Crack Oracle Password Example

Brute Force One of hacking way used application programs to decode encrypted data such as passwords or Data Encryption Just as a criminal might break into, or “crack” a safe by trying many possible combinations, a brute force cracking application proceeds through all possible combinations of legal characters in sequence. Brute force is considered to be an infallible, although time-consuming, approach.

To help prevent dictionary brute-force attacks many systems will only allow a user to make a mistake in entering their username or password three or four times. If the user exceeds these attempts, the system will either lock them out of the system or prevent any future attempts for a set amount of time.

Today i will provide example how to crack oracle password using Tools called orabf  please remember it’s only example and there’s million tools can do the same i will mention it later in this Topics and work on them in another thread.

Orabf is an extremely fast offline brute force/dictionary attack tool that can be used when the particular username and hash are known for an Oracle account.  Obviously the speed of the brute force attack slows down the longer the amount of characters that it is trying to brute force with but for short username/hash combinations it can be over a million tries per second. 

and you can visit the website here.

Check the below example :

set head off
set feed off
set verify off
Spool Hacker.lis
select password||’:’||username from dba_users
Spool off ;

Output sample for the file look like :

PASSWORD||’:’||USERNAME
————————————————————-
2D594E86F93B17A1:SYSTEM
8A8F025737A9097A:SYS
4F538DF5F344F348:MGMT_VIEW
FFF45BB2C0C327EC:DBSNMP
2CA614501F09FCCC:SYSMAN
BCD8F9C79618E694:MARIA
C43474F068EDB100:MARK
FB129C4425FBCF2E:TEST
224D9FB5D377B8E1:JENNIFER
6399F3B38EDF3288:HR
F894844C34402B67:SCOTT

if you have any tag on the column remove them and save the file again since Orabf  don’t read these tags

Because i am using version 0.7.5 the command should be like :

orabfscript hacker.lis -c default.txt

Remember Default.txt is the file already exist in the software and output append inside this file.

Small trick !!! i will provide another example using another software such as :

  • Repscan 
  • Checkpwd 
  • John The Ripper
  •  bfora

Thank you
Osama Mustafa

Step By Step Install Database Vault 11g

I talked before about how to install Oracle Database Vault 10g But now i will talk about 11g and how to install it ?

in database 11g database vault installation become more easier, all you have to do is check the box to install that option and even if you forgot that you can install it later by run script

the below is screen shot for the installation for database 11g , the idea is to see where to choose Database Vault features:

If you check the below screen you see that in “Select Option” you can choose Database Vault and while installation is running it will be installed :

the installation will remain in normal procedure , If you want to check it’s installed or not you can go with v$option : 

SQL> select * from v$option where parameter =’Oracle Database Vault’;
PARAMETER                                                        VALUE
——————————- ——————————–
Oracle Database Vault                                            FALSE

to enable database vault make sure database , dbconsole and listener are shutdown:

[oracle@prim u01]$ cd /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/
[oracle@prim lib]$ make -f ins_rdbms.mk dv_on lbac_on ioracle

SQL> select * from v$option where parameter =’Oracle Database Vault’;
PARAMETER                                                        VALUE
—————————————————————-
Oracle Database Vault                                            TRUE

Please notice that i use Redhat in windows you need to rename some files read Oracle Documentation.
To disable Database Vault the same thing but :

cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_off
cd $ORACLE_HOME/bin
relink all

thank you 
Osama mustafa 

Step By Step Install Database Vault On 10g

Oracle Database Vault restricts access to specific areas in an Oracle database from any user, including users who have administrative access. For example, you can restrict administrative access to employee salaries, customer medical records, or other sensitive information.
You configure Oracle Database Vault to manage the security of an individual Oracle Database instance. You can install Oracle Database Vault on standalone Oracle Database installations, in multiple Oracle homes, and in Oracle Real Application Clusters (Oracle RAC) environments.
Today i will provide step by step how to install Database Vault on Oracle Database 10g, Notice to install it you should upgrade your database at least to 10.2.0.3 to avoid any errors.
Database Vault is very useful to protect your data from users such as DBA who has access to all tables , But the questions is who is control database vault ?
Usually there are two users to control it , Database vault owner this user is granted the DV_Owner role and can manage database role and configurations, the username must be minimum 2 and maximum 30 character , the password for this user should be complex.
another user called : Database Vault manager which is granted DV_ACCTMGR role, and used to manage database user account , this user is created to facilitate separation duties which mean while you install you can only create one user do all this jobs , the username should be minimum 2/maximum 30 character and the password is complex .
The below is screen-shot for installing Database Vault (Notice Database and Listener should be shutdown) :


Thank you 
Osama Mustafa


Oracle Security Case Study

Does your security procedure protect your data?

In most of the companies , there is access to Email Systems, Intranet , networks and internet , most of these user are using the application that connected to Database ( assume that it’s Oracle Database).

By Creating Security Procedure to protect database and what this database contain you create hard environment to deal with  since the three compentents are availability,  integrity and secuirty which mean if you increase the security then integrity will not be on the same level and so on,The Oracle database has several layers of security and provides auditing functionality at each level. most of then mention in Oracle Security Section website.

  • Password management : One of the basic steps to Enforce user to follow the rules such as : password expiration, limit password reuse, limit the number of failed logon attempts, force password complexity, lock and expire database accounts
  •     Database Auditing to monitor user activity.
  •     Fine Grained Auditing to define specific conditions necessary for an audit record to be generated, resulting in a more meaningful audit trail
  •     Database Resource Manager to set resource limits and quotas on the amount of various system resources available to users
  •     Roles to manage object privileges
  •      Oracle Label Security for more sophisticated row level security
  •     Data Encryption to provide an additional layer of protection
Which Kind Of Security Plan you follow , Do you think the Basic Steps to Secure Database will be enough or should someone enable auditing , install database firewall …. when you answer consider that more security means it will be hard to deal with application and environment.
tell me your case about the security ? what you think ?
Thank you 
Osama mustafa  

 

Install/Deinstall Oracle Lable Secuirty

Oracle provide you with amazing tools to secure your data, and make sure no one will access to it. One of this amazing tools is Oracle label security (OLS) allows access control down to individual rows based on attached labels. Similar functionality can be reproduced using Fine Grained Access Control (FGAC) but OLS provides an out-of-the-box solution to row-level security. In this article I’ll present a simple example of the configuration of OLS.

To understand OLS you could read oracle documentation about it, OLS has two parts One binary which installed through Oracle Universal Installer (OUI) and to know if you have been install it you can check log in information to sqlplus  banner

Oracle Label Security  ….

All this in the 11g become more easier since you can install all features while you choose enterprise edition and use chopt to enable and disable :

chopt enable lbac
chopt disable lbac

 talking about second part which can be installed via PL/SQL packages,all this can be installed thru catols.sql
and you can use this way in 10g or 11g, and to de-install the OLS you can use the catnools.sql. but just as information oracle recommend that to install OLS you need to use DBCA.

if you decide to goes thru manual way its better to read MOS notes since you need to apply some patches to complete the installation.

Install
sqlplus / as sysdba
SQL> @?/rdbms/admin/catols.sql

 Deinstall
sqlplus / as sysdba
SQL> @?/rdbms/admin/catnools.sql

Just as note : If you install OLS while installation AUD$ table dropped from SYS schema and recreated on SYSTEM to be –> SYSTEM.AUD$

And Once you remove OLS its recreated again on SYS.AUD$

Thank you
Osama Mustafa

Oracle Password Security

As Certified Ethical hacker and Penetration  Testing Always people Asked me about if the Oracle Password can be Cracked or not ? You need to know that if the hacker want to get into your database and he will all you can do is make it harder for him , so don’t choose Easy password to crack

I post these topics not to use it in wrong way , No as DBA you need to know about Securing you database
and How to make it unbreakable.

For example check the below tools that used to crack Oracle Password

And Others Tools Found for free On Internet , for example Red database security (which is amazing company and website provide you with article/topics about oracle security ) provide some of these tools for free.

Thank you
Osama Mustafa

Oracle security Function for password changing

Check this function that is used for changing user password , you need to watch out from functions like that i post this function as an example

FUNCTION CHGPWD (
P_USER VARCHAR2,
P_PWD VARCHAR2)
RETURN BOOLEAN IS
L_STMT VARCHAR2(255);
BEGIN
L_STMT:= ‘ALTER USER “‘ || P_USER || ‘” IDENTIFIED BY “‘ || P_PWD||’”‘;
EXECUTE IMMEDIATE L_STMT;
RETURN TRUE;
END;

Thank you

I will Post More and More Topics about Oracle security