Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "PeteFinnigan.com Limited becomes UK partner for Sentrigo Hedgehog"] [Next entry: "Oracle security conferences, illness and ...."]

A default password script and a cracker helper script



I subscribe to the pentest list on security focus and a recent thread around Oracle password crackers threw up links to a couple of small scripts that are worth a mention simply to keep a record of them here.

The first is a default password script that uses a similar style to the one I originally wrote for pentest and that Mark took over. It also uses the contents of my Oracle default password list from this site. For completeness i would also include the contents of the Oracle default password check script.

The twist is that it generates an alter script that is then run at the end that prompts you for a password for each default user found. The script is called Oracle-chngdef.sql and is available from the US military stigs site. A sample output from a test system here generated:

set verify off
alter user CTXSYS identified by &CTXSYS;
alter user DBSNMP identified by &DBSNMP;
alter user HR identified by &HR;
alter user HR identified by &HR;
alter user MDSYS identified by &MDSYS;
alter user ODM identified by &ODM;
alter user ODM_MTR identified by &ODM_MTR;
alter user OE identified by &OE;
alter user OLAPSYS identified by &OLAPSYS;
alter user ORDPLUGINS identified by &ORDPLUGINS;
alter user ORDSYS identified by &ORDSYS;
alter user OUTLN identified by &OUTLN;
alter user PM identified by ±
alter user QS identified by &QS;
alter user QS_ADM identified by &QS_ADM;
alter user QS_CB identified by &QS_CB;
alter user QS_CBADM identified by &QS_CBADM;
alter user QS_CS identified by &QS_CS;
alter user QS_ES identified by &QS_ES;
alter user QS_OS identified by &QS_OS;
alter user QS_WS identified by &QS_WS;
alter user RMAN identified by &RMAN;
alter user SH identified by &SH;
alter user WKPROXY identified by &WKPROXY;
alter user WKSYS identified by &WKSYS;
alter user WMSYS identified by &WMSYS;
alter user XDB identified by &XDB;

The second script is a helper script by Marco Ivaldi to run check_pwd and to parse out the results at the end of the run. Its a simple shell script and it simply removes all the additional text generated by the cracker. I have a similar manual process that i use on orabf or worauthbf depending on which I used at the time. I use cygwin for a command line so that I have access to a bash shell on Windows. The script is called oracrack.