Re: Pete Finnigan's Oracle database password checker
Date: Fri, 10 Oct 2008 12:13:14 +0200
The slow part of the plsql code is the Brute Force attack. That can hardly compete with real password crackers written in C(++). You can reduce the pain of doing a brute force attack by changing the line with
passlen:=4; -- need to restrict to 4 so that it takes around 35 secs
to
passlen:=2; -- need to restrict to 2 so that it takes around 1 sec
You can extend the dictionary list with your own words as pointed out by others.
For those not well versed in plsql (not many in this list I'd guess) here's
a small explanation of how the plsql code works:
From a list of cleartext passwords it generates the hash and compares that
with the oracle hash stored in the SYS.USER$ column. If the hash matches
then it means you found the clear text password. It's as simple as that. The
algorithm for calculating the oracle password hash has been known in the
public area for years. But now Pete implemented it in this plsql procedure.
That is the added value because now you can easily run the cracker as an
oracle database job.
You may also want to change the output it generates. Certain companies won't allow you to publish real passwords. This certainly applies to SOX databases. So instead of the password itself you might change the procedure so that it returns the string 'WEAK' or 'BAD' or similar.
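Added example, not part of the original message and not Pete Finnigan's code: a Python sketch of the compare-and-report loop described above, changed so the report carries only a 'WEAK' label and never the matched password. The names audit_accounts and standin_hash, the sample accounts and the word list are constructed for illustration, and standin_hash is a placeholder, not the Oracle password hash algorithm.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

# A hash routine takes (username, candidate) and returns a hex string.
HashFn = Callable[[str, str], str]


def standin_hash(username: str, password: str) -> str:
    """Placeholder hash (assumption). NOT the Oracle algorithm; plug in the
    database's own routine when auditing real hashes."""
    data = (username + password).upper().encode("utf-16-be")
    return hashlib.sha256(data).hexdigest().upper()


def audit_accounts(
    accounts: Dict[str, str],
    wordlist: Iterable[str],
    hash_fn: HashFn = standin_hash,
    label: str = "WEAK",
) -> List[Tuple[str, str]]:
    """Hash each dictionary word per account and compare with the stored hash.

    The result holds only (username, label) pairs. The matching word is
    discarded at once so it cannot leak into reports, logs or job output.
    """
    words = list(wordlist)
    report = []
    for username, stored in sorted(accounts.items()):
        stored = stored.upper()
        found = any(hash_fn(username, word) == stored for word in words)
        # "NOT FOUND" only means no dictionary word matched, not "strong".
        report.append((username, label if found else "NOT FOUND"))
    return report


# Constructed sample data: stored hashes as they might be read from the
# password column, built here with the placeholder hash.
SAMPLE_ACCOUNTS = {
    "SCOTT": standin_hash("SCOTT", "tiger"),
    "APPUSER": standin_hash("APPUSER", "k3!Vq-92_zLm"),
}
SAMPLE_WORDS = ["welcome1", "tiger", "password"]

if __name__ == "__main__":
    for user, status in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_WORDS):
        print(f"{user:<10} {status}")
```
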