Author |
Topic: Oracle password cracker written in PL/SQL (Read 34977 times) |
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Oracle password cracker written in PL/SQL
« on: Oct 1st, 2008, 9:39am » |
Quote | Modify
|
Hi Guys, I have just released a free Oracle password cracker written completely in PL/SQL on my website. The reason for doing this is to try and encourage people to "test" passwords for strength in their own databases. I am not seeing any real improvements in password strength generally across the industry over the last 8 years. It is not the intention to replace the fast C based crackers such as woraauthbf but instead to suppliment it. In my experience I find that people have not covered the bases yet, that is they still have passwords set to usernames, passwords set to defaults and also extremely weak passwords. I often suggest to people to download binary based crackers but there is often a reticence to do this. Hence I decided to create a PL/SQL based one. This way there is no excuse, its a SQL script that can be run in SQL*Plus and also its going to find the core issues anyway before you need a faster cracker. Some details on how it works and what it does are included in the page http://www.petefinnigan.com/oracle_password_cracker.htm for the cracker. You can also download it from the same page. hope its useful cheers Pete
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Oracle password cracker written in PL/SQL
« Reply #1 on: Oct 29th, 2008, 8:46pm » |
Quote | Modify
|
We just ran your latest version of this tool in a non-production instance. We have 247 accounts and it took about 5 hours for the script to run. We had a few accounts cracked with default passwords (which we'll change!) but no cracks for dictionary words or through brute force. Are the dictionary words used for the dictionary crack attempt limited to the 47 words in the script? What about the brute force crack; how is that working? Would you recommend pointing to an extenal dictionary file with compiled hashes for both dictionary and brute force crack attempts? Thanks!
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Oracle password cracker written in PL/SQL
« Reply #2 on: Nov 5th, 2008, 4:40pm » |
Quote | Modify
|
Hi, Sorry for the delay, I have been working abroad for the last few days. The dictionary included with the cracker is simple. You can easily extend it using any dictionary you can find on the net. An alternate solution is to read in the dictionary from a table in the database. Pre-compiling hashes is not really practical in this case. That is what rainbow tools do in essence. The brute force is only to 4 characters and that part is what took the most of your five hours. This tool is no where near as fast as tools such as woraauthbf and it is not intended to be as I have stated previously the main focus of this tool is to get people to find the basics, i.e. password=username, password=default, password=dictionary word. It is intended to get people to do the checks without the need of a binary tool. You should, once you have started the process with this cracker at some point move to a much faster tool such as woraauthbf. You can change the brute force by changing the number of characters it brute forces to. hope this helps cheers Pete
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Oracle password cracker written in PL/SQL
« Reply #3 on: Nov 13th, 2008, 12:05pm » |
Quote | Modify
|
Hi, I tried to use this cracker but I had some errors from SQLPLUS : SQL> start cracker-v2.0.sql from sys.user$ * ERROR at line 295: ORA-06550: line 295, column 12: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line 289, column 3: PL/SQL: SQL Statement ignored ORA-06550: line 305, column 7: PLS-00364: loop index variable 'LV_USER' use is invalid ORA-06550: line 305, column 4: PL/SQL: Statement ignored ORA-06550: line 310, column 7: PLS-00364: loop index variable 'LV_USER' use is invalid ORA-06550: line 310, column 4: PL/SQL: Statement ignored ORA-06550: line 330, column 8: PLS-00364: loop index variable 'LV_USER' use is invalid ORA-06550: line 330, column 4: PL/SQL: Statement ignored ORA-06550: line 334, column 32: PLS-00364: loop index variable 'LV_USER' use is invalid ORA-06550: line 334, column 4: PL/SQL: Statement ignored ORA-06550: line 335, column 36: PLS-00364: loop index variable 'LV_USER' use is invalid ORA-06550: line 335, column 4: PL/SQL: Statement ignored is it due to my version ? : Oracle9i Release 9.2.0.1.0 - Production PL/SQL Release 9.2.0.1.0 - Production CORE 9.2.0.1.0 Production TNS for Linux: Version 9.2.0.1.0 - Production NLSRTL Version 9.2.0.1.0 - Production Regard
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Oracle password cracker written in PL/SQL
« Reply #5 on: Nov 24th, 2008, 10:37am » |
Quote | Modify
|
Hi, Thanks for your post. Sorry for the delay, I have been working abroad and had no internet access. The problem is simply permissions. Normally, you only need two permissions to run this cracker, this is CREATE SESSION and also SELECT on SYS.USER$: SQL> select * from user_role_privs; no rows selected SQL> select * from user_sys_privs; USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- CRACKER CREATE SESSION NO 1 row selected. SQL> select * from user_tab_privs; GRANTEE OWNER ------------------------------ ------------------------------ TABLE_NAME GRANTOR ------------------------------ ------------------------------ PRIVILEGE GRA HIE ---------------------------------------- --- --- CRACKER SYS USER$ SYS SELECT NO NO 1 row selected. SQL> @cracker-v2.0.sql cracker: Release 1.0.4.0.0 - Beta on Mon Nov 24 10:32:51 2008 Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved. T Username Password CR FL STA ======================================================= U "SYS" [ORACLE1 ] DI CR OP U "SYSTEM" [ORACLE1 ] DI CR OP U "OUTLN" [OUTLN ] DE CR EL U "DIP" [DIP ] DE CR EL U "TSMSYS" [TSMSYS ] PU CR EL U "ORACLE_OCM" [ORACLE_OCM ] PU CR EL U "XDB" [CHANGE_ON_INSTALL ] DE CR EL R "GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP U "DBSNMP" [ORACLE1 ] DI CR OP U "WMSYS" [WMSYS ] DE CR EL U "EXFSYS" [EXFSYS ] DE CR EL U "CTXSYS" [CHANGE_ON_INSTALL ] DE CR EL U "XS$NULL" [ ] -- -- EL U "ANONYMOUS" [IMP {anonymous} ] IM CR EL R "SPATIAL_WFS_ADMIN" [SPATIAL_WFS_ADMIN ] PU CR OP U "ORDSYS" [ORDSYS ] DE CR EL U "ORDPLUGINS" [ORDPLUGINS ] DE CR EL U "SI_INFORMTN_SCHEMA" [SI_INFORMTN_SCHEMA ] DE CR EL U "MDSYS" [MDSYS ] DE CR EL U "OLAPSYS" [ ] -- -- EL U "MDDATA" [MDDATA ] DE CR EL U "HR" [CHANGE_ON_INSTALL ] DE CR EL U "SPATIAL_WFS_ADMIN_U [SPATIAL_WFS_ADMIN_US] PU CR EL R "WFS_USR_ROLE" [WFS_USR_ROLE ] PU CR OP R "SPATIAL_CSW_ADMIN" [SPATIAL_CSW_ADMIN ] PU CR OP U "SPATIAL_CSW_ADMIN_U [SPATIAL_CSW_ADMIN_US] PU CR EL R "CSW_USR_ROLE" [CSW_USR_ROLE ] PU CR OP U "WKSYS" [CHANGE_ON_INSTALL ] DE CR EL U "WKPROXY" [CHANGE_ON_INSTALL ] DE CR EL U "WK_TEST" [WK_TEST ] DE CR EL U "SYSMAN" [ORACLE1 ] DI CR OP U "MGMT_VIEW" [ ] -- -- OP U "FLOWS_FILES" [ ] -- -- EL U "APEX_PUBLIC_USER" [ ] -- -- EL U "FLOWS_030000" [ ] -- -- EL U "OWBSYS" [OWBSYS ] PU CR EL R "OWB$CLIENT" [S ] BF CR OP R "OWB_DESIGNCENTER_VI [S ] BF CR OP U "SCOTT" [TIGER ] DE CR EG U "AB" [AB ] PU CR OP U "OE" [CHANGE_ON_INSTALL ] DE CR EL U "IX" [CHANGE_ON_INSTALL ] DE CR EL U "SH" [CHANGE_ON_INSTALL ] DE CR EL U "PM" [CHANGE_ON_INSTALL ] DE CR EL U "BI" [CHANGE_ON_INSTALL ] DE CR EL U "PETE" [PETE ] DE CR OP U "BILL" [BILL ] PU CR OP U "A" [A ] PU CR OP U "B" [B ] PU CR OP U "C" [C ] PU CR OP U "RES_TEST" [RES_TEST ] PU CR OP U "XX" [123456 ] DI CR OP U "ORASCAN" [ORASCAN ] PU CR OP U "IMPOSS" [IMP {imposs123456789] IM CR OP U "D" [ ] -- -- OP U "P1" [P1 ] PU CR OP U "P2" [P2 ] PU CR OP U "CRACKER" [CRACKER ] PU CR OP INFO: Number of crack attempts = [59963] INFO: Elapsed time = [4.24 Seconds] INFO: Cracks per second = [14140] PL/SQL procedure successfully completed. SQL> So simply do: GRANT SELECT ON SYS.USER$ TO {USER} and GRANT CREATE SESSION TO {USER} Hope this helps cheers Pete
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Oracle password cracker written in PL/SQL
« Reply #6 on: Dec 2nd, 2008, 3:48pm » |
Quote | Modify
|
Hi Pete, it's the heart of my problem !! my privileges are insufficient, this the reason why I would like to find admin password !! It's an old DB and I would like to delete undotbs1 because of its size > 10Go. Manufacturer does not maintain this system but it have to work yet !! SQL> GRANT SELECT ON SYS.USER$ TO ab_svr; GRANT SELECT ON SYS.USER$ TO ab_svr * ERROR at line 1: ORA-00942: table or view does not exist SQL> GRANT CREATE SESSION TO ab_svr; GRANT CREATE SESSION TO ab_svr * ERROR at line 1: ORA-01031: insufficient privileges thank Fabrice
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Oracle password cracker written in PL/SQL
« Reply #9 on: Dec 8th, 2008, 10:21pm » |
Quote | Modify
|
System privileges would be more useful than tab privilieges. For example, if you have the ALTER USER system privilege you can simply reset the password (using ALTER USER). To connect using "/ AS SYSDBA", log on to the server that the database is running on as the oracle user. If you don't have that password, the system administrator should be able to log in as root and change it. If it is a Windows server, a user with administrator privileges should work too. Then, from a command prompt, try sqlplus / as sysdba That assumes there's only one instance running on that database. As you can understand, a typical oracle user should NOT be able to access/change/crack passwords. That isn't to say that they can't (especially if patching has been neglected), but the legitimate DBA should have more direct official routes to get things done.
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Oracle password cracker written in PL/SQL
« Reply #11 on: Apr 27th, 2009, 9:21pm » |
Quote | Modify
|
Hi, PU = Password equals Username, i..e the password was cracked like this CR = Cracked - I added this to post process with awk OP = Open account status BF = Brute Force - i.e. the password was cracked in brute force mode EL = Expired Locked - its an account status DI = Dictionary - it means that the password was cracked using a dictionary word. HTML:- The easiest way would be to modify the output statements in the PL/SQL to output a HTML table. cheers Pete
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Oracle password cracker written in PL/SQL
« Reply #12 on: May 28th, 2009, 6:33am » |
Quote | Modify
|
Hi Pete, I downloaded versions 1.4, 1.3 and 1.2. Version 1.4 is giving errors as below. BEGIN :debugv := 'OFF'; END; * ERROR at line 1: ORA-06502: PL/SQL: numeric or value error: character string buffer too small ORA-06512: at line 1 Version 1.3 does not give errors so I used that instead. BTW, you mentioned another password checker, woraauthbf, can that be run as is as well, i.e. like running a UNIX script or a PL/SQL script. Finally, does your copyright prohibit wrap(ping) your password cracker to a .plb 'coz the PL/SQL is readable in plain text. Incidentally, I tried a sample PL/SQL file and run a wrap on it then run the strings command and I can see the code in plain text so probably not something worth doing. In any case, may I obtain permission to convert the PL/SQL file into some binary form that can be executed from within SQL*Plus, at the moment, only know of using wrap. Thanks in advance.
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Oracle password cracker written in PL/SQL
« Reply #13 on: May 28th, 2009, 9:37am » |
Quote | Modify
|
Hi, Thanks for your post. I found this a strange one. I ran this on my own 11.1.0.7 database and it works fine: Connected to: Personal Oracle Database 11g Release 11.1.0.7.0 - Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> @cracker-v2.0.sql cracker: Release 1.0.4.0.0 - Beta on Thu May 28 09:02:58 2009 Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved. T Username Password CR FL STA ======================================================= U "SYS" [ORACLE1 ] DI CR OP U "SYSTEM" [ORACLE1 ] DI CR OP U "OUTLN" [OUTLN ] DE CR EL ... I did investigate the code though and there is an issue with the variable debugv being varchar2(2) whereas it should be length 3 to accomodate the word 'OFF'. I have fixed the code and updated the zip to version 1.5. The new code is available from http://www.petefinnigan.com/oracle_password_cracker.htm . You cannot wrap a SQL*Plus script; you can only wrap database objects such as PROCEDURES, FUNCTIONS, PACKAGES {BODY}, TYPE {BODY}. This is why it didnt work. Also if you want to wrap it then wrap the testpwd.sql code available from http://www.petefinnigan.com/tools.htm as that is intended to be installed in the database BUT you will need to feed it with passwords. Yes worauthbf by Laszlo is a cracker witten in C. There is a link on my tools page or in the blog. It is a binary. I wrote the PL/SQL script because people had issues using binaries in their organisations. cheers Pete
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
|