Oracle Password Cracker

Introduction

I have written an Oracle password cracker in PL/SQL. Why should I do this, you may ask? - well I wanted to have a password cracker that would be easy and simple to run. It doesn't necessarilly need to be fast and it doesn't need to replace excellent password crackers such as woraauthbf. What i wanted was to promote the need to check for weak passwords in customer databases but allow the customer to have a safe and easy method to do it that doesn't involve downloading binaries, oracle clients, ssl dlls and more. I wanted it to be as easy as possible for people to at least do a high level check of password strength.

Then there is no excuse to not do it. This method is as simple as running a sqlplus script, no more, no less, no libraries, nothing. Just fire up SQL*Plus and type @cracker-v2.0.sql and it runs and checks passwords. That said there is still value in real password crackers as they are faster and can check mopre complex and longer passwords. The PL/SQL cracker can get the basics done for you easily and will show where you are on the scale of password weakness. If you can run cracker-v2.0.sql and it doesnt crack any passwords then you are on the road to success and more importantly you will have started a regime in your company of password cracking. So moving to a tool such as woraauthbf is easier for you to do to check strength to a better level.

All of the sites I audit will (would have) failed using cracker-v2.0.sql so its worth running it, period. The speed is still not bad as it does around 13,000 hash attempts per second. I have seen it do 16,000 hashes a second as well. This is not woraauthbf of course that does 1.2Million hashes a second on my laptop BUT as i said cracker-v2.0.sql will find the key issues for you as well as woraauthbf.

Of course the other major advantage to PL/SQL is that you can simply read the code and see how it works and also because it runs in the database you can be sure to block any danger by designing the privileges of the user who will run it to be the minimum necessary. This at present is CREATE SESSION, SELECT ON SYS.USER$ and EXECUTE ON DBMS_OBFUSCATION_TOOLKIT.

The cracker works on 9i (r1 and r2), 10g (r1 and r2) and 11gR1. I dont have 8i to test with but i assume it ewill work.

Running the cracker

SQL> @cracker-v2.0.sql
cracker: Release 1.0.2.0.0 - Beta on Thu Sep 25 14:27:37 2008
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username             Password               CR FL STA
=======================================================

U SYS                  [ORACLE1             ] DI CR OP
U SYSTEM               [ORACLE1             ] DI CR OP
U OUTLN                [OUTLN               ] DE CR EL
U DIP                  [DIP                 ] DE CR EL
U TSMSYS               [TSMSYS              ] PU CR EL
U ORACLE_OCM           [ORACLE_OCM          ] PU CR EL
U XDB                  [CHANGE_ON_INSTALL   ] DE CR EL
R GLOBAL_AQ_USER_ROLE  [GL-EX {GLOBAL}      ] GE CR OP
U DBSNMP               [ORACLE1             ] DI CR OP
U WMSYS                [WMSYS               ] DE CR EL
U EXFSYS               [EXFSYS              ] DE CR EL
U CTXSYS               [CHANGE_ON_INSTALL   ] DE CR EL
U XS$NULL              [                    ] -- -- EL
U ANONYMOUS            [IMP {anonymous}     ] IM CR EL
R SPATIAL_WFS_ADMIN    [SPATIAL_WFS_ADMIN   ] PU CR OP
U ORDSYS               [ORDSYS              ] DE CR EL
U ORDPLUGINS           [ORDPLUGINS          ] DE CR EL
U SI_INFORMTN_SCHEMA   [SI_INFORMTN_SCHEMA  ] DE CR EL
U MDSYS                [MDSYS               ] DE CR EL
U OLAPSYS              [                    ] -- -- EL
U MDDATA               [MDDATA              ] DE CR EL
U HR                   [CHANGE_ON_INSTALL   ] DE CR EL
U SPATIAL_WFS_ADMIN_US [SPATIAL_WFS_ADMIN_US] PU CR EL
R WFS_USR_ROLE         [WFS_USR_ROLE        ] PU CR OP
R SPATIAL_CSW_ADMIN    [SPATIAL_CSW_ADMIN   ] PU CR OP
U SPATIAL_CSW_ADMIN_US [SPATIAL_CSW_ADMIN_US] PU CR EL
R CSW_USR_ROLE         [CSW_USR_ROLE        ] PU CR OP
U WKSYS                [CHANGE_ON_INSTALL   ] DE CR EL
U WKPROXY              [CHANGE_ON_INSTALL   ] DE CR EL
U WK_TEST              [WK_TEST             ] DE CR EL
U SYSMAN               [ORACLE1             ] DI CR OP
U MGMT_VIEW            [                    ] -- -- OP
U FLOWS_FILES          [                    ] -- -- EL
U APEX_PUBLIC_USER     [                    ] -- -- EL
U FLOWS_030000         [                    ] -- -- EL
U OWBSYS               [OWBSYS              ] PU CR EL
R OWB$CLIENT           [S                   ] BF CR OP
R OWB_DESIGNCENTER_VIE [S                   ] BF CR OP
U SCOTT                [TIGER               ] DE CR OP
U AB                   [AB                  ] PU CR OP
U OE                   [CHANGE_ON_INSTALL   ] DE CR EL
U IX                   [CHANGE_ON_INSTALL   ] DE CR EL
U SH                   [CHANGE_ON_INSTALL   ] DE CR EL
U PM                   [CHANGE_ON_INSTALL   ] DE CR EL
U BI                   [CHANGE_ON_INSTALL   ] DE CR EL
U PETE                 [PETE                ] DE CR OP
U BILL                 [BILL                ] PU CR OP
U A                    [A                   ] PU CR OP
U B                    [B                   ] PU CR OP
U C                    [C                   ] PU CR OP
U RES_TEST             [RES_TEST            ] PU CR OP
U XX                   [123456              ] DI CR OP
U ORASCAN              [ORASCAN             ] PU CR OP
U IMPOSS               [IMP {imposs123456789] IM CR OP
U D                    [                    ] -- -- OP
U P1                   [P1                  ] PU CR OP
U P2                   [P2                  ] PU CR OP


INFO: Number of crack attempts = [4330039]
INFO: Elapsed time = [333.52 Seconds]
INFO: Cracks per second = [12980]

PL/SQL procedure successfully completed.

SQL>
						

What does it do?, what does it all mean?

The cracker is very simple to run as you can see above. It runs pretty fast, in the sample 11gR1 database I tested with above its testing 57 user accounts and also roles that have had passwords assigned. In this case 3 passwords could not be cracked as they had been set to impossible passwords (These are where the password hash is not a valid hash, i.e. they have been set with the undocumented ALTER USER IDENTIFIED BY VALUES command). One further password could not be cracked as it is identified as being externally authenticated or a GLOBAL password (such as those authenticated by OID). Of the rest, in this example only 7 passwords were not cracked. This gives a percentage of 87% of passwords were cracked easily, in other words the passwords had very weak settings. This unfortunately is something I see regularly on real production systems. This emphasises why a simple PL/SQL based tool has value and the fast C based tools should be used later.

OK, so what does the tool do. It first checks which accounts it cannot crack. It then tries to crack users accounts and roles with passwords. The type is identified in the first column, a value of 'U'ser or 'R'ole is set. The next column is the username or rolename. The next column is the cracked password or blank if the password was not cracked. If the password hash is an impossible one as described above then the password column has [IMP {impossible value}]. If the password is GLOBAL or EXTERNAL then the password column shows [GL-EX {GLOBAL}] for a GLOBAL password, for instance. Another possible setting for the password column is [HASH {hash value}]. This is output for cases where the password hash is a known default BUT we dont know what the password is. This should still be changed of course.

The columns after the password are as follows. The first column is the method with which the password was cracked. The first check is for 'DE'fault passwords. The second check is 'PU' which means the password is set to the username. The third check is 'DI'ctionary where the password is set to a dictionary word. The final check is 'BF' which means the password was brute forced.

Of course the values for the above conditions, 'IM' for Impossible, 'GE' for GLOBAL/EXTERNAL and 'HS' for hash are also output. Any row that has '--' means the password was not cracked. The next column seems redundant as it shows '--' for not cracked or 'CR' for cracked passwords but I added this to use awk to pull out the lines more easily. The final column is the account status. The values can be seen in the code, but OP means Open and EL means Expired/Locked for instance.

A few notes: The brute force mode is hard coded to a length of 4 characters at the moment (you can change this of course) as this takes around 35 seconds for a single password for the character set used. You can change the character set to alpha, alpha/num or alpha/num/+specials by changing the length from 26 to 36 to 39 respectively. You can also add bigger character sets.

The driving select in the pre_load function can also be changed to read user_history$ for instance or to check a subset of users or roles by changing the where clause.

The dictionary included is pretty small, you can add your own dictionary words easily. I have added around 2000 in my own copy but have refrained from including them here as I simply cannot find where I got them from.

The code includes a trace/debug interface. To turn on debug if there is a problem, uncomment the debugw calls and turn on the debug at the top of the file. This would only be needed if you find a bug, if you can reproduce you can send me a trace file to be able to fix the issues.

Future Plans

There are lots of things I can do to improve this code and time willing I will do so and make the code available. I have a stub function in the code already to crack 11g passwords. I have not had time to add the code yet but I will do this first. I also plan to add a change that allows "WEAK" to be output instead of the password for countries that are supposed to do this. I think also that I can tune the code to make it faster. I have some ideas on this. Also I have plans to add more output in terms of password management values.

If anyone has requests, ideas for improvement please ask me and i will try and add them. Send an email to to Pete Finnigan.

Download the cracker

First a short word about the confusing versions, there is a reason for this. The version in the file name is v2.0, this is because the code comes from PeteFinnigan.com Limited's Oracle Database Security Scanner and that is currently at major version 2.0, each individual file that is part of the scanner is either 1.x or 2.x depending on when the file was added to the scanner. The major version can be ignored in terms of the v2.0 i.e. ignore v2.0, it has meaning for us internally but to keep state with our tools, it stays!.

People downloading the cracker are interested to make sure that they have the lastest version of the source code / cracker and should make sure that they have the latest version. This is always covered in the version column. A readme.txt is also available for each version. Download the "current version" Finally you can download the cracker from here :

I will leave old versions here available for download when new ones are added - see above.