Oracle Password Cracker
Introduction
I have written an Oracle password cracker in PL/SQL. Why should I do this, you may ask? Well, I wanted to have a password cracker that would be easy and simple to run. It doesn't necessarily need to be fast and it doesn't need to replace excellent password crackers such as woraauthbf. What I wanted was to promote the need to check for weak passwords in customer databases but allow the customer to have a safe and easy method to do it that doesn't involve downloading binaries, Oracle clients, SSL DLLs and more. I wanted it to be as easy as possible for people to at least do a high level check of password strength.
Then there is no excuse not to do it. This method is as simple as running a SQL*Plus script, no more, no less, no libraries, nothing. Just fire up SQL*Plus and type @cracker-v2.0.sql and it runs and checks passwords. That said, there is still value in real password crackers as they are faster and can check more complex and longer passwords. The PL/SQL cracker can get the basics done for you easily and will show where you are on the scale of password weakness. If you can run cracker-v2.0.sql and it doesn't crack any passwords then you are on the road to success and, more importantly, you will have started a regime in your company of password cracking. Moving on to a tool such as woraauthbf to check strength to a better level is then an easier step to take.
All of the sites I audit will (would have) failed using cracker-v2.0.sql, so it's worth running it, period. The speed is still not bad as it does around 13,000 hash attempts per second. I have seen it do 16,000 hashes a second as well. This is not woraauthbf of course, which does 1.2 million hashes a second on my laptop, BUT as I said cracker-v2.0.sql will find the key issues for you just as woraauthbf will.
Of course the other major advantage of PL/SQL is that you can simply read the code and see how it works, and also, because it runs in the database, you can be sure to block any danger by designing the privileges of the user who will run it to be the minimum necessary. At present this is CREATE SESSION, SELECT ON SYS.USER$ and EXECUTE ON DBMS_OBFUSCATION_TOOLKIT.
The cracker works on 9i (R1 and R2), 10g (R1 and R2) and 11gR1. I don't have 8i to test with but I assume it will work.
Running the cracker
Running the cracker is easy. Simply fire up SQL*Plus and run it. Here is an example session:
SQL> @cracker-v2.0.sql
cracker: Release 1.0.2.0.0 - Beta on Thu Sep 25 14:27:37 2008
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.
T Username Password CR FL STA
=======================================================
U SYS [ORACLE1 ] DI CR OP
U SYSTEM [ORACLE1 ] DI CR OP
U OUTLN [OUTLN ] DE CR EL
U DIP [DIP ] DE CR EL
U TSMSYS [TSMSYS ] PU CR EL
U ORACLE_OCM [ORACLE_OCM ] PU CR EL
U XDB [CHANGE_ON_INSTALL ] DE CR EL
R GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP
U DBSNMP [ORACLE1 ] DI CR OP
U WMSYS [WMSYS ] DE CR EL
U EXFSYS [EXFSYS ] DE CR EL
U CTXSYS [CHANGE_ON_INSTALL ] DE CR EL
U XS$NULL [ ] -- -- EL
U ANONYMOUS [IMP {anonymous} ] IM CR EL
R SPATIAL_WFS_ADMIN [SPATIAL_WFS_ADMIN ] PU CR OP
U ORDSYS [ORDSYS ] DE CR EL
U ORDPLUGINS [ORDPLUGINS ] DE CR EL
U SI_INFORMTN_SCHEMA [SI_INFORMTN_SCHEMA ] DE CR EL
U MDSYS [MDSYS ] DE CR EL
U OLAPSYS [ ] -- -- EL
U MDDATA [MDDATA ] DE CR EL
U HR [CHANGE_ON_INSTALL ] DE CR EL
U SPATIAL_WFS_ADMIN_US [SPATIAL_WFS_ADMIN_US] PU CR EL
R WFS_USR_ROLE [WFS_USR_ROLE ] PU CR OP
R SPATIAL_CSW_ADMIN [SPATIAL_CSW_ADMIN ] PU CR OP
U SPATIAL_CSW_ADMIN_US [SPATIAL_CSW_ADMIN_US] PU CR EL
R CSW_USR_ROLE [CSW_USR_ROLE ] PU CR OP
U WKSYS [CHANGE_ON_INSTALL ] DE CR EL
U WKPROXY [CHANGE_ON_INSTALL ] DE CR EL
U WK_TEST [WK_TEST ] DE CR EL
U SYSMAN [ORACLE1 ] DI CR OP
U MGMT_VIEW [ ] -- -- OP
U FLOWS_FILES [ ] -- -- EL
U APEX_PUBLIC_USER [ ] -- -- EL
U FLOWS_030000 [ ] -- -- EL
U OWBSYS [OWBSYS ] PU CR EL
R OWB$CLIENT [S ] BF CR OP
R OWB_DESIGNCENTER_VIE [S ] BF CR OP
U SCOTT [TIGER ] DE CR OP
U AB [AB ] PU CR OP
U OE [CHANGE_ON_INSTALL ] DE CR EL
U IX [CHANGE_ON_INSTALL ] DE CR EL
U SH [CHANGE_ON_INSTALL ] DE CR EL
U PM [CHANGE_ON_INSTALL ] DE CR EL
U BI [CHANGE_ON_INSTALL ] DE CR EL
U PETE [PETE ] DE CR OP
U BILL [BILL ] PU CR OP
U A [A ] PU CR OP
U B [B ] PU CR OP
U C [C ] PU CR OP
U RES_TEST [RES_TEST ] PU CR OP
U XX [123456 ] DI CR OP
U ORASCAN [ORASCAN ] PU CR OP
U IMPOSS [IMP {imposs123456789] IM CR OP
U D [ ] -- -- OP
U P1 [P1 ] PU CR OP
U P2 [P2 ] PU CR OP
INFO: Number of crack attempts = [4330039]
INFO: Elapsed time = [333.52 Seconds]
INFO: Cracks per second = [12980]
PL/SQL procedure successfully completed.
SQL>
What does it do, and what does it all mean?
The cracker is very simple to run as you can see above. It runs pretty fast: in the sample 11gR1 database I tested with above it's testing 57 user accounts and also roles that have had passwords assigned. In this case 3 passwords could not be cracked as they had been set to impossible passwords (these are where the password hash is not a valid hash, i.e. they have been set with the undocumented ALTER USER IDENTIFIED BY VALUES command). One further password could not be cracked as it is identified as being externally authenticated or a GLOBAL password (such as those authenticated by OID). Of the rest, in this example only 7 passwords were not cracked. This means 87% of the passwords were cracked easily; in other words, the passwords had very weak settings. This unfortunately is something I see regularly on real production systems. This emphasises why a simple PL/SQL based tool has value, with the fast C based tools to be used later.
OK, so what does the tool do? It first checks which accounts it cannot crack. It then tries to crack user accounts and roles with passwords. The type is identified in the first column, with a value of 'U'ser or 'R'ole. The next column is the username or role name. The next column is the cracked password, or blank if the password was not cracked. If the password hash is an impossible one as described above then the password column shows [IMP {impossible value}]. If the password is GLOBAL or EXTERNAL then the password column shows, for instance, [GL-EX {GLOBAL}] for a GLOBAL password. Another possible setting for the password column is [HASH {hash value}]. This is output for cases where the password hash is a known default BUT we don't know what the password is. This should still be changed of course.
The columns after the password are as follows. The first column is the method with which the password was cracked. The first check is for 'DE'fault passwords. The second check is 'PU' which means the password is set to the username. The third check is 'DI'ctionary where the password is set to a dictionary word. The final check is 'BF' which means the password was brute forced.
Of course the values for the conditions described above, 'IM' for Impossible, 'GE' for GLOBAL/EXTERNAL and 'HS' for hash, are also output here. Any row that has '--' means the password was not cracked. The next column seems redundant as it shows '--' for not cracked or 'CR' for cracked passwords, but I added this to make it easier to pull out the lines with awk. The final column is the account status. The values can be seen in the code, but OP means Open and EL means Expired/Locked, for instance.
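The column layout just described is easy to post-process without awk. The following is an added example, not part of the cracker or of PeteFinnigan.com Limited's code: it parses a run of the tool's output, works out the cracked percentage the way the text does (impossible and GLOBAL/EXTERNAL rows are excluded from the denominator) and lists the rows that need attention first, i.e. cracked passwords on accounts or roles whose status is OP. The sample output embedded below is a constructed excerpt of the session shown above.

```python
import re
from collections import Counter

# Row layout described on the page: type (U/R), name, [password], method, cracked flag, status.
ROW_RE = re.compile(r'^([UR])\s+(\S+)\s+\[(.*?)\]\s+(\S+)\s+(\S+)\s+(\S+)\s*$')

# Methods meaning a real password was recovered (default, username, dictionary, brute force).
CRACK_METHODS = {"DE", "PU", "DI", "BF"}
# Methods meaning the hash cannot be attacked at all (impossible hash, GLOBAL/EXTERNAL auth).
NOT_CRACKABLE = {"IM", "GE"}

# Constructed sample: an excerpt of the tool's output, including banner and INFO lines
# that the parser must skip, and a truncated [IMP {...] bracket as in the real output.
SAMPLE_OUTPUT = """cracker: Release 1.0.2.0.0 - Beta on Thu Sep 25 14:27:37 2008
T Username Password CR FL STA
=======================================================
U SYS [ORACLE1 ] DI CR OP
U OUTLN [OUTLN ] DE CR EL
U TSMSYS [TSMSYS ] PU CR EL
R GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP
U XS$NULL [ ] -- -- EL
U ANONYMOUS [IMP {anonymous} ] IM CR EL
R OWB$CLIENT [S ] BF CR OP
U SCOTT [TIGER ] DE CR OP
U IMPOSS [IMP {imposs123456789] IM CR OP
U D [ ] -- -- OP
INFO: Number of crack attempts = [4330039]
"""

def parse_rows(text):
    """Return one dict per account/role row; banner, header and INFO lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        kind, name, pwd, method, flag, status = m.groups()
        rows.append({"type": kind, "name": name, "password": pwd.strip(),
                     "method": method, "flag": flag, "status": status})
    return rows

def summarize(rows):
    """Counts per method, cracked percentage of crackable rows, and open accounts with a cracked password."""
    by_method = Counter(r["method"] for r in rows)
    crackable = [r for r in rows if r["method"] not in NOT_CRACKABLE]
    cracked = [r for r in crackable if r["method"] in CRACK_METHODS]
    pct = round(100.0 * len(cracked) / len(crackable), 1) if crackable else 0.0
    # Highest priority for remediation: a known password on an account that can log in.
    open_cracked = sorted(r["name"] for r in cracked if r["status"] == "OP")
    return {"total": len(rows), "by_method": dict(by_method), "cracked": len(cracked),
            "crackable": len(crackable), "percent_cracked": pct, "open_cracked": open_cracked}
```

Rows with method 'HS' (a known default hash whose password is unknown) are counted as crackable but not cracked, so they lower the percentage while still showing up in by_method for follow-up.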
A few notes: the brute force mode is hard-coded to a length of 4 characters at the moment (you can change this of course) as this takes around 35 seconds for a single password with the character set used. You can change the character set to alpha, alpha/num or alpha/num/+specials by changing the length from 26 to 36 to 39 respectively. You can also add bigger character sets.
The driving select in the pre_load function can also be changed to read user_history$ for instance or to check a subset of users or roles by changing the where clause.
The dictionary included is pretty small, you can add your own dictionary words easily. I have added around 2000 in my own copy but have refrained from including them here as I simply cannot find where I got them from.
The code includes a trace/debug interface. To turn on debug if there is a problem, uncomment the debugw calls and turn on the debug at the top of the file. This would only be needed if you find a bug; if you can reproduce it, you can send me a trace file so that I can fix the issue.
Future Plans
There are lots of things I can do to improve this code and time willing I will do so and make the code available. I have a stub function in the code already to crack 11g passwords. I have not had time to add the code yet but I will do this first. I also plan to add a change that allows "WEAK" to be output instead of the password for countries that are supposed to do this. I think also that I can tune the code to make it faster. I have some ideas on this. Also I have plans to add more output in terms of password management values.
If anyone has requests or ideas for improvement, please ask me and I will try and add them. Send an email to Pete Finnigan.
Download the cracker
First a short word about the confusing versions; there is a reason for this. The version in the file name is v2.0 because the code comes from PeteFinnigan.com Limited's Oracle Database Security Scanner, which is currently at major version 2.0; each individual file that is part of the scanner is either 1.x or 2.x depending on when the file was added to the scanner. The major version can be ignored, i.e. ignore v2.0; it has meaning for us internally, but to keep in step with our tools, it stays!
People downloading the cracker should make sure that they have the latest version of the source code. This is always covered in the version column. A readme.txt is also available for each version. Download the "current version". You can download the cracker from here:
Date | Version | Description | Readme.txt | Download |
28th May 2009 | Version 1.5 | Current Version | Readme.txt | cracker-v2.0(1.5).zip |
13th October 2008 | Version 1.4 | Current Version | Readme.txt | cracker-v2.0(1.4).zip |
30th September 2008 | Version 1.3 | Previous Version | Readme.txt | cracker-v2.0(1.3).zip |
25th September 2008 | Version 1.2 | Previous Version | Readme.txt | cracker-v2.0(1.2).zip |
I will leave old versions here available for download when new ones are added - see above.