Re: Pete Finnigan's Oracle database password checker

From: Yaping Chen <hangzhoumaster_at_gmail.com>
Date: Mon, 13 Oct 2008 21:51:42 +0800
Message-ID: <170d3ad90810130651l59d86f7et32037e474318bc6e@mail.gmail.com>


Hi,

I wrote it recently. I want to add more functions to it in the future.



@>alter user system identified by p1;
User altered.
@>select NAME,PASSWORD,SPARE4 from user$ where NAME='SYSTEM';
NAME      PASSWORD         SPARE4
--------- ---------------- --------------------------------------------------------------
SYSTEM    2E1168309B5B9B7A S:09043B9ABFA366DF41DD16DE6768FDC04C57EF1374E0B04DAC8616716074
[oracle_at_chen src]$ cat orapw11g.c
#include <openssl/sha.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#define SALT_LEN 10
#define HASH_LEN 20
/********************************************************
Function: Generate password hash value for Oracle 11g
Author: Yaping Chen
Email: yaping123_at_gmail.com
Revised: Yaping Chen, 2008/10
Comment: Compiled with gcc 3.2.3 on RHEL 4
Reference: http://www.petefinnigan.com/
*********************************************************/

int main(int argc, char *argv[])
{
  const char *pwd;                      /* clear-text password (argv[1]) */
  const char *saltraw;                  /* salt as 20 hex digits (argv[2]) */
  unsigned char saltstr[SALT_LEN + 1];  /* decoded salt, NUL-terminated for printing */
  unsigned char md[HASH_LEN];           /* SHA-1 digest */
  char hex[HASH_LEN * 2 + 1];           /* digest as upper-case hex string */
  unsigned char *data;                  /* password followed by salt */
  size_t pwdlen;
  unsigned int n;
  int i;

  if (argc != 3) {
     printf("Parameters invalid.\nUsage:\n%s pwd salt(hex)\n\n", argv[0]);
     return -1;
  }

  if (strlen(argv[2]) != SALT_LEN * 2) {
     printf("salt's length error, it must be %d in hex\n", SALT_LEN * 2);
     return -1;
  }

  pwd = argv[1];
  saltraw = argv[2];
  pwdlen = strlen(pwd);

  data = malloc(pwdlen + SALT_LEN);
  if (!data) {
     perror("malloc fail");
     return -1;
  }

  /* Decode the hex salt two digits at a time into raw bytes. */
  for (i = 0; i < SALT_LEN; i++) {
     if (sscanf(saltraw + i * 2, "%2X", &n) != 1) {
        printf("salt must contain only hex digits\n");
        free(data);
        return -1;
     }
     saltstr[i] = (unsigned char)n;
  }
  saltstr[SALT_LEN] = '\0';

  /* Hash the password followed by the raw salt bytes. */
  memcpy(data, pwd, pwdlen);
  memcpy(data + pwdlen, saltstr, SALT_LEN);
  SHA1(data, pwdlen + SALT_LEN, md);
  printf("pwd:%s,\tsaltraw:%s,\tsaltstr:%s,\tsha1 value:\n", pwd, saltraw, (char *)saltstr);

  /* Print the digest as 40 upper-case hex digits. */
  for (i = 0; i < HASH_LEN; i++)
     sprintf(hex + i * 2, "%02X", md[i]);
  printf("%s\n\n", hex);

  free(data);
  return 0;
}
[oracle_at_chen src]$ gcc orapw11g.c -lssl -o orapw11g
[oracle_at_chen src]$
[oracle_at_chen src]$
[oracle_at_chen src]$ ./orapw11g p1 74E0B04DAC8616716074
pwd:p1, saltraw:74E0B04DAC8616716074, saltstr:tà°M¬†q`t, sha1 value:
09043B9ABFA366DF41DD16DE6768FDC04C57EF13
[oracle_at_chen src]$

2008/10/13 Pete Finnigan <pete_at_petefinnigan.com>

> Hi Ray,
>
> It means that none of your passwords are weak (Importantly though: only
> to the rules of the PL/SQL cracker, i.e. username=password, dictionary
> word, default password and password <= 4 characters are checked though,
> you need to use a stronger cracker written in C to test longer passwords
> and huge dictionaries). The one result you got is for a default role and
> the password is global so it's not weak.
>
> cheers
>
> Pete
>
> Ray Stell wrote:
> > On Tue, Oct 07, 2008 at 02:41:19PM +0200, Andre van Winssen wrote:
> >> Pete Finnigan released v2 of his oracle database password checker written in
> >> plsql.
> >
> >
> > ran for four hours on an old, slowaris devel machine.
> >
> > It reports the following.
> >
> > T Username             Password               CR FL STA
> > =======================================================
> > R "GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL}      ] GE CR OP
> >
> > GE for GLOBAL/EXTERNAL
> > CR for cracked passwords
> > OP means Open
> >
> > what are the implications of this.  I don't know if I
> > should alter the role or not.
> > --
> > http://www.freelists.org/webpage/oracle-l
> >
> >
> >
>
> --
>
> Pete Finnigan
> Principal Consultant
> PeteFinnigan.com Limited
>
> Registered in England and Wales
> Company No: 4664901
>
> Specialists in database security.
>
> If you need help to audit or secure an Oracle database, please ask for
> details of our courses and consulting services
>
> Phone: 0044 (0)1904 791188
> Fax  : 0044 (0)1904 791188
> Mob  : 0044 (0)7742 114223
> email: pete_at_petefinnigan.com
> site : http://www.petefinnigan.com
>


-- 
Regards,
Yaping Chen

http://yaping123.wordpress.com
Received on Mon Oct 13 2008 - 08:51:42 CDT
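
Added example (not part of the original message, and not code from Pete Finnigan's checker): a small audit helper that splits a SPARE4 value into digest and salt, as the session above does by hand, and tests each account against three of the rules named in the quoted reply (username=password, default password, dictionary word). The account names other than SYSTEM, the default list, the word list and all function names are constructed for illustration.

```python
import hashlib
import hmac

# SYSTEM's SPARE4 from the session in this message (password was set to p1).
PAGE_SPARE4 = "S:09043B9ABFA366DF41DD16DE6768FDC04C57EF1374E0B04DAC8616716074"

def split_spare4(spare4):
    """Split 'S:<40 hex digest><20 hex salt>' into (digest, salt) bytes."""
    raw = bytes.fromhex(spare4[2:]) if spare4.startswith("S:") else b""
    if len(raw) != 30:
        raise ValueError("expected S: + 40 hex digest digits + 20 hex salt digits")
    return raw[:20], raw[20:]

def make_spare4(password, salt):
    """Build a verifier for constructed test accounts: SHA1(password || salt), then salt."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "S:" + (digest + salt).hex().upper()

def matches(password, spare4):
    """True if SHA1(password || salt) equals the stored digest."""
    digest, salt = split_spare4(spare4)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def audit(rows, defaults, dictionary):
    """rows: (username, spare4) pairs. Returns {username: rule that matched}."""
    findings = {}
    for user, spare4 in rows:
        if not spare4 or not spare4.startswith("S:"):
            continue  # nothing to test without an S: verifier
        # The verifier is computed over the exact bytes, so try both cases of the name.
        rules = [("username=password", [user.lower(), user.upper()]),
                 ("default password", defaults.get(user.upper(), [])),
                 ("dictionary word", dictionary)]
        for rule, candidates in rules:
            if any(matches(c, spare4) for c in candidates):
                findings[user] = rule
                break
    return findings

# Constructed sample data (only PAGE_SPARE4 comes from the page).
SAMPLE_ROWS = [("SYSTEM", PAGE_SPARE4),
               ("APPUSER", make_spare4("appuser", bytes(range(10)))),
               ("BATCH", make_spare4("Xk9!vR2#qLm7", bytes(range(10, 20)))),
               ("SOME_ROLE", None)]
SAMPLE_DEFAULTS = {"SYSTEM": ["manager"]}
SAMPLE_DICTIONARY = ["welcome", "p1"]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS, SAMPLE_DEFAULTS, SAMPLE_DICTIONARY))
```

Accounts that appear in the result need a password change; an account missing from it has only passed these three rules, which says nothing about longer passwords or larger word lists.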
