
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


A new Oracle Password cracker that runs inside the database



I wrote an Oracle password cracker entirely in PL/SQL some time ago and have been using it on Oracle database security audits as a good starting point for testing the strength of Oracle database passwords. Of course I will not abandon tools such as Laszlo Toth's excellent woraauthbf, as its sheer speed is necessary to check true password strength.

So why write a tool completely in PL/SQL?

A number of reasons, really. I wanted a tool that just runs and checks the basics without extracting password hashes, usernames etc. from the database. I know checkpwd connects to the database, and woraauthbf will do so soon as well (I am writing some OCI code for Laszlo to allow this; I just haven't had much time recently to complete it :-( ).

Any binary-based tool is, well, a binary.... it needs an Oracle client that works out of the box, and the Instant Client often requires some tweaking to make it work. If the tool doesn't connect to the database you need to gather the usernames/hashes first. Something that just runs with no dependencies is attractive.

In the olden days, before C-based crackers were freely available, the only free Oracle password crackers were PL/SQL based (the most popular were the bear dang one, which did brute-force checks, and the Adam Martin one, which did a dictionary attack), but they all used the ALTER USER command to change the user's password in the database for each password guess and then compared the hash generated. This has a number of issues: the first is that the database is altered (a security tool should not alter the software or data being checked); any password management would lock the account or would need to be removed; and any triggers, audit etc. would be affected.....

I wanted to see if it is possible to write a PL/SQL-based password cracker that doesn't use ALTER USER commands but actually implements the encryption routines, so that any password can be checked. I also wanted the tool to be an anonymous PL/SQL block, so that it can be run from any client with no external or internal dependencies in the database.

Let's take a look at it running and then discuss it:



SQL> @cracker-v2.0.sql
cracker: Release 2.0.1.0.0 - Alpha on Fri Aug 29 16:28:24 2008
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username Password CR FL STA
=======================================================

U SYS [ORACLE1 ] DI CR OP
U SYSTEM [ORACLE1 ] DI CR OP
U OUTLN [OUTLN ] DE CR EL
U DIP [DIP ] DE CR EL
U TSMSYS [TSMSYS ] PU CR EL
U ORACLE_OCM [ORACLE_OCM ] PU CR EL
U XDB [CHANGE_ON_INSTALL ] DE CR EL
R GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP
U DBSNMP [ORACLE1 ] DI CR OP
U WMSYS [WMSYS ] DE CR EL
U EXFSYS [EXFSYS ] DE CR EL
U CTXSYS [CHANGE_ON_INSTALL ] DE CR EL
U XS$NULL [ ] -- -- EL
U ANONYMOUS [IMP {anonymous} ] IM CR EL
R SPATIAL_WFS_ADMIN [SPATIAL_WFS_ADMIN ] PU CR OP
U ORDSYS [ORDSYS ] DE CR EL
U ORDPLUGINS [ORDPLUGINS ] DE CR EL
U SI_INFORMTN_SCHEMA [SI_INFORMTN_SCHEMA ] DE CR EL
U MDSYS [MDSYS ] DE CR EL
U OLAPSYS [ ] -- -- EL
U MDDATA [MDDATA ] DE CR EL
U HR [CHANGE_ON_INSTALL ] DE CR EL
U SPATIAL_WFS_ADMIN_US [SPATIAL_WFS_ADMIN_US] PU CR EL
R WFS_USR_ROLE [WFS_USR_ROLE ] PU CR OP
R SPATIAL_CSW_ADMIN [SPATIAL_CSW_ADMIN ] PU CR OP
U SPATIAL_CSW_ADMIN_US [SPATIAL_CSW_ADMIN_US] PU CR EL
R CSW_USR_ROLE [CSW_USR_ROLE ] PU CR OP
U WKSYS [CHANGE_ON_INSTALL ] DE CR EL
U WKPROXY [CHANGE_ON_INSTALL ] DE CR EL
U WK_TEST [WK_TEST ] DE CR EL
U SYSMAN [ORACLE1 ] DI CR OP
U MGMT_VIEW [ ] -- -- OP
U FLOWS_FILES [ ] -- -- EL
U APEX_PUBLIC_USER [ ] -- -- EL
U FLOWS_030000 [ ] -- -- EL
U OWBSYS [OWBSYS ] PU CR EL
R OWB$CLIENT [S ] BF CR OP
R OWB_DESIGNCENTER_VIE [S ] BF CR OP
U SCOTT [TIGER ] DE CR OP
U OE [CHANGE_ON_INSTALL ] DE CR EL
U IX [CHANGE_ON_INSTALL ] DE CR EL
U SH [CHANGE_ON_INSTALL ] DE CR EL
U PM [CHANGE_ON_INSTALL ] DE CR EL
U BI [CHANGE_ON_INSTALL ] DE CR EL
U PETE [PETE ] DE CR OP
U BILL [BILL ] PU CR OP
U A [A ] PU CR OP
U B [B ] PU CR OP
U C [C ] PU CR OP
U RES_TEST [RES_TEST ] PU CR OP
U P1 [P1 ] PU CR OP
U P2 [P2 ] PU CR OP
U XX [123456 ] DI CR OP
U ORASCAN [ORASCAN ] PU CR OP
U IMPOSS [IMP {imposs123456789] IM CR OP
U D [ ] -- -- OP


INFO: Number of crack attempts = [4344517]
INFO: Elapsed time = [328.94 Seconds]
INFO: Cracks per second = [13200]

PL/SQL procedure successfully completed.

SQL>




The script runs fairly fast for a PL/SQL script. It is nowhere near as fast as a C-based approach, but that is not its intention. My intention was to have a script that runs fast enough to check:


  • username=password

  • password=known default

  • password=simple word

  • known hash but not cracked

  • simple brute force



What do the columns mean? The first is 'U'ser or 'R'ole; the second is the name; the third is the cracked password: if it is an impossible password it says so, if the account is EXTERNAL or GLOBAL it says so, and if we know it is a default hash but don't know the password it says that too. The CR column gives the mode in which it was cracked: PU => password = username, DE => default password, DI => dictionary word, BF => brute force, IM => impossible password. The FL column is CRacked or not, and the final column is the account status.
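To show what "implementing the encryption routines instead of ALTER USER" looks like in practice, here is an added example (not Pete's cracker-v2.0.sql) of an anonymous PL/SQL block that recomputes the classic DES-based Oracle password hash with DBMS_CRYPTO and reports accounts whose password equals their username, the PU check in the output above. It assumes the hash is still stored in SYS.USER$.PASSWORD (10g, and 11g where that column is populated) and that the caller can execute DBMS_CRYPTO and select from SYS.USER$; nothing in the database is altered.

```sql
-- Added example, not the original cracker: audit for password = username
-- by recomputing the pre-11g hash in PL/SQL rather than issuing ALTER USER.
SET SERVEROUTPUT ON
DECLARE
  -- The database hashes UPPER(user||password) as UTF-16BE bytes, zero-pads
  -- to an 8-byte DES block, DES-CBC encrypts with a fixed key, then encrypts
  -- again using the last ciphertext block as the key; the last block of the
  -- second pass, in hex, is the stored hash.
  FUNCTION ora_hash(p_user IN VARCHAR2, p_pwd IN VARCHAR2) RETURN VARCHAR2 IS
    l_txt  VARCHAR2(60) := UPPER(p_user || p_pwd);
    l_hex  VARCHAR2(512);
    l_raw  RAW(256);
    l_key  RAW(8) := HEXTORAW('0123456789ABCDEF');  -- fixed first-pass key
    l_iv   RAW(8) := HEXTORAW('0000000000000000');
    l_enc  RAW(256);
    l_mode PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_DES
                        + DBMS_CRYPTO.CHAIN_CBC
                        + DBMS_CRYPTO.PAD_NONE;     -- we pad ourselves
  BEGIN
    -- each (ASCII) character becomes 0x00 followed by its own byte
    FOR i IN 1 .. LENGTH(l_txt) LOOP
      l_hex := l_hex || '00' ||
               RAWTOHEX(UTL_RAW.CAST_TO_RAW(SUBSTR(l_txt, i, 1)));
    END LOOP;
    -- zero-pad to a multiple of 8 bytes (16 hex digits)
    WHILE MOD(LENGTH(l_hex), 16) <> 0 LOOP
      l_hex := l_hex || '00';
    END LOOP;
    l_raw := HEXTORAW(l_hex);
    l_enc := DBMS_CRYPTO.ENCRYPT(l_raw, l_mode, l_key, l_iv);
    l_key := UTL_RAW.SUBSTR(l_enc, UTL_RAW.LENGTH(l_enc) - 7, 8);
    l_enc := DBMS_CRYPTO.ENCRYPT(l_raw, l_mode, l_key, l_iv);
    RETURN RAWTOHEX(UTL_RAW.SUBSTR(l_enc, UTL_RAW.LENGTH(l_enc) - 7, 8));
  END ora_hash;
BEGIN
  -- type# = 1 selects users (roles are type# = 0); only 16-hex-digit DES
  -- hashes are compared, so EXTERNAL/GLOBAL and empty entries are skipped
  FOR r IN (SELECT name, password
              FROM sys.user$
             WHERE type# = 1
               AND LENGTH(password) = 16) LOOP
    IF ora_hash(r.name, r.name) = r.password THEN
      DBMS_OUTPUT.PUT_LINE(r.name || ' : password equals username');
    END IF;
  END LOOP;
END;
/
```

A default-password or dictionary check is the same loop with the candidate list swapped in for r.name; the well-known SCOTT/TIGER pair, shown cracked as a default above, hashes to F894844C34402B67 and is a convenient sanity check for the function.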

The release code will include more account analysis.

Then the idea is to output the relevant input for woraauthbf. The key aim of this script is to allow people to easily check their databases for the worst sins that can be committed with passwords, i.e. very simple passwords. I am starting to see a number of sites cracking the passwords of their databases in an attempt to strengthen them. This SQL*Plus script will make that process much easier.

The speed is not bad, between 13,000 and 16,000 hashes per second. It is not the 1.2 million hashes per second of woraauthbf, BUT remember that I am testing on a laptop, and this code will actually run on your production database server, which is not as easy to do with a binary-based approach. Also, it is not intended to replace woraauthbf; it is an attempt to get people to test the basics more easily.

If anyone would like this script then I will release the code next week after I have tidied it up and added some extra bits I want to add. So please watch out for a post next week with the code in it.

There have been 3 comments posted on this article


September 22nd, 2008 at 06:35 pm

Pete Finnigan says:

This looks like a cool program. Any updates on when you will be posting it?

cracker-v2.0.sql

Thanks



September 29th, 2008 at 12:39 pm

Pete Finnigan says:

Hi Pete
add me to the list (of people who are interested).
Thanks



September 30th, 2008 at 06:23 am

Pete Finnigan says:

Hi Pete,

I am also interested in this program.

Thank you,
Rama Nalam