
Re: Funny sort of question re sys password

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Wed, 10 Mar 2004 11:18:03 +0000
Message-ID: <OBfj4rArlvTABx6M@peterfinnigan.demon.co.uk>


Hi Nuno,

Oracle do not make the encryption algorithm public, but there is enough info in their own documents to know it is a modified DES encryption algorithm. DES has been cracked, so it is possible, I suppose, but not practical. Using a password cracker is the only other possibility; there are a couple of free PL/SQL based ones out there that use "alter user" to change the password and compare against the hash in sys.user$. There are links to both on my tools page http://www.petefinnigan.com/tools.htm - these are toys really compared to a real cracker like John the Ripper or L0pht. If the password is still the default then it is also easy to crack. Brute forcing using a PL/SQL based password cracker would be useless unless you (he) were lucky.

I guess he is not talking about breaking the encryption or using a brute force or dictionary attack. He most probably is talking about being able to simply change the password of SYS. There are many, many ways that would allow this that I can think of. Most depend on what your current set up is and whether you have blocked these avenues off. There are also issues of password leakage, vulnerabilities...

If you look at my site http://www.petefinnigan.com/orasec.htm there are two checklists on there: one is the SANS S.C.O.R.E document, which is a big checklist of Oracle security items to look at, and the other is the CIS Oracle benchmark, which is based very closely on the SANS work.

Your Sun guy is easy though, he is just connecting as root and logging on as "/ as sysdba" - I guess.

Kind regards

Pete
--

Pete Finnigan
email: pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
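The avenue Pete describes at the end of the message (an OS account connecting with "/ as sysdba" and never needing the SYS password) is governed by two things on a Unix Oracle host: membership of the OSDBA group and whether sqlnet.ora permits OS authentication. The following audit script is an added example, not code from the post or from Pete Finnigan's tools page. It assumes the conventional OSDBA group name `dba` (the real name is chosen at install time) and the standard `/etc/group` and `sqlnet.ora` text formats; the sample inputs below are constructed, as is the `sunadmin` account.

```python
"""Audit the local OS-authentication route to SYSDBA.

Any OS account in the OSDBA group (conventionally `dba`) can run
`sqlplus / as sysdba` without knowing the SYS password, as long as
sqlnet.ora allows OS authentication; root can switch to any such account.
This script reports that exposure from /etc/group-style and sqlnet.ora-style
text. All sample data here is constructed for the example.
"""
import re

# Constructed /etc/group excerpt: three accounts are in the dba group.
SAMPLE_GROUP = """\
root:x:0:
oinstall:x:500:oracle
dba:x:501:oracle,jsmith,sunadmin
"""

# Constructed sqlnet.ora: OS authentication left enabled.
SAMPLE_SQLNET = """\
# constructed sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES = (ALL)
"""

# Constructed sqlnet.ora with OS authentication disabled.
HARDENED_SQLNET = "SQLNET.AUTHENTICATION_SERVICES = (NONE)\n"

SETTING_RE = re.compile(
    r"^SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(([^)]*)\)", re.IGNORECASE
)


def osdba_members(group_text, group_name="dba"):
    """Return the member list of `group_name` from /etc/group-formatted text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group_name:
            return [member for member in fields[3].split(",") if member]
    return []


def os_auth_allowed(sqlnet_text):
    """True unless sqlnet.ora sets SQLNET.AUTHENTICATION_SERVICES to (NONE).

    When the parameter is absent, OS authentication is permitted by default,
    so an empty or unrelated sqlnet.ora counts as allowed.
    """
    for raw in sqlnet_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        match = SETTING_RE.match(line)
        if match:
            values = [v.strip().upper() for v in match.group(1).split(",")]
            return values != ["NONE"]
    return True


def audit(group_text, sqlnet_text, group_name="dba"):
    """Combine both checks and return a dict with the findings."""
    members = osdba_members(group_text, group_name)
    allowed = os_auth_allowed(sqlnet_text)
    findings = []
    if allowed and members:
        findings.append(
            f"OS authentication is enabled and {len(members)} account(s) in group "
            f"'{group_name}' can connect '/ as sysdba' without the SYS password: "
            + ", ".join(members)
            + ". Root can become any of them, so review the group and consider "
            "SQLNET.AUTHENTICATION_SERVICES=(NONE) if OS authentication is not needed."
        )
    elif members and not allowed:
        findings.append(
            f"Group '{group_name}' has members but OS authentication is disabled; "
            "they still need the SYS password or a password file entry."
        )
    return {
        "osdba_members": members,
        "os_auth_allowed": allowed,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sqlnet in (("as found", SAMPLE_SQLNET), ("hardened", HARDENED_SQLNET)):
        report = audit(SAMPLE_GROUP, sqlnet)
        print(f"[{label}] os_auth_allowed={report['os_auth_allowed']}")
        for finding in report["findings"]:
            print("  -", finding)
```

On a real host you would read `/etc/group` and `$ORACLE_HOME/network/admin/sqlnet.ora` instead of the constructed strings. Disabling OS authentication also stops the DBA's own local "/ as sysdba" logins, so confirm a password file (orapwd) or another administrative path exists before changing the setting.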



Please see the official ORACLE-L FAQ: http://www.orafaq.com

To unsubscribe send email to: oracle-l-request_at_freelists.org put 'unsubscribe' in the subject line.
--

Archives are at http://www.freelists.org/archives/oracle-l/ FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
Received on Wed Mar 10 2004 - 05:23:01 CST
