Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security tools >> Oracle password cracker written in PL/SQL
(Message started by: Pete Finnigan on Oct 1st, 2008, 9:39am)

Title: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Oct 1st, 2008, 9:39am
Hi Guys,

I have just released a free Oracle password cracker written completely in PL/SQL on my website. The reason for doing this is to try and encourage people to "test" passwords for strength in their own databases. I am not seeing any real improvements in password strength generally across the industry over the last 8 years.

It is not the intention to replace the fast C-based crackers such as woraauthbf but instead to supplement them. In my experience I find that people have not covered the bases yet, that is they still have passwords set to usernames, passwords set to defaults and also extremely weak passwords.

I often suggest to people to download binary-based crackers but there is often a reticence to do this. Hence I decided to create a PL/SQL-based one. This way there is no excuse, it's a SQL script that can be run in SQL*Plus and also it's going to find the core issues anyway before you need a faster cracker.

Some details on how it works and what it does are included in the page http://www.petefinnigan.com/oracle_password_cracker.htm for the cracker. You can also download it from the same page.

Hope it's useful

cheers

Pete

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Oct 29th, 2008, 8:46pm
We just ran your latest version of this tool in a non-production instance. We have 247 accounts and it took about 5 hours for the script to run. We had a few accounts cracked with default passwords (which we'll change!) but no cracks for dictionary words or through brute force. Are the dictionary words used for the dictionary crack attempt limited to the 47 words in the script? What about the brute force crack; how is that working? Would you recommend pointing to an external dictionary file with compiled hashes for both dictionary and brute force crack attempts? Thanks!



Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Nov 5th, 2008, 4:40pm
Hi,

Sorry for the delay, I have been working abroad for the last few days.

The dictionary included with the cracker is simple. You can easily extend it using any dictionary you can find on the net. An alternate solution is to read in the dictionary from a table in the database.

Pre-compiling hashes is not really practical in this case. That is what rainbow tools do in essence.

The brute force is only to 4 characters and that part is what took the most of your five hours. This tool is nowhere near as fast as tools such as woraauthbf and it is not intended to be; as I have stated previously, the main focus of this tool is to get people to find the basics, i.e. password=username, password=default, password=dictionary word. It is intended to get people to do the checks without the need of a binary tool. Once you have started the process with this cracker, you should at some point move to a much faster tool such as woraauthbf.

You can change the brute force by changing the number of characters it brute forces to.

hope this helps

cheers

Pete

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Nov 13th, 2008, 12:05pm
Hi,

I tried to use this cracker but I had some errors from SQLPLUS :

SQL> start cracker-v2.0.sql
               from sys.user$
                        *
ERROR at line 295:
ORA-06550: line 295, column 12:
PL/SQL: ORA-00942: table or view does not exist
ORA-06550: line 289, column 3:
PL/SQL: SQL Statement ignored
ORA-06550: line 305, column 7:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 305, column 4:
PL/SQL: Statement ignored
ORA-06550: line 310, column 7:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 310, column 4:
PL/SQL: Statement ignored
ORA-06550: line 330, column 8:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 330, column 4:
PL/SQL: Statement ignored
ORA-06550: line 334, column 32:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 334, column 4:
PL/SQL: Statement ignored
ORA-06550: line 335, column 36:
PLS-00364: loop index variable 'LV_USER' use is invalid
ORA-06550: line 335, column 4:
PL/SQL: Statement ignored

is it due to my version ? :

Oracle9i Release 9.2.0.1.0 - Production
PL/SQL Release 9.2.0.1.0 - Production
CORE    9.2.0.1.0       Production
TNS for Linux: Version 9.2.0.1.0 - Production
NLSRTL Version 9.2.0.1.0 - Production

Regards

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Nov 24th, 2008, 9:42am
Hi,

could you help me please ?

regards

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Nov 24th, 2008, 10:37am
Hi,

Thanks for your post. Sorry for the delay, I have been working abroad and had no internet access.

The problem is simply permissions. Normally, you only need two permissions to run this cracker; these are CREATE SESSION and also SELECT on SYS.USER$:

SQL> select * from user_role_privs;

no rows selected

SQL> select * from user_sys_privs;

USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
CRACKER                        CREATE SESSION                           NO

1 row selected.

SQL> select * from user_tab_privs;

GRANTEE                        OWNER
------------------------------ ------------------------------
TABLE_NAME                     GRANTOR
------------------------------ ------------------------------
PRIVILEGE                                GRA HIE
---------------------------------------- --- ---
CRACKER                        SYS
USER$                          SYS
SELECT                                   NO  NO


1 row selected.

SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Mon Nov 24 10:32:51 2008
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username             Password               CR FL STA
=======================================================

U "SYS"                [ORACLE1             ] DI CR OP
U "SYSTEM"             [ORACLE1             ] DI CR OP
U "OUTLN"              [OUTLN               ] DE CR EL
U "DIP"                [DIP                 ] DE CR EL
U "TSMSYS"             [TSMSYS              ] PU CR EL
U "ORACLE_OCM"         [ORACLE_OCM          ] PU CR EL
U "XDB"                [CHANGE_ON_INSTALL   ] DE CR EL
R "GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL}      ] GE CR OP
U "DBSNMP"             [ORACLE1             ] DI CR OP
U "WMSYS"              [WMSYS               ] DE CR EL
U "EXFSYS"             [EXFSYS              ] DE CR EL
U "CTXSYS"             [CHANGE_ON_INSTALL   ] DE CR EL
U "XS$NULL"            [                    ] -- -- EL
U "ANONYMOUS"          [IMP {anonymous}     ] IM CR EL
R "SPATIAL_WFS_ADMIN"  [SPATIAL_WFS_ADMIN   ] PU CR OP
U "ORDSYS"             [ORDSYS              ] DE CR EL
U "ORDPLUGINS"         [ORDPLUGINS          ] DE CR EL
U "SI_INFORMTN_SCHEMA" [SI_INFORMTN_SCHEMA  ] DE CR EL
U "MDSYS"              [MDSYS               ] DE CR EL
U "OLAPSYS"            [                    ] -- -- EL
U "MDDATA"             [MDDATA              ] DE CR EL
U "HR"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "SPATIAL_WFS_ADMIN_U [SPATIAL_WFS_ADMIN_US] PU CR EL
R "WFS_USR_ROLE"       [WFS_USR_ROLE        ] PU CR OP
R "SPATIAL_CSW_ADMIN"  [SPATIAL_CSW_ADMIN   ] PU CR OP
U "SPATIAL_CSW_ADMIN_U [SPATIAL_CSW_ADMIN_US] PU CR EL
R "CSW_USR_ROLE"       [CSW_USR_ROLE        ] PU CR OP
U "WKSYS"              [CHANGE_ON_INSTALL   ] DE CR EL
U "WKPROXY"            [CHANGE_ON_INSTALL   ] DE CR EL
U "WK_TEST"            [WK_TEST             ] DE CR EL
U "SYSMAN"             [ORACLE1             ] DI CR OP
U "MGMT_VIEW"          [                    ] -- -- OP
U "FLOWS_FILES"        [                    ] -- -- EL
U "APEX_PUBLIC_USER"   [                    ] -- -- EL
U "FLOWS_030000"       [                    ] -- -- EL
U "OWBSYS"             [OWBSYS              ] PU CR EL
R "OWB$CLIENT"         [S                   ] BF CR OP
R "OWB_DESIGNCENTER_VI [S                   ] BF CR OP
U "SCOTT"              [TIGER               ] DE CR EG
U "AB"                 [AB                  ] PU CR OP
U "OE"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "IX"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "SH"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "PM"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "BI"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "PETE"               [PETE                ] DE CR OP
U "BILL"               [BILL                ] PU CR OP
U "A"                  [A                   ] PU CR OP
U "B"                  [B                   ] PU CR OP
U "C"                  [C                   ] PU CR OP
U "RES_TEST"           [RES_TEST            ] PU CR OP
U "XX"                 [123456              ] DI CR OP
U "ORASCAN"            [ORASCAN             ] PU CR OP
U "IMPOSS"             [IMP {imposs123456789] IM CR OP
U "D"                  [                    ] -- -- OP
U "P1"                 [P1                  ] PU CR OP
U "P2"                 [P2                  ] PU CR OP
U "CRACKER"            [CRACKER             ] PU CR OP


INFO: Number of crack attempts = [59963]
INFO: Elapsed time = [4.24 Seconds]
INFO: Cracks per second = [14140]

PL/SQL procedure successfully completed.

SQL>

So simply do:

GRANT SELECT ON SYS.USER$ TO {USER} and
GRANT CREATE SESSION TO {USER}

Hope this helps

cheers

Pete

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Dec 2nd, 2008, 3:48pm
Hi Pete,

it's the heart of my problem !!
My privileges are insufficient, this is the reason why I would like to find the admin password !! It's an old DB and I would like to delete undotbs1 because of its size > 10Go. The manufacturer does not maintain this system but it still has to work !!

SQL>  GRANT SELECT ON SYS.USER$ TO ab_svr;
GRANT SELECT ON SYS.USER$ TO ab_svr
                    *
ERROR at line 1:
ORA-00942: table or view does not exist


SQL>  GRANT CREATE SESSION TO ab_svr;
GRANT CREATE SESSION TO ab_svr
*
ERROR at line 1:
ORA-01031: insufficient privileges

Thanks

Fabrice

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Dec 3rd, 2008, 10:20pm
What privileges do you have ?
Someone (presumably) has access to the server the database is running on and can log in as oracle and connect with the / AS SYSDBA syntax.
Once that's done they can reset the password.

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Dec 8th, 2008, 9:34am
Hello Pete,

My privileges are : (from DBA_TAB_PRIVS)

GRANTEE : ab_svr
OWNER : ab_admin (I have an access to ab_admin)
TABLE_NAME : several
GRANTOR : ab_static or ab_admin (I have an access too)
PRIVILEGE : SELECT, INSERT,UPDATE,DELETE.

Could you explain to me how to use / AS SYSDBA ??

Thanks again

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Dec 8th, 2008, 10:21pm
System privileges would be more useful than tab privileges. For example, if you have the ALTER USER system privilege you can simply reset the password (using ALTER USER).
To connect using "/ AS SYSDBA", log on to the server that the database is running on as the oracle user. If you don't have that password, the system administrator should be able to log in as root and change it. If it is a Windows server, a user with administrator privileges should work too.
Then, from a command prompt, try
sqlplus / as sysdba
That assumes there's only one instance running on that database.
As you can understand, a typical oracle user should NOT be able to access/change/crack passwords.

That isn't to say that they can't (especially if patching has been neglected), but the legitimate DBA should have more direct official routes to get things done.

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Apr 27th, 2009, 4:07pm
hey,
Question no. 1: plz what is the meaning of PU CR OP BF EL DI?

Question no. 2: I would like to post the result of your script in an HTML page, how can I do that?

thx .

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on Apr 27th, 2009, 9:21pm
Hi,

PU = Password equals Username, i.e. the password was cracked like this
CR = Cracked - I added this to post process with awk
OP = Open account status
BF = Brute Force - i.e. the password was cracked in brute force mode
EL = Expired Locked - it's an account status
DI = Dictionary - it means that the password was cracked using a dictionary word.

HTML:- The easiest way would be to modify the output statements in the PL/SQL to output a HTML table.

cheers

Pete
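Following on from the two answers above (what the codes mean, and post-processing or HTML output), here is an added example that is not part of the original posts or of the cracker script: a Python post-processor that parses the report format shown in this thread, picks out accounts that are both cracked and open, and renders them as an HTML table without the recovered passwords. The function names are hypothetical; only the codes defined in the reply above are translated, and any other code is passed through unchanged.

```python
import html
import re

# Codes as defined in the reply above; any other code is passed through as-is.
METHODS = {"PU": "password equals username", "BF": "brute force", "DI": "dictionary word"}
STATUSES = {"OP": "open", "EL": "expired and locked"}

# T "name" [password] method flag status; long names lose their closing quote.
ROW = re.compile(r'^([UR]) "([^"\[]*?)"?\s+\[(.*)\]\s+(\S{2})\s+(\S{2})\s+(\S{2})\s*$')

# Sample lines copied from the report posted earlier in this thread.
SAMPLE = """\
T Username             Password               CR FL STA
=======================================================

U "SYS"                [ORACLE1             ] DI CR OP
U "OUTLN"              [OUTLN               ] DE CR EL
U "XS$NULL"            [                    ] -- -- EL
U "SPATIAL_WFS_ADMIN_U [SPATIAL_WFS_ADMIN_US] PU CR EL
R "OWB$CLIENT"         [S                   ] BF CR OP
U "CRACKER"            [CRACKER             ] PU CR OP
INFO: Number of crack attempts = [59963]
"""

def parse_report(text):
    """Return one dict per account row; headers and INFO lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            kind, name, _password, method, flag, status = m.groups()
            rows.append({"type": kind, "name": name, "method": method,
                         "cracked": flag == "CR", "status": status})
    return rows

def open_and_cracked(rows):
    """Accounts to fix first: password recovered and the account is open."""
    return [r for r in rows if r["cracked"] and r["status"] == "OP"]

def to_html(rows):
    """Render findings as an HTML table, leaving the recovered passwords out."""
    cells = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>\n".format(
            html.escape(r["name"]),
            html.escape(METHODS.get(r["method"], r["method"])),
            html.escape(STATUSES.get(r["status"], r["status"])))
        for r in rows)
    return ("<table>\n<tr><th>Account</th><th>How cracked</th><th>Status</th></tr>\n"
            + cells + "</table>")

if __name__ == "__main__":
    print(to_html(open_and_cracked(parse_report(SAMPLE))))
```

Spool the SQL*Plus session to a file and pass its contents to parse_report in place of SAMPLE.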

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on May 28th, 2009, 6:33am
Hi Pete,

I downloaded versions 1.4, 1.3 and 1.2. Version 1.4 is giving errors as below.

BEGIN :debugv := 'OFF'; END;

*
ERROR at line 1:
ORA-06502: PL/SQL: numeric or value error: character string buffer too small
ORA-06512: at line 1

Version 1.3 does not give errors so I used that instead.

BTW, you mentioned another password checker, woraauthbf, can that be run as is as well, i.e. like running a UNIX script or a PL/SQL script?

Finally, does your copyright prohibit wrap(ping) your password cracker to a .plb 'coz the PL/SQL is readable in plain text? Incidentally, I tried a sample PL/SQL file and ran wrap on it, then ran the strings command, and I can see the code in plain text, so probably not something worth doing. In any case, may I obtain permission to convert the PL/SQL file into some binary form that can be executed from within SQL*Plus? At the moment, I only know of using wrap.

Thanks in advance.

Title: Re: Oracle password cracker written in PL/SQL
Post by Pete Finnigan on May 28th, 2009, 9:37am
Hi,

Thanks for your post. I found this a strange one. I ran this on my own 11.1.0.7 database and it works fine:

Connected to:
Personal Oracle Database 11g Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Thu May 28 09:02:58 2009
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username             Password               CR FL STA
=======================================================

U "SYS"                [ORACLE1             ] DI CR OP
U "SYSTEM"             [ORACLE1             ] DI CR OP
U "OUTLN"              [OUTLN               ] DE CR EL
...

I did investigate the code though and there is an issue with the variable debugv being varchar2(2) whereas it should be length 3 to accommodate the word 'OFF'. I have fixed the code and updated the zip to version 1.5. The new code is available from http://www.petefinnigan.com/oracle_password_cracker.htm .

You cannot wrap a SQL*Plus script; you can only wrap database objects such as PROCEDURES, FUNCTIONS, PACKAGES {BODY}, TYPE {BODY}. This is why it didn't work. Also, if you want to wrap it then wrap the testpwd.sql code available from http://www.petefinnigan.com/tools.htm as that is intended to be installed in the database BUT you will need to feed it with passwords.

Yes, woraauthbf by Laszlo is a cracker written in C. There is a link on my tools page or in the blog. It is a binary. I wrote the PL/SQL script because people had issues using binaries in their organisations.

cheers

Pete


