Using an offline Oracle password cracker

As we have mentioned and emphasized before, you should perform security assessments against your databases regularly. Password crackers are the best tools for checking the real strength of your passwords. These tools are also used by attackers to crack passwords. If you can crack a password, then there is a 100 percent probability that an attacker can do the same. In recent years, some very fast Oracle password crackers have been developed. In this recipe we will use one of the fastest, an Oracle password-cracker tool developed by Laszlo Toth called woraauthbf.

This tool can be downloaded from Laszlo's personal page, http://soonerorlater.hu (for a description of the tool and its download link, go to http://soonerorlater.hu/index.khtml?article_id=513). It can crack passwords using hash, dictionary, and brute-force methods.

In this recipe we will connect to the HACKDB database, and we will collect the password hashes in a file that will be used as the input for woraauthbf.

Getting ready

All the steps will be performed on the database HACKDB.

How to do it...

Woraauthbf works only on Windows, hence for this recipe you need to establish a connection using an Oracle client installed on a Windows machine.

  1. Connect to the HACKDB database as the user system, and spool the password hashes to a file by issuing the following statements:
    SQL> set linesize 500
    SQL> set head off
    SQL> set feedback off
    SQL> set trimspool on
    SQL> set pagesize 0
    SQL> spool d:\passwordhashes\password_hash.txt
    SQL> select u.name||':'||u.password||':'||substr(u.spare4,3,63)||':'||d.name||':'||
      2  sys_context('USERENV','SERVER_HOST')||':' from sys.user$ u, sys.V_$DATABASE d where u.type#=1 and u.name in ('SYSTEM','DBSNMP');
    
    SYSTEM:8877FF8306EF558B:859F89EF23ED553DB0CED949EFD079D06B642C509B4F21160668E5B27863:HACKDB:nodeorcl1:
    DBSNMP:E066D214D5421CCC:0E06646DEF3977BF5737A81BE52E45061EDD9C9B7102965C8E73FB83BBA4:HACKDB:nodeorcl1:
    SQL> spool off
    
  2. Start woraauthbf in dictionary cracking mode (-d switch), with the password_hash.txt file as the input. All weak passwords are cracked in under a second, as shown:
    D:\woraauthbf_0.22R2>woraauthbf.exe -p d:\passwordhashes\password_hash.txt -d default.txt
    Usernames will be permuted!
    The number of processors: 2
    Number of pwds to check: 487
    Number of pwds to check by thread: 243
    Password file: d:\passwordhashes\password_hash.txt, dictionary file: default.txt, type: hash
    Start: 1 End: 243
    Password found: DBSNMP:DBSNMP:0E06646DEF3977BF5737A81BE52E45061EDD9C9B7102965C8E73FB83BBA4:HACKDB
    Start: 244 End: 487
    Password found: SYSTEM:SYS:859F89EF23ED553DB0CED949EFD079D06B642C509B4F21160668E5B27863:HACKDB
    Start array thread with 490 number of passwords!
    Elpased time: 0s
    Checked passwords: 795
    
    D:\woraauthbf_0.22R2>
    
  3. To use the brute-force mode, execute the following command:
    D:\woraauthbf_0.22R2>woraauthbf.exe -p d:\passwordhashes\password_hash.txt -c all -m 6
    Usernames will be permuted!
    The number of processors: 2
    Number of pwds to check: 100343116692
    Number of pwds to check by thread: 50171558346
    Password file: d:\passwordhashes\password_hash.txt, charset: all, maximum length: 6, type: hash
    Start: 50171558346 End: 100343116692
    Start: 0 End: 50171558346
    Start array thread with 490 number of passwords!
    Password found: DBSNMP:DBSNMP:0E06646DEF3977BF5737A81BE52E45061EDD9C9B7102965C8E73FB83BBA4:HACKDB
    Password found: SYSTEM:SYS:859F89EF23ED553DB0CED949EFD079D06B642C509B4F21160668E5B27863:HACKDB
    Elpased time: 0s
    Checked passwords: 6484
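
The assessment is only useful once the findings are turned into account fixes. The following Python script is an added example, not part of the original recipe or of woraauthbf: it reads the spool file and the cracker's "Password found:" lines and lists the accounts to remediate without echoing any recovered password. The sample data is constructed, the function names and report wording are assumptions, and the 16-hex field is taken to be the legacy case-insensitive 10g hash.

```python
import re

# Constructed sample data in the two layouts shown in the recipe; all values are made up.
SPOOL = """\
APPUSER:1111111111111111:{h1}:TESTDB:dbhost1:
REPORTS:2222222222222222:{h2}:TESTDB:dbhost1:
BATCH::{h3}:TESTDB:dbhost1:
""".format(h1="A" * 60, h2="B" * 60, h3="C" * 60)
CRACKER_LOG = """\
Number of pwds to check: 487
Password found: APPUSER:APPUSER:{h1}:TESTDB
Password found: REPORTS:WELCOME1:{h2}:TESTDB
Elpased time: 0s
""".format(h1="A" * 60, h2="B" * 60)

# name : 16-hex legacy hash (may be empty) : 60-hex 11g verifier (may be empty) : db : host :
SPOOL_RE = re.compile(r"^([^:]+):([0-9A-F]{16})?:([0-9A-F]{60})?:([^:]+):([^:]*):$")
FOUND_RE = re.compile(r"^Password found: ([^:]+):(.*):[0-9A-F]+:[^:]+$")

def parse_spool(text):
    """Map account name -> which verifiers the spool file holds for it."""
    accounts = {}
    for line in text.splitlines():
        m = SPOOL_RE.match(line.strip())
        if m:
            accounts[m.group(1)] = {"legacy_10g": bool(m.group(2)), "sha1_11g": bool(m.group(3))}
    return accounts

def parse_found(text):
    """Map account name -> recovered password from 'Password found:' lines."""
    return {m.group(1): m.group(2) for m in map(FOUND_RE.match, text.splitlines()) if m}

def remediation_report(spool_text, log_text):
    """Return {account: [findings]}; the recovered password itself is never included."""
    found = parse_found(log_text)
    report = {}
    for name, kinds in parse_spool(spool_text).items():
        findings = []
        if name in found:
            findings.append("password recovered by cracker: reset and expire")
            if found[name].upper() == name.upper():
                findings.append("password equals username")
        if kinds["legacy_10g"]:
            findings.append("case-insensitive 10g hash still stored")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for account, findings in remediation_report(SPOOL, CRACKER_LOG).items():
        print(account, "->", "; ".join(findings))
```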
    

How it works...

To understand the internals of Oracle authentication mechanisms and how the passwords are encrypted and hashed, I recommend a research paper written by Laszlo Toth, found at http://soonerorlater.hu/index.khtml?article_id=512.

There's more...

Another interesting and fast password cracker is checkpwd. (Its description and download link are available at http://www.red-database-security.com/software/checkpwd.html.)
