Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> find out weak passwords best practices
(Message started by: Pete Finnigan on Nov 21st, 2005, 2:10pm)

Title: find out weak passwords best practices
Post by Pete Finnigan on Nov 21st, 2005, 2:10pm
Hi,
I want to write a small script in SQL, eventually perl, java or C, to find out weak passwords.

My first try is to look in dba_users and try
connect user/user
for each user. also connect user/resu

Since it is highly critical, my script should display only "Warning : weak password" and not the found password. It should be easy to use, but should not be easily overused to gain illegal access to the database. So a bruteforce engine does not seem to be appropriate, imho. I will not download some "unsupported-by-oracle" binary to do that, because it could make the whole system even more insecure than before, and will never be approved by the customer.

Thanks for your advice
Laurent

Title: Re: find out weak passwords best practices
Post by Pete Finnigan on Nov 21st, 2005, 4:44pm
Laurent,

Instead of looking for users with password=usercode why don't you create a password policy (look at $ORACLE_HOME/rdbms/admin/utlpwdmg.sql) that rejects weak passwords: password=usercode, password=resu, etc.
After defining a password policy you have to expire the passwords to force people to change their passwords.
If creating a password policy is not a solution to you then let me know as I can provide you with a Perl (using DBD/DBI modules) script to check for weak passwords.

Ivan

Title: Re: find out weak passwords best practices
Post by Pete Finnigan on Nov 21st, 2005, 4:49pm
a password policy is definitely a must, thanks for the reminder. However, we have over 600 databases here and your perl script will be greatly appreciated !

Regards,
Laurent
tl30@zkb.ch

Title: Re: find out weak passwords best practices
Post by Pete Finnigan on Nov 21st, 2005, 5:02pm
I'd suggest not performing a connect attempt for each user lest you lock them out. Even if it doesn't this'll just confuse the audit trail (and possibly hide attempted breakins).
When you say, "I will not download some `unsupported-by-oracle` binary" I take it that means you can't use a commercial/free Oracle password cracker. If you can, NGSSQuirreL http://www.ngssoftware.com/squirrelora.htm supports the option for _not_ showing the password if cracked - we added this for those using the tool for Sarbanes Oxley compliance.
HTH,
David Litchfield

Title: Re: find out weak passwords best practices
Post by Pete Finnigan on Nov 21st, 2005, 5:20pm
thanks David, I will try to suggest this software to my customer as an alternative to a perl script

Title: Re: find out weak passwords best practices
Post by Pete Finnigan on Nov 22nd, 2005, 8:07am
David, your advice not to try connections is sound.

If I want to write a script that compares hashes, how should I start?

I could imagine the following :

1) select databasename, username, password in every database
2) create user identified by user in a database created for this special purpose
3) compare the hashes and reveal weak database/users
4) create user identified by "dictionary word"
5) compare the hashes
...

Or what is the best way to see if

user1/user1 matches user1/BBE7786A584F9103

without trying the connection?

I am using AIX and I am not allowed to try "external software" on my PC

Title: Re: find out weak passwords best practices
Post by Pete Finnigan on Nov 22nd, 2005, 4:14pm
one more try, feedback welcome :

declare
   -- only "normal" (uppercase) account names: the lowercase copies created below must not collide with them
   cursor c1 is select username u from dba_users where username=upper(username);
   -- the hash is computed over upper(username||password), so user "dip" identified by "DIP"
   -- gets the same hash as user DIP identified by DIP: a duplicate hash means password = username
   cursor c2 is select upper(username) u from dba_users group by upper(username),password having count(*)>1;
begin
   for r in c1 loop
       execute immediate 'create user "'||lower(r.u)||'" identified by "'||r.u||'"';
   end loop;
   for r in c2 loop
       dbms_output.put_line('WARNING: '||r.u||' has a default password');
   end loop;
   -- remove the temporary lowercase users again
   for r in c1 loop
       execute immediate 'drop user "'||lower(r.u)||'"';
   end loop;
end;
/

WARNING: DIP has a default password
WARNING: OUTLN has a default password
WARNING: USER1 has a default password
WARNING: CTXSYS has a default password
WARNING: EXFSYS has a default password
WARNING: GASTON has a default password
WARNING: TSMSYS has a default password


I am using the concatenation and uppercase properties of the algorithm to make that test.

Title: Re: find out weak passwords best practices
Post by Pete Finnigan on Dec 23rd, 2005, 4:45am
Why don't you take a look at the scanner PeteF wrote in 2001 while still at Pentest Limited?

It will check for default usernames/passwords based on auditing the hashvalues in dba_users against a pre-tabulated set of username/hashvalue pairs.

It's available at http://www.pentest.co.uk/sql/scanner.sql

If you update it with the list of username/password/passwordhash values from this site (Tools/Default Password List) you will pretty much have a tool to audit for default passwords.

The benefit is that this is an audit that does not try repeated logon or create and drop users, actions that ought to be audited (by oracle db auditing features) in a production database.  
So you will not set off any alarms !!!!

The script further has the benefit of being self-contained, i.e. it doesn't need 'write' access to the database - and it is written in pl/sql so you can review it to make sure it's not doing anything "funny".

Oh, BTW it does a few other checks - you can disable those.
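Both approaches in this thread, collecting dba_users rows from every database (step 1 of the list above) and comparing them against a pre-tabulated username/hash list as scanner.sql does, can be combined in one offline check. The script below is an added example, not code from the thread or from scanner.sql; its sample rows and every hash except USER1's (quoted earlier in the thread) are constructed placeholders, and it assumes the 10g-and-earlier layout where dba_users.PASSWORD holds the hash. Because that hash depends only on the username and password, it also flags the same account carrying the same hash in several databases, which means the same password is set in all of them.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of "select databasename, username, password, lock_date"
# from dba_users (10g and earlier: PASSWORD holds the hash; 11g+ moved it to
# sys.user$). Hashes are placeholders except USER1's, quoted in the thread.
SAMPLE_ROWS = """\
db,username,password,lock_date
PROD1,USER1,BBE7786A584F9103,
PROD1,SCOTT,1111111111111111,
PROD1,DIP,2222222222222222,2005-11-01
PROD2,USER1,BBE7786A584F9103,
PROD2,APPOWNER,3333333333333333,
PROD3,APPOWNER,3333333333333333,
PROD3,USER1,4444444444444444,
"""
# Pre-tabulated (username, hash) pairs; placeholders to be replaced with the
# site's Default Password List. The cleartext is deliberately not stored.
KNOWN_DEFAULTS = {("USER1", "BBE7786A584F9103"), ("SCOTT", "1111111111111111"),
                  ("DIP", "2222222222222222")}

def parse_rows(text):
    """Normalise exported rows: uppercase names and hashes, flag locked ones."""
    return [{"db": r["db"], "username": r["username"].upper(),
             "hash": r["password"].upper(), "locked": bool(r["lock_date"])}
            for r in csv.DictReader(io.StringIO(text))]

def find_default_passwords(rows, known=KNOWN_DEFAULTS, include_locked=False):
    """(db, user) pairs whose stored hash equals a known default hash."""
    return sorted((r["db"], r["username"]) for r in rows
                  if (include_locked or not r["locked"])
                  and (r["username"], r["hash"]) in known)

def find_reused_hashes(rows):
    """Same username and same hash in several databases means the same
    password is set in each: the hash is salted only by the username."""
    seen = defaultdict(set)
    for r in rows:
        seen[(r["username"], r["hash"])].add(r["db"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def report(rows):
    """Warnings that name the account but never the password, as requested."""
    lines = [f"WARNING: {db}.{user} has a default password"
             for db, user in find_default_passwords(rows)]
    lines += [f"NOTE: {user} has the same password in {', '.join(dbs)}"
              for (user, _h), dbs in sorted(find_reused_hashes(rows).items())]
    return lines
```

Running `report(parse_rows(SAMPLE_ROWS))` only ever SELECTs from each database, so nothing but the query itself appears in the audit trail.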

Title: Re: find out weak passwords best practices
Post by Pete Finnigan on Dec 23rd, 2005, 8:06am
thanks for the hint, but I have another approach.

If the users are ADAMS ANONYMOUS BLAKE CLARK CTXSYS DBSNMP DIP DMSYS EXFSYS HR JONES MDDATA MDSYS MGMT_VIEW ODM ODM_MTR OE OLAPSYS ORDPLUGINS ORDSYS OUTLN PERFSTAT PM QS QS_ADM QS_CB QS_CBADM QS_CS QS_ES QS_OS QS_WS SCOTT SH SI_INFORMTN_SCHEMA TSMSYS WK_TEST WKPROXY WKSYS WMSYS XDB, they must be locked, so I do not care about their passwords.

I am looking to check in the database for "weak" passwords. OK, username=password is the weakest, but my method is so slow that I cannot check millions of passwords for each user.

I would like to write a much much much faster gethash(username,password), similar to orabf, but in PL/SQL for example. Then I would be able to compare passwords. This is all that my function is about. David's advice about NGS sounds wise, but if NGS can do it, I should also be able to do it.

For the moment, I do not have the time to write my own algorithm, so I am simply checking username=password with my dubious code above...

Cheers
Laurent


PS: well, the code above revealed a default password for DIP, but in my production script, I check only for lock_date is null


declare
   -- only open accounts with "normal" (uppercase) names; locked accounts are skipped
   cursor c1 is select username u from dba_users where username=upper(username) and LOCK_DATE is null;
   -- duplicate hash for the same upper(username) means password = username
   cursor c2 is select upper(username) u from dba_users group by upper(username),password having count(*)>1;
begin
   -- a profile without a verify function, so the password policy does not reject the temporary users
   begin
       execute immediate 'create profile verifynull limit PASSWORD_VERIFY_FUNCTION null';
   exception
       when others then
           dbms_output.put_line(sqlerrm);
           dbms_output.put_line(' received while creating profile verifynull');
   end;
   -- temporary lowercase copies are created locked so nobody can log in with them
   for r in c1 loop
       begin
           execute immediate 'create user "'||lower(r.u)||'" identified by "'||r.u||'" profile verifynull account lock';
       exception
           when others then
               dbms_output.put_line(sqlerrm);
               dbms_output.put_line(' received while creating user '||lower(r.u));
       end;
   end loop;
   for r in c2 loop
       dbms_output.put_line('FATAL: '||r.u||' has a default password');
   end loop;
   -- clean up the temporary users and the profile again
   for r in c1 loop
       begin
           execute immediate 'drop user "'||lower(r.u)||'"';
       exception
           when others then
               dbms_output.put_line(sqlerrm);
               dbms_output.put_line(' received while dropping user '||lower(r.u));
       end;
   end loop;
   begin
       execute immediate 'drop profile verifynull';
   exception
       when others then
           dbms_output.put_line(sqlerrm);
           dbms_output.put_line(' received while dropping profile verifynull');
   end;
end;
/
