Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "A good page describing Oradebug"] [Next entry: "New TNS protocol full client available for testing listener security"]

Hashattack - Oracle password tool update to version 2.0

Josh Wright has just informed us via a thread on my Oracle security forum titled "hashattack a dictionary attack tool for Oracle" that he has updated the tool to version 2.0.

This tool can be used to pre-compute password hashes for an Oracle database user so that a simple repeatable check can be made for weak passwords. This tool is very useful for default accounts such as SYS or SYSTEM or application accounts that would be checked regularly.

Version 2.0 has had some improvements added based on a discussion on my forum. Thanks to Gary for suggestions.

The changes (stolen from Josh’s change log ..:-) ) are:-

"2005-08-11 - 0.2.0
+ Improvements implemented following suggestions from Pete Finnigan and
gamyers in the "hashattack a dictionary attack tool for Oracle" thread at
+ Creates a profile called "HASHATTACK_PROFILE" to limit sessions_per_user,
connect_time, idle_time, failed_login_attempts, password_reuse_max and
password_verify_function to appropriate values. This is necessary because
the default profile should have constraints applied that will hinder
hashattack's performance. You have applied limits to the default profile,
+ Added a check to see if the temp account exists before creating.
+ Properly quoted passwords for alter user syntax.
+ Re-wrote how passwords are collected from the filesystem; instead of
multiple UTL_FILE calls for each word, build an external table that turns
into a database table via CTAS statement, and read words from a cursor."

I have updated my Oracle Security Tools page to include a link to version 2.0.