1
AND bitand(u.astatus, 16) = 16
AND dp.pv_type >= 0
) OR
(u.type# = 1
AND u.password = dp.pwd_verifier
AND u.name = dp.user_name
AND dp.pv_type = 0)


This view text also reveals that DES password hashes are checked if the default user has not had the flag set when the default password was changed to a default - the SYS.USER$.PASSWORD column. Again not a perfect solution if the DES password has been removed by forcing a later protocol to be used.

We could also test for default passwords using a password cracker. In this case we do not consider the flag to be set on account_status, if it was set when the default password was changed to a default and we can also consider 11g passwords that are defaults. To do this we need a list of default passwords. The list mentioned at the start of this post was created many years ago and was the biggest list at the time. Since that time I have done a lot of searching for Oracle default passwords and I have installed all versions (or got hold of existing versions) of Oracle from 6 through to 12c and search sample seed databases, non-seed databases, software installed on the server, documents and files. I have found thousands of username/password pairs - over 8000 in fact and from these I have extracted a distinct list of known default passwords; some 1450 or so passwords. I have not used the pairs or considered hashes. These passwords have been added to PFCLScan our commercial database security scanner and also to a free PL/SQL based password cracker that we use in our training classes on how to perform a security audit of an Oracle database. A sample execution is shown here:


SQL> @cracker-v2.8.sql
PL/SQL cracker: Release 2.8.0.0.0 - Production on Tue Mar 14 18:12:00 2017
Copyright (c) 2008 - 2015 PeteFinnigan.com Limited. All rights reserved.

T [Username ] [Password (10g) ] [Password (11g) ] FL ST
================================================================================================================

U [SYS ] [ORACLE1 ] [oracle1 ] DI OP
U [SYSTEM ] [ORACLE1 ] [oracle1 ] DI OP
U [OUTLN ] [OUTLN ] [outln ] PU EL
U [ORACLE_OCM ] [OCM_3XP1R3D ] [OCM_3XP1R3D ] DE EL
U [APPQOSSYS ] [APPQOSSYS ] [APPQOSSYS ] PU EL
U [WMSYS ] [WMSYS ] [wmsys ] PU EL
U [XS$NULL ] [ ] [ ] -- EL
U [CTXSYS ] [CHANGE_ON_INSTALL ] [change_on_install ] DE EL
U [XDB ] [CHANGE_ON_INSTALL ] [change_on_install ] DE EL
U [ORDSYS ] [ORDSYS ] [ordsys ] PU EL
U [ORDDATA ] [ORDDATA ] [orddata ] PU EL
U [ORDPLUGINS ] [ORDPLUGINS ] [ordplugins ] PU EL
U [SI_INFORMTN_SCHEMA ] [SI_INFORMTN_SCHEMA ] [si_informtn_schema ] PU EL
U [MDSYS ] [MDSYS ] [mdsys ] PU EL
U [OLAPSYS ] [NO_PASSWORD ] [no_password ] DE EL
U [MDDATA ] [MDDATA ] [MDDATA ] PU EL
U [SPATIAL_WFS_ADMIN_USR ] [SPATIAL_WFS_ADMIN_USR ] [spatial_wfs_admin_usr ] PU EL
U [SPATIAL_CSW_ADMIN_USR ] [SPATIAL_CSW_ADMIN_USR ] [spatial_csw_admin_usr ] PU EL
U [OWBSYS ] [TEMP ] [TEMP ] DE EL
U [OWBSYS_AUDIT ] [TEMP ] [TEMP ] DE EL
R [OWB$CLIENT ] [S ] [s ] DE OP
U [USER05 ] [ ] [ ] -- OP
U [ORABLOG ] [ORABLOG ] [orablog ] PU LO
U [FRED ] [FRED ] [fred ] PU OP
U [BILL ] [BILL ] [bill ] PU OP
U [JIM ] [JIM ] [jim ] PU OP
U [USER01 ] [ ] [ ] -- OP
U [USER02 ] [ ] [ ] -- OP
U [USER03 ] [ ] [ ] -- OP
U [USER04 ] [ ] [ ] -- OP
U [LOG4 ] [LOG4 ] [log4 ] PU OP
U [USER06 ] [ ] [ ] -- OP
U [USER07 ] [ ] [ ] -- OP
U [BACK01 ] [BACK01 ] [back01 ] PU EG
U [BATCH01 ] [BATCH01 ] [batch01 ] PU OP
U [FEED01 ] [FEED01 ] [feed01 ] PU OP
U [DEV01 ] [DEV01 ] [dev01 ] PU OP
U [DEV02 ] [DEV02 ] [dev02 ] PU OP
U [DEV03 ] [DEV03 ] [dev03 ] PU OP
U [RISK01 ] [RISK01 ] [risk01 ] PU OP
U [ILO ] [ILO ] [ilo ] PU OP
U [PETE ] [PETE ] [pete ] PU OP
U [ERIC ] [ERIC ] [eric ] PU OP
U [JSON ] [JSON ] [json ] PU OP
U [PFTEST ] [PFTEST ] [pftest ] PU OP
U [CORE ] [CORE ] [core ] PU OP
U [TKT_DEV ] [TKT_DEV ] [TKT_DEV ] PU OP
U [TKT_TEST ] [TKT_TEST ] [TKT_TEST ] PU OP
U [TKT ] [TKT ] [TKT ] PU OP
U [SEED ] [SEED ] [seed ] PU OP
U [EMIL ] [EMIL ] [emil ] PU OP
U [ZULIA ] [ZULIA ] [zulia ] PU OP
U [ORABLOG_SCHEMA ] [ORABLOG_SCHEMA ] [orablog_schema ] PU OP
U [FACADM ] [FACADM ] [facadm ] PU EG
U [USERGRANT1 ] [USERGRANT1 ] [usergrant1 ] PU OP
U [USERGRANT2 ] [USERGRANT2 ] [usergrant2 ] PU OP
U [USERGRANT3 ] [USERGRANT3 ] [usergrant3 ] PU OP
U [UU ] [UU ] [uu ] PU OP
U [ORABLOGDBA ] [ORABLOGDBA ] [orablogdba ] PU OP
U [dev.xx();-- ] [ ] [ ] -- OP
U [SQL92 ] [SQL92 ] [sql92 ] PU OP
U [HH ] [HH ] [hh ] PU OP
U [SHAREDDBA ] [IMP {--locked--} ] [ ] IM OP
U [DBACLIENT1 ] [DBACLIENT1 ] [dbaclient1 ] PU OP
U [DBACLIENT2 ] [DBACLIENT2 ] [dbaclient2 ] PU OP
U [BOF_SCHEMA ] [BOF_SCHEMA ] [bof_schema ] PU OP
U [VU ] [ ] [ ] -- OP
U [VA ] [ ] [ ] -- OP
U [VB ] [ ] [ ] -- OP
U [CCADMIN ] [CCADMIN ] [ccadmin ] PU OP
U [CCKEY ] [ ] [ ] -- OP
U [SFTK ] [SFTK ] [sftk ] PU OP
U [DEV ] [ ] [ ] -- OP
U [ATK ] [ATK ] [atk ] PU OP
U [ATKD ] [ATKD ] [atkd ] PU OP
R [ATK_ADMIN ] [ATK_ADMIN ] [atk_admin ] PU OP
R [ATK_REPORT ] [ATK_REPORT ] [atk_report ] PU OP
U [ATKA ] [ATKA ] [atka ] PU OP
U [ATKR ] [ATKR ] [atkr ] PU OP
U [DBAUSER ] [ ] [ ] -- OP


INFO: Number of crack attempts = [45495]
INFO: Elapsed cracking time = [.67 Seconds]
INFO: Total elapsed time = [.67 Seconds]
INFO: Cracks per second = [67900]

PL/SQL procedure successfully completed.

SQL>


The output shows whether the account is a User or a Role and also shows the name, DES password, 11g password and also how it was cracked - DE= DEFAULT, BF=Brute Force, DI=Dictionary Word, PU= Password=Username. Again the problem is that if a non default user has a default password it will show up. We also have a script called use_any-11.sql that extracts permissions at a summary level for all users / Oracle users (defaults) or customer users. A sample is shown here:


SQL> @use_anl-11



use.sql: Release 2.2.0.0.0 - Production on Tue Mar 14 18:15:54 2017
Copyright (c) 2007, 2009, 2016 PeteFinnigan.com Limited. All rights reserved.

OUTPUT FLAG [A|O|C] [A]: O
NUMBER OF USERS [200]:

Typ Rol RSO Sys Ob Tab PL USER
================================================================================
ADM 58 200 10 1018 1483 SYS
ADM 3 5 218 167 7 SYSTEM
DEF 1 3 1 3 1 OUTLN
DEF 0 1 59 0 6 ORACLE_OCM
DEF 0 3 11 4 0 APPQOSSYS
DEF 3 30 14 44 52 WMSYS
DEF 2 9 53 50 141 CTXSYS
DEF 3 10 501 32 79 XDB
DEF 1 1 1046 5 87 ORDSYS
DEF 0 1 0 73 0 ORDDATA
DEF 0 0 5 0 10 ORDPLUGINS
DEF 0 1 0 0 0 SI_INFORMTN_SCHEMA
DEF 2 20 24 129 254 MDSYS
DEF 2 13 44 126 89 OLAPSYS
DEF 2 1 0 0 0 MDDATA
DEF 3 8 268 0 0 SPATIAL_WFS_ADMIN_USR
DEF 3 8 144 0 0 SPATIAL_CSW_ADMIN_USR
DEF 10 22 44 1 0 OWBSYS
DEF 0 2 0 0 0 OWBSYS_AUDIT
DEF 0 0 0 0 0 XS$NULL
================================================================================
Typ Rol RSO Sys Ob Tab PL USER

PL/SQL procedure successfully completed.

For updates please visit http://www.petefinnigan.com/use.sql

SQL>


We can combine the output for both and compare cracked passwords to users that are actually defaults.

Nothing is perfect in checking default passwords but the issue is really not just defaults but also all weak passwords; there should be none. Also default passwords are just the start; its OK to recognise default passwords or weak passwords BUT we also need to design profiles, life times, verify functions, enforce password changes, encrypted connections (ssl, ssh, etc) and much more. A weak password is simple to spot but it is harder to enforce strong passwords.

Good luck.