   Pete Finnigan's Oracle Security Forum
(Moderator: Pete Finnigan)
   Author  Topic: find out weak passwords best practices  (Read 11479 times)
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it

   
find out weak passwords best practices
« on: Nov 21st, 2005, 2:10pm »

Hi,
I want to write a small script in SQL, eventually Perl, Java or C, to find out weak passwords.
 
My first try is to look in dba_users and try  
connect user/user
for each user. Also connect user/resu
 
Since it is highly critical, my script should display only "Warning : weak password" and not the found password. It should be easy to use, but should not be easily overused to gain illegal access to the database. So a bruteforce engine does not seem to be appropriate, imho. I will not download some "unsupported-by-oracle" binary to do that, because it could make the whole system even more insecure than before, and will never be approved by the customer.
 
Thanks for your advice
Laurent

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Re: find out weak passwords best practices
« Reply #1 on: Nov 21st, 2005, 4:44pm »

Laurent,
 
Instead of looking for users with password=usercode why don't you create a password policy (look at $ORACLE_HOME/rdbms/admin/utlpwdmg.sql) that rejects weak passwords: password=usercode, password=resu, etc.
After defining a password policy you have to expire the passwords to force people to change their passwords.  
If creating a password policy is not a solution to you then let me know as I can provide you with a Perl (using DBD/DBI modules) script to check for weak passwords.
 
Ivan
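The policy suggested in the reply above, as an added example that is not part of the original post and not the code shipped in utlpwdmg.sql: a verify function that rejects password=username and password=reversed username, attached to the default profile, followed by expiring the open accounts. The function name reject_trivial_password, the error numbers and the exclusion of SYS and SYSTEM from expiry are assumptions.

```sql
-- Added example. Create as SYS: a profile can only use a verify function
-- owned by SYS. The name reject_trivial_password is hypothetical.
CREATE OR REPLACE FUNCTION reject_trivial_password (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  -- Compare in upper case so that User/uSER style variants are caught too.
  v_user     VARCHAR2(128) := UPPER(username);
  v_pass     VARCHAR2(128) := UPPER(password);
  v_reversed VARCHAR2(128);
BEGIN
  -- Build the reversed user name (USER -> RESU).
  FOR i IN REVERSE 1 .. LENGTH(v_user) LOOP
    v_reversed := v_reversed || SUBSTR(v_user, i, 1);
  END LOOP;

  IF v_pass = v_user THEN
    raise_application_error(-20001, 'Password is the same as the user name');
  END IF;
  IF v_pass = v_reversed THEN
    raise_application_error(-20002, 'Password is the user name reversed');
  END IF;
  RETURN TRUE;
END;
/

-- Enforce the function for every account that uses the DEFAULT profile.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION reject_trivial_password;

-- The function only runs when a password is set, so existing weak passwords
-- survive until changed. Expire the open accounts to force that change.
-- Review the list first: expiring an application account stops its logins.
BEGIN
  FOR r IN (SELECT username
              FROM dba_users
             WHERE account_status = 'OPEN'
               AND username NOT IN ('SYS', 'SYSTEM')) LOOP  -- assumption
    EXECUTE IMMEDIATE 'ALTER USER '
      || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE)
      || ' PASSWORD EXPIRE';
  END LOOP;
END;
/
```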

Re: find out weak passwords best practices
« Reply #2 on: Nov 21st, 2005, 4:49pm »

A password policy is definitely a must, thanks for the reminder. However, we have over 600 databases here and your Perl script will be greatly appreciated!
 
Regards,
Laurent
tl30@zkb.ch

Re: find out weak passwords best practices
« Reply #3 on: Nov 21st, 2005, 5:02pm »

I'd suggest not performing a connect attempt for each user lest you lock them out. Even if it doesn't, this'll just confuse the audit trail (and possibly hide attempted break-ins).
When you say, "I will not download some `unsupported-by-oracle` binary" I take it that means you can't use a commercial/free Oracle password cracker. If you can, NGSSQuirreL http://www.ngssoftware.com/squirrelora.htm supports the option for _not_ showing the password if cracked - we added this for those using the tool for Sarbanes Oxley compliance.
HTH,
David Litchfield

Re: find out weak passwords best practices
« Reply #4 on: Nov 21st, 2005, 5:20pm »

Thanks David, I will try to suggest this software to my customer as an alternative to a Perl script

Re: find out weak passwords best practices
« Reply #5 on: Nov 22nd, 2005, 8:07am »

David, your advice not to try a connection is sound.

If I want to write a script that compares hashes, how should I start?

I could imagine the following:

1) select databasename, username, password in every database
2) create user identified by user in a database created for this special purpose
3) compare the hashes and reveal weak database/users
4) create user identified by "dictionary word"
5) compare the hashes
...
 
Or what is the best way to see if
 
user1/user1 matches user1/BBE7786A584F9103  
 
without trying the connection?
 
I am using AIX and I am not allowed to try "external software" on my PC

Re: find out weak passwords best practices
« Reply #6 on: Nov 22nd, 2005, 4:14pm »

One more try, feedback welcome:
 
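declare
    -- c1: every account whose name is all upper case
    cursor c1 is select username u from dba_users where username=upper(username);
    -- c2: names that appear twice with the same hash, i.e. a real account
    -- and the lower-case twin created for it below
    cursor c2 is select upper(username) u from dba_users group by upper(username),password having count(*)>1;
begin
    -- create a lower-case twin of each account with password = user name
    for r in c1 loop
        execute immediate 'create user "'||lower(r.u)||'" identified by "'||r.u||'"';
    end loop;
    -- report the matches, never the password itself
    for r in c2 loop
        dbms_output.put_line('WARNING: '||r.u||' has a default password');
    end loop;
    -- drop the temporary twins again
    for r in c1 loop
        execute immediate 'drop user "'||lower(r.u)||'"';
    end loop;
end;
/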
 
WARNING: DIP has a default password
WARNING: OUTLN has a default password
WARNING: USER1 has a default password
WARNING: CTXSYS has a default password
WARNING: EXFSYS has a default password
WARNING: GASTON has a default password
WARNING: TSMSYS has a default password
 
 
I am using the concatenation and uppercase property of the algorithm to make that test.

Re: find out weak passwords best practices
« Reply #7 on: Dec 23rd, 2005, 4:45am »

Why don't you take a look at the scanner PeteF wrote in 2001 while still at Pentest Limited?
 
It will check for default usernames/passwords based on auditing the hashvalues in dba_users against a pre-tabulated set of username/hashvalue pairs.
 
It's available at http://www.pentest.co.uk/sql/scanner.sql
 
If you update it with the list of username/password/passwordhash values from this site (Tools/Default Password List) you will pretty much have a tool to audit for default passwords.
 
The benefit is that this is an audit that does not try repeated logon or create and drop users, actions that ought to be audited (by oracle db auditing features) in a production database.  
So you will not set off any alarms !!!!
 
The script further has the benefit of being self-contained, i.e. it doesn't need 'write' access to the database - and it is written in pl/sql so you can review it to make sure it's not doing anything "funny".
 
Oh, BTW it does a few other checks - you can disable those.
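The read-only style of audit described in the reply above, as an added example that is not scanner.sql and not code from the original posts: the hashes in dba_users are compared with a pre-tabulated list of username/hash pairs, and only a warning is reported, never a password. The first pair is the one quoted earlier in this thread; the second row is a constructed placeholder, and the whole list would be replaced with a maintained default password list.

```sql
-- Added example. Assumes DBA_USERS.PASSWORD holds the password hash, as in
-- the databases discussed in this thread. Needs only SELECT on DBA_USERS:
-- no logon attempts, no CREATE USER or DROP USER, nothing written.
WITH known_pairs AS (
  -- username/hash pair as quoted earlier in this thread
  SELECT 'USER1' AS username, 'BBE7786A584F9103' AS pw_hash FROM dual
  UNION ALL
  -- constructed placeholder row, not a real hash
  SELECT 'EXAMPLE_USER', '0000000000000000' FROM dual
)
SELECT 'WARNING: ' || u.username || ' has a known default password'
       || CASE
            WHEN u.lock_date IS NULL THEN ' (account is not locked)'
            ELSE ' (account is locked)'
          END AS finding
  FROM dba_users u
  JOIN known_pairs k
    ON k.username = u.username
   AND k.pw_hash  = u.password
 ORDER BY CASE WHEN u.lock_date IS NULL THEN 0 ELSE 1 END,  -- unlocked first
          u.username;
```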

Re: find out weak passwords best practices
« Reply #8 on: Dec 23rd, 2005, 8:06am »

Thanks for the hint, but I have another approach.

If the users are ADAMS ANONYMOUS BLAKE CLARK CTXSYS DBSNMP DIP DMSYS EXFSYS HR JONES MDDATA MDSYS MGMT_VIEW ODM ODM_MTR OE OLAPSYS ORDPLUGINS ORDSYS OUTLN PERFSTAT PM QS QS_ADM QS_CB QS_CBADM QS_CS QS_ES QS_OS QS_WS SCOTT SH SI_INFORMTN_SCHEMA TSMSYS WK_TEST WKPROXY WKSYS WMSYS XDB, they must be locked, so I do not care about their passwords.

I am looking to check in the database for "weak" passwords. OK, username=password is the weakest, but my method is so slow that I cannot check millions of passwords for each user.

I would like to write a much much much faster gethash(username,password), similar to orabf, but in PL/SQL for example. Then I would be able to compare passwords. This is all my function is about. David's advice about NGS sounds wise, but if NGS can do it, I should also be able to do it.

For the moment, I do not have the time to write my own algorithm, so I am simply checking username=password with my dubious code above...
 
Cheers
Laurent  
 
 
PS: well, the code above revealed a default password for DIP, but in my productive script, I check only for lock_date is null
 
 
declare
    -- c1: only accounts that are not locked are tested
    cursor c1 is select username u from dba_users where username=upper(username) and LOCK_DATE is null;
    -- c2: names that appear twice with the same hash (real account plus its twin)
    cursor c2 is select upper(username) u from dba_users group by upper(username),password having count(*)>1;
begin
    -- temporary profile without a verify function, so password = user name is accepted
    begin
        execute immediate 'create profile verifynull limit PASSWORD_VERIFY_FUNCTION null';
    exception
        when others then
            dbms_output.put_line(sqlerrm);
            dbms_output.put_line(' received while creating profile verifynull');
    end;
    -- create a locked lower-case twin of each account with password = user name
    for r in c1 loop
        begin
            execute immediate 'create user "'||lower(r.u)||'" identified by "'||r.u||'" profile verifynull account lock';
        exception
            when others then
                dbms_output.put_line(sqlerrm);
                dbms_output.put_line(' received while creating user '||lower(r.u));
        end;
    end loop;
    -- report the matches, never the password itself
    for r in c2 loop
        dbms_output.put_line('FATAL: '||r.u||' has a default password');
    end loop;
    -- drop the temporary twins again
    for r in c1 loop
        begin
            execute immediate 'drop user "'||lower(r.u)||'"';
        exception
            when others then
                dbms_output.put_line(sqlerrm);
                dbms_output.put_line(' received while dropping user '||lower(r.u));
        end;
    end loop;
    -- drop the temporary profile
    begin
        execute immediate 'drop profile verifynull';
    exception
        when others then
            dbms_output.put_line(sqlerrm);
            dbms_output.put_line(' received while dropping profile verifynull');
    end;
end;
/