Oracle FAQ Your Portal to the Oracle Knowledge Grid
Home -> Community -> Usenet -> c.d.o.server -> Re: cracking Oracle passwds

Re: cracking Oracle passwds

From: Adrian J. Shepherd <theshepherds_at_hotmail.com>
Date: 2000/03/09
Message-ID: <4sTx4.66552$O5.317259@stones>#1/1

Long long ago on V6 I loaded a dictionary text file into a table, altered the user system's password to each word, and stored the encrypted value back into another column of the table and fetched the next word in a long loop, much faster than trying to use brute force. The results were 70000 words with their encrypted password equivalent in a very short space of time. It could guess any word in the dictionary if it was used as a password for the SYSTEM account. I worked on this using PL/SQL to generate a HUGE table with all possible values using 1-10 and A-Z. I had to limit processing to passwords less than 8 characters as the disk space demand was exponential; you would need 200TB to store all possibilities of passwords less than 16 characters, and about 2-3 years processing power of the latest Intel. However, it can be done faster and less resourceful on MF class systems. If I had the disk space, this project would have been on the web by now as a service to locked out DBAs.

It appears that the encrypted values for a specific password for a specific user are the same across all platforms but encrypted passwords of the same word across differing usernames differ. Oracle doesn't like passwords starting with numbers so this cut down drastically on the CPU time. There is even some shareware on the net that lets you specify the quality of the password (length, numerics/special chars etc.) and given the length it will write a standard text file with all combinations. SQL*Loader really loves this kind of file and I sidetracked for a whole two weeks super-fine tuning block size, pctfree, pctused, buffers and just about everything a DBA could to speed up load times. I was stunned at how quick a measly P200 could load 1.2M records.

Unless Oracle changes the visibility of the encrypted password, the above method could be available within a couple of months if some behind the scenes groups were to take the challenge on. I had an idea for a while of putting my encryption cracker onto the web to test its perceived 100% success rate. Can't wait until I can get my hands on a few 100 GBs of cheap disk so that I could put a 10-12 character limited version up. I can only guess as to why Oracle makes this so easy...

This would make a fine experiment for a bored SETI group...

Only a matter of time before someone with select access on the underlying DBA_USERS table and web access starts to guess passwords of the SYS account and lock the DBA out... just the start of a nightmare methinks.

The only way to prevent this in the short to medium term is to insist that DBA passwords are 12-16 characters in length. The amount of space to crack those is prohibitive in the short to medium term.

"Greg Tupper" <gtupper_at_tupper.dhs.org> wrote in message news:IrEx4.11464$%85.101905_at_hnlnewsr1.hawaii.rr.com...
> The idea is for the oracle dba to use a 'crack' utility to expose guessable
> or lame passwords and inform the oracle user their password needs to be
> decent.
>
> I know crack does good work for unix sysadmin folks. Oracle should have a
> similar tool. In my searching of the oracle docs I have found none. I
> figured there may be other methods to apply.
>
> The method 2 is what I would like to try. Does oracle use the same hash
> algorithm as Unix to encrypt passwords? If not, what is the hashing
> algorithm they use? I would not be against putting some time into a perl to
> encrypt strings for comparison.
>
>
> GC wrote in message <38C6DE3F.C7E1CE04_at_hotmail.com>...
> >Steven Hauser wrote:
> >> 2> as sys get the encrypted string version of the password from
> >> dba_users, figure out the crypt calls from oracle
> >> start crypting and comparing to the encrypted string.
> >
> >If you have sys, there is no need to do this. There is already a command
> >that allows you to change a user's password, log in as the user, and
> >change it back to the original password when you are done.
> >
> >Cheers,
> >GC
>
>
Received on Thu Mar 09 2000 - 00:00:00 CST
