Breaking password on Oracle

This post may give you something to think about, and maybe you will change something in your databases. How easy do you think it is to get a user’s password, even that of the SYSTEM user? Answer: very easy.

Oracle stores passwords in the PASSWORD column of the SYS.USER$ table, using an algorithm that is a variation of standard MD5. The encryption algorithm is one-way, which means that you cannot recover the password by reversing the string stored in the PASSWORD column.

You can display the user name and the encrypted password with either of these queries:

SELECT NAME, PASSWORD FROM SYS.USER$;
SELECT USERNAME, PASSWORD FROM DBA_USERS;

Oracle has said that, to generate the encrypted value, it first converts the user name and the supplied password to uppercase, so the result is the same whether your password is “tiger”, “Tiger” or “TIGER”. A further process is then applied to the resulting string, but its details are not the important part for the issue at hand.

One of the design goals of the encryption algorithm was that different users with the same password must get different encrypted strings: “If different users have the same password, then the one-way hash value (encrypted value) for the passwords will be different.”

This is achieved in a very simple way: what is encrypted is not only the password but the concatenation of username + password, both previously converted to uppercase. This can be demonstrated as follows:

If we have a user ‘ARTURO’ with password ‘Secreto’, the string stored in the PASSWORD column is encrypted from ‘ARTURO’ + ‘SECRETO’.

If we have a user ‘ART’ with password ‘Urosecreto’, the string stored in the PASSWORD column is encrypted from ‘ART’ + ‘UROSECRETO’.

The following query confirms that the encrypted password is the same:

SQL> select username, password from dba_users where username LIKE 'ART%';
USERNAME                       PASSWORD
------------------------------ ----------------
ARTURO                         621V3E7638423350
ART                            621V3E7638423350

This way of encrypting the password also means that the encrypted password of user ‘SCOTT’ with password ‘TIGER’ is ‘F894844C34402B67’ in every Oracle installation in the world.
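The properties described above (the lost user/password boundary, case folding, and identical values on every installation) can be reproduced with a small added example that is not part of the original post. It uses MD5 purely as a stand-in rather than Oracle's actual algorithm, and `hardened_hash` is a hypothetical contrast design, not an Oracle feature.

```python
import hashlib

def legacy_style_hash(username: str, password: str) -> str:
    """Scheme as described in the post: uppercase both values, join them with
    no separator, hash the result. MD5 is a stand-in here, NOT Oracle's
    actual algorithm, so the digests will not match a real PASSWORD column."""
    material = (username.upper() + password.upper()).encode("utf-8")
    return hashlib.md5(material).hexdigest()[:16].upper()

def hardened_hash(username: str, password: str, salt: bytes) -> str:
    """Contrast (assumed design, not an Oracle feature): length-prefixed user
    name, case preserved, per-account salt, slow key derivation."""
    user = username.encode("utf-8")
    material = len(user).to_bytes(2, "big") + user + password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000).hex()

def compare_schemes() -> dict:
    # Constructed salts so the run is repeatable; use os.urandom(16) per account.
    salt_a, salt_b = bytes(range(16)), bytes(range(16, 32))
    return {
        # ARTURO+SECRETO and ART+UROSECRETO are the same string.
        "legacy_boundary_collision":
            legacy_style_hash("ARTURO", "Secreto") == legacy_style_hash("ART", "Urosecreto"),
        # Case is discarded before hashing.
        "legacy_ignores_case":
            legacy_style_hash("SCOTT", "tiger") == legacy_style_hash("SCOTT", "TIGER"),
        # The length prefix keeps the user/password boundary, even with one salt.
        "hardened_boundary_collision":
            hardened_hash("ARTURO", "Secreto", salt_a) == hardened_hash("ART", "Urosecreto", salt_a),
        "hardened_ignores_case":
            hardened_hash("SCOTT", "tiger", salt_a) == hardened_hash("SCOTT", "TIGER", salt_a),
        # A different salt gives the same credentials a different stored value.
        "hardened_same_everywhere":
            hardened_hash("SCOTT", "TIGER", salt_a) == hardened_hash("SCOTT", "TIGER", salt_b),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```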

As I said, the algorithm is one-way, so forget about trying to decipher the password. But with what we have just seen, and knowing that there are programs that can encrypt strings using the modified MD5 algorithm used by Oracle, we see that having only the user name and the string in the PASSWORD column it is possible to obtain the password by comparison, using brute force or a dictionary attack.

A practical example of how to break the password

The utility I found to “break” Oracle passwords is called orabf.exe; you can download it and its manual directly from here:

http://static.natalian.org/2005-11-27/orabf-v0.7.4.zip 

The first test is made with the user SCOTT, although it proves little, because the tool checks the default passwords before starting:

C:\> orabf.exe F894844C34402B67:SCOTT -c 3
orabf v0.7.5, (C) 2005 orm (at) toolcrypt.org
---------------------------------------
Trying default passwords …
password found: SCOTT:TIGER

In this second test, user SCOTT has another password:

orabf.exe 225E25B9A5319105:SCOTT -c 3
orabf v0.7.5, (C) 2005 orm (at) toolcrypt.org
---------------------------------------
Trying default passwords … done

Starting brute force using session charset:
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
press 'q' to quit. any other key to see status
password found: SCOTT:TIGER
51297999 passwords tried. elapsed time 00:00:44. p/s: 1153610

Easy to crack a password, no? But now…

How to protect the database?

1 – If no one has access to SYS.USER$ or DBA_USERS, no one can check the hash values. This is not always possible: users working in development databases may have the role “select any dictionary”. So never use the same password for admin users of databases in different environments (development, integration, preproduction, production).

2 – Do not use simple, easy passwords like “pacifier”, “temporary”, “madrid”, etc., as they are more vulnerable to dictionary attacks.

3 – Always use very long passwords, mix upper/lowercase letters and numbers, and change them frequently. We saw in the test above that a brute-force attack checks about 1 million passwords per second. This means it would take less than a week to try all combinations for a password of 8 characters, and a few hours if, for example, a cluster of 10 nodes is used.

4 – Do not repeat passwords.

In summary, the prevention is a basic security policy of setting good passwords. To all this I would add just one thing: having found this weakness does not make Oracle worse than any other database. As you have seen, with a little additional effort in administration it will not be a problem.
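Because the stored value depends only on user name + password, an administrator can check recommendations 1 and 4 by comparing hashes, without knowing any password. The following audit is an added example, not part of the original post: it runs over constructed exports of USERNAME and PASSWORD, the environment names and the SYSTEM and APP values are made up, and the SCOTT, ARTURO and ART values are the ones quoted above.

```python
from collections import defaultdict

# SCOTT/TIGER hash as quoted in the post: the same on every installation.
KNOWN_DEFAULT_HASHES = {("SCOTT", "F894844C34402B67"): "default SCOTT/TIGER"}

# Constructed sample exports of USERNAME, PASSWORD per environment.
EXPORTS = {
    "development": [("SYSTEM", "1111111111111111"), ("SCOTT", "F894844C34402B67"),
                    ("ARTURO", "621V3E7638423350"), ("ART", "621V3E7638423350")],
    "production":  [("SYSTEM", "1111111111111111"), ("SCOTT", "225E25B9A5319105"),
                    ("APP", "2222222222222222")],
}

def default_accounts(exports):
    """Accounts whose (user, hash) pair matches a published default."""
    return sorted((env, user, KNOWN_DEFAULT_HASHES[(user, h)])
                  for env, rows in exports.items()
                  for user, h in rows if (user, h) in KNOWN_DEFAULT_HASHES)

def reused_across_environments(exports):
    """Same user and same hash in several environments means the same
    password, because the hash depends only on user name + password."""
    seen = defaultdict(set)
    for env, rows in exports.items():
        for user, h in rows:
            seen[(user, h)].add(env)
    return {user: sorted(envs) for (user, _), envs in seen.items() if len(envs) > 1}

def shared_hashes(exports):
    """Different accounts with one hash inside an environment (the ARTURO/ART case)."""
    found = []
    for env, rows in exports.items():
        by_hash = defaultdict(list)
        for user, h in rows:
            by_hash[h].append(user)
        found += [(env, sorted(users)) for users in by_hash.values() if len(users) > 1]
    return found

if __name__ == "__main__":
    print("default credentials:", default_accounts(EXPORTS))
    print("reused across environments:", reused_across_environments(EXPORTS))
    print("accounts sharing a hash:", shared_hashes(EXPORTS))
```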
