Oracle Default Password Auditing Tool
This page hosts a simple command line tool that can be used to check if any default users are installed in your database and more importantly whether those default users still have their default passwords set to known values. The tool was originally created by Marcel-Jan Krijgsman who works for Transfer Solutions in Holland and he has kindly allowed me to host this tool here on my site.
The Problem
This is a command line based tool for checking Oracle default users and their passwords in your database. The problem of default users and passwords is well known for most software applications but is a particularly large problem for Oracle databases and associated products and features. There are literally hundreds of known default users and passwords. This tool includes a list of 474 known users (recently updated to include 600 default Oracle users) and their passwords. Why is this an issue? Simply because these users are quite often installed in a database. They come from Oracle supplied scripts, from well known third party business applications and tools, and also from books, documentation and papers. Some software insists on having a certain user created with a certain password. If you happen to run this software (I am talking generally here) and do not know how to change the password, or the supplier insists it cannot be changed, then you have problems. This is exacerbated when these default users also have excess privileges. Guessing usernames and passwords is the simplest way for a hacker, a malicious employee or even a bored employee to access your data. You owe it to your business to use a tool like this regularly.
Authorship and Credit
The original scripts and the original default password list were created by Marcel-Jan Krijgsman who works for Transfer Solutions. All updates and modifications to the check tool have been done by Pete Finnigan; details are listed below. The default password list was substantially updated by Pete Finnigan in Nov 2004 to include about 600 default Oracle users. For any update suggestions or problems, please email default@petefinnigan.com in the first instance.
The files
Before we discuss how the scripts and tool work, let's run through the files that are included in the download package. These are as follows:
- osp_install.sql: This script is used to install the complete package. It first installs the user, then the table, the package and the data. It does this by running the individual install scripts listed below.
- osp_install_user.sql: This script creates a database user called ORAPROBE that owns the table and package procedure used. The script prompts for a password and also a default and temporary tablespace.
- osp_install_pack.sql: This script creates the main database package procedure OSP_PACK that is used to run the checks.
- osp_install_tab.sql: This script creates the database table that is used to hold the details of each default user.
- osp_install_data.sql: This script installs the data that lists each default user and the details for them. The script is derived from the spreadsheet included in the archive.
- osp_exec.sql: This is the main script. It is run in SQL*Plus as the ORAPROBE user account. The script first builds the name of the spool file for capturing the output, then spools to it before calling the OSP_PACK.DEFAULT_PASS_CHECK procedure to check for all of the default users in the table created from the spreadsheet.
- osp_exec_accounts.sql: This script is called by osp_exec.sql and this script actually runs the package procedure.
- readme.txt: A file that describes the files in the archive. The same contents as this list here.
- Oracle default password hashes.xls: This is a spreadsheet of known Oracle default users and their passwords. This list was derived by Marcel-Jan from a list compiled by Justin Williams. The original sources are indicated by Marcel-Jan in the spreadsheet. For each entry the spreadsheet includes the username, password, security level (based on the privileges of the user), password hash and a description of the user. The final column also includes an SQL statement that can be used to install the list into an Oracle database as part of this tool.
Output Files
The tool creates two output files. The first is osp_exec.lis, which simply defines the name of the second file; the second records the details of the run. Its filename is of the form osp_accounts_sans.us.oracle.com_200410261150: the first part is fixed, the second part identifies the database instance and the last part is the date. This means that multiple runs give separate output files.
How Does It Work
The set of scripts written by Marcel-Jan is quite simple to use and also quite simple in concept. The default usernames and their password hashes are loaded into a database table in the database being checked. The package procedure then loops through all the users in the database, checks whether each one exists in the list of default users and, if so, compares the stored password hash with the known default hash. If there is a match, the fact is reported and the details of the default user are emitted.
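To make the comparison concrete, here is the core check written as plain SQL. This is an added illustration, not the tool's own code: the OSP_ACCOUNTS table name is taken from the change history, but its column names, the sample rows and the hash values are assumptions and placeholders.

```sql
-- Added illustration (not OSP_PACK.DEFAULT_PASS_CHECK itself): the comparison
-- the tool performs, expressed as a single query. Column names are assumed;
-- the hash values below are placeholders, not real Oracle password hashes.
CREATE TABLE osp_accounts (
  username    VARCHAR2(30)   NOT NULL,   -- default account name
  password    VARCHAR2(30),              -- known default password (clear text)
  hash_value  VARCHAR2(30)   NOT NULL,   -- hash Oracle stores for user/password
  sec_level   NUMBER(1),                 -- assumed scale: 1 = low, 5 = DBA-like
  description VARCHAR2(2000)
);

-- Constructed sample rows. Oracle derives the stored hash from both the
-- username and the password, so every row carries its own hash value.
INSERT INTO osp_accounts VALUES
  ('SYS',    'CHANGE_ON_INSTALL', 'PLACEHOLDER_HASH_SYS',    5, 'Most powerful management account');
INSERT INTO osp_accounts VALUES
  ('SCOTT',  'TIGER',             'PLACEHOLDER_HASH_SCOTT',  2, 'Training account');
INSERT INTO osp_accounts VALUES
  ('DBSNMP', 'DBSNMP',            'PLACEHOLDER_HASH_DBSNMP', 3, 'Intelligent Agent account');
COMMIT;

-- The check: an account is flagged only when it exists in the database AND
-- its stored hash still equals the known default hash. DBA_USERS.PASSWORD
-- holds the hash in the 9.2 release used in the sample session, and
-- ACCOUNT_STATUS supplies the "Status:" line seen in the output; OPEN accounts
-- with default passwords are the urgent findings.
SELECT u.username,
       d.password,
       u.account_status,
       d.sec_level,
       d.description
FROM   dba_users    u,
       osp_accounts d
WHERE  d.username   = u.username
AND    d.hash_value = u.password
ORDER  BY d.sec_level DESC, u.username;
```

The querying account needs SELECT on DBA_USERS for this to run, which is why the tool installs its own ORAPROBE user. Later Oracle releases no longer expose the hash through DBA_USERS.PASSWORD, so the same check has to read the hash from elsewhere there.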
Download the scripts here
The Oracle default password check scripts can be downloaded here.
The latest version is available from this page on this web site. The scripts are free and the author accepts no responsibility for their use or any issues arising from the use of these scripts.
Change history
This is a brief change history for this set of scripts.
- 1.0 - First release
- 1.1 - readme.txt added to the archive
- 1.2 - changes to archive contents
- a - New MS Excel spreadsheet updated to include 596 default accounts
- b - OSP_ACCOUNTS table altered to represent hash_value column as varchar2(30)
- c - New data file added with 596 default accounts
- 1.3 - Changed the create user script to allow passwords encased in quotes
- 1.4 - Updated the Excel spreadsheet and data install script for the SAP users.
- 1.5 - Corrections and additions to the list
- a - updated 21 default accounts to remove trailing spaces in the data creation scripts
- b - added 2 new default users to the data scripts and spreadsheets
Sample Session
Here is a sample session of running these scripts to show you how the tools work. The test was run against a 9.2.0.1 database on Windows XP.
Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL> @\petefinnigan.com\password\marcel-jan\osp_exec.sql
*********************************************
*                                           *
*   Welcome to the Oracle Security Probe    *
*                                           *
*********************************************
Connectstring (destination database): sans
Password of oraprobe?: ********
Connected.

Oracle accounts with default passwords
======================================

Username: SYS
Password: CHANGE_ON_INSTALL
-----------------------------------------------
WARNING! The password of SYS is a default password. It is well known to hackers
Additional information: SYS is Oracle's most powerful database management account. It allows to read, change and destroy all data in your database.

Username: SYSTEM
Password: MANAGER
-----------------------------------------------
WARNING! The password of SYSTEM is a default password. It is well known to hackers
Additional information: SYSTEM is Oracle's database management account. It allows to read, change and destroy all data in your database.

Username: SCOTT
Password: TIGER
-----------------------------------------------
WARNING! The password of SCOTT is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: DBSNMP
Password: DBSNMP
-----------------------------------------------
WARNING! The password of DBSNMP is a default password. It is well known to hackers
Additional information: DBSNMP is an account for the Oracle Intelligent Agent. Under certain circumstances it allows to read passwords from memory.

Username: QS_ES
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED(TIMED)
-----------------------------------------------
WARNING! The password of QS_ES is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: WMSYS
Password: WMSYS
Status: LOCKED
-----------------------------------------------
WARNING! The password of WMSYS is a default password. It is well known to hackers
Additional information:

Username: ORDSYS
Password: ORDSYS
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of ORDSYS is a default password. It is well known to hackers
Additional information: The account ORDSYS (Oracle Time Series) has a limited number of risky system privileges, amongst which those to use external libraries and run code on the operating system.

Username: ORDPLUGINS
Password: ORDPLUGINS
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of ORDPLUGINS is a default password. It is well known to hackers
Additional information: ORDPLUGINS is an administrative account for Oracle Time Series.

Username: MDSYS
Password: MDSYS
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of MDSYS is a default password. It is well known to hackers
Additional information: The account MDSYS (Oracle Spatial administrator) has DBA-like privileges, which allow to read, change and destroy all data in your database.

Username: CTXSYS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of CTXSYS is a default password. It is well known to hackers
Additional information: CTXSYS (Oracle Text/Intermedia Text/Context option) is an account with DBA privileges and therefor allows to read, change and destroy all data in your database.

Username: XDB
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of XDB is a default password. It is well known to hackers
Additional information:

Username: WKSYS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of WKSYS is a default password. It is well known to hackers
Additional information: WKSYS is an administrative account of Oracle9iAS Ultrasearch.

Username: WKPROXY
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of WKPROXY is a default password. It is well known to hackers
Additional information: WKPROXY is an administrative account of Oracle9iAS Ultrasearch.

Username: ODM
Password: ODM
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of ODM is a default password. It is well known to hackers
Additional information:

Username: ODM_MTR
Password: UNKNOWN
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of ODM_MTR is a default password. It is well known to hackers
Additional information:

Username: OLAPSYS
Password: MANAGER
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of OLAPSYS is a default password. It is well known to hackers
Additional information: OLAPSYS is an administrative account for the OLAP Services option.

Username: RMAN
Password: RMAN
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of RMAN is a default password. It is well known to hackers
Additional information: RMAN is an account for the Oracle Recovery Manager. This account might be misused to write unwanted changes to the database to the backups.

Username: QS_CS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_CS is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: QS_CB
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_CB is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: QS_CBADM
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_CBADM is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: QS_OS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_OS is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: HR
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of HR is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: OE
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of OE is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: PM
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of PM is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: SH
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of SH is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: QS_ADM
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_ADM is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: QS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

Username: QS_WS
Password: CHANGE_ON_INSTALL
Status: EXPIRED & LOCKED
-----------------------------------------------
WARNING! The password of QS_WS is a default password. It is well known to hackers
Additional information: This is a training account. It should not be available in a production environment.

SQL>