Red-Database-Security GmbH specializes in Oracle security.
Oracle Password Checker (Cracker)

Checkpwd 1.23 is one of the fastest (see Benchmark) dictionary-based password checkers for Oracle databases. It is a useful tool for DBAs to identify Oracle accounts with weak or default passwords. Version 1.23 is also available in a variant that only shows that a password is weak, but not the password itself. Checkpwd reads the password hashes from the view dba_users and compares them with the hashes calculated from a dictionary file.

Details about Oracle (database) passwords are available in the Fact Sheet about Oracle database passwords.

Downloads

* Checkpwd 1.23 (for Windows) + default passwords + libraries + wordlist with 1.5 million words + Oracle Instant Client 10.2 (35 MB, MD5SUM: d41737cca1b07d66bd134c53989fa1b5 *oracle_checkpwd_big.zip)
* Checkpwd 1.23 (for Windows) + default passwords + libraries (1.5 MB, MD5SUM: 17a00e28b9ff0e6bed45554b43f62b06 *oracle_checkpwd.zip)
* Checkpwd 1.23 - passwords not displayed - (for Windows) + default passwords + libraries (1.5 MB, MD5SUM: 6638b0c82dea7685b6e045c9f7136168 *oracle_checkpwd_nopw.zip)
* Checkpwd 1.23 (for Linux) + default passwords + Instant Client 10.2 (42 MB, MD5SUM: aa05f5e7c8a20ec1094e68143085c3a7 *oracle_checkpwd_linux.tar.gz)
* Checkpwd 1.23 - passwords not displayed - (for Linux) + default passwords + Instant Client 10.2 (42 MB, MD5SUM: b0f356a27f6089275637555fbe70445d *oracle_checkpwd_nopw_linux.tar.gz)
* Checkpwd 1.23 (for Mac OSX (PPC)) + default passwords + wordlist with 1.5 million words + Instant Client 10.1 (48 MB, MD5SUM: fe4608bf25915585adea5bf668ec6569 *oracle_checkpwd_mac_big.tar.gz)
* Checkpwd 1.23 (for Mac OSX (PPC)) + default passwords (without Instant Client) (56 KB, MD5SUM: 53bfaf05ba7375a576a55d30f4a44319 *oracle_checkpwd_mac.tar.gz)
* Checkpwd 1.23 - passwords not displayed - (for Mac OSX (PPC)) + default passwords (without Instant Client) (56 KB, MD5SUM: dc4a3c623224055de5a8bac0f076f7a6 *oracle_checkpwd_nopw_mac.tar.gz)
* Checkpwd 1.23 (for Mac OSX (Intel)) + default passwords + wordlist with 1.5 million words + Instant Client 10.1 (37 MB, MD5SUM: be18c958cf1a7af27c7825c9c78c3fa6 *oracle_checkpwd_mac_intel_big.zip)
* Checkpwd 1.23 (for Mac OSX (Intel)) + default passwords (without Instant Client) (68 KB, MD5SUM: f7d82902baea9df804e55b757c452aa3 *oracle_checkpwd_mac_intel.zip)
* Checkpwd 1.23 - passwords not displayed - (for Mac OSX (Intel)) + default passwords (without Instant Client) (68 KB, MD5SUM: edac226122e78c7690bef1b0e4780959 *oracle_checkpwd_nopw_mac_intel.zip)

Usage with Oracle database connect (requires Oracle client)

    C:\>checkpwd system/strongpw@//123.34.54.123:1521/ORCL password_list.txt
    Checkpwd 1.23 [Win] - (c) 2007 by Red-Database-Security GmbH
    Oracle Security Consulting, Security Audits & Security Training
    http://www.red-database-security.com

    initializing Oracle client library
    connecting to the database
    retrieving users and password hash values
    opening weak password list file
    reading weak passwords list
    checking passwords
    Starting 2 threads
    MDSYS has weak password MDSYS [EXPIRED & LOCKED]
    ORDSYS has weak password ORDSYS [EXPIRED & LOCKED]
    DUMMY123 has weak password DUMMY123 [OPEN]
    DBSNMP OK [OPEN]
    SCOTT has weak password TIGER [OPEN]
    CTXSYS has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    SH has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    OUTLN has weak password OUTLN [EXPIRED & LOCKED]
    DIP has weak password DIP [EXPIRED & LOCKED]
    DUMMY321 has weak password 123YMMUD [OPEN]
    [...]
    SYS OK [OPEN]
    SYSTEM OK [OPEN]

    Done.
    Summary:
    Passwords checked : 13900828
    Weak passwords found : 23
    Elapsed time (min:sec) : 0:54
    Passwords / second : 265486

Usage standalone (Oracle client software NOT required)

    c:\>checkpwd SCOTT:F894844C34402B67 default_passwords.txt
    Checkpwd 1.23 - (c) 2007 by Red-Database-Security GmbH
    Oracle Security Consulting, Security Audits & Security Training
    http://www.red-database-security.com

    opening weak password list file
    reading weak passwords list
    checking passwords
    Starting 1 thread
    SCOTT OK

    Done.
    Summary:
    Passwords checked : 1543900
    Weak passwords found : 0
    Elapsed time (min:sec) : 0:05
    Passwords / second : 320335

FAQ

Q: I'm getting the error message MSVCR80.dll not found.
A: This DLL was missing. Download Checkpwd 1.22 again.

Q: Where can I get an Oracle Client?
A: Checkpwd 1.23 no longer needs a separate Oracle client. The large ZIP file (36 MB) contains a complete Oracle (instant) client.

Q: What is the difference between the standalone and normal version?
A: The normal version requires installed Oracle client software because checkpwd can connect to the database. The standalone version is not able to connect to an Oracle database and can only check 1 hashkey.

Q: What Linux versions do you support?
A: Checkpwd 1.1 was tested on Backtrack, Red Hat Enterprise Server 3 and Red Hat Fedora Core release 4 (thanks to Paul van Maaren for testing).

Q: Is there a bigger dictionary file with permutations, e.g. Oracle, 0racle, Oracle1, Oracle2, ...?
A: You could use John the Ripper to create such a dictionary file (e.g. john.exe -wordfile:password_list.txt -stdout -rules > password_list_big.txt). The result is an 840 MB file.

Q: McAfee reports a threat PWCrack-Oracle. Is checkpwd dangerous or illegal?
A: No. McAfee flags checkpwd as a powerful and potentially unwanted program on the scanned computer. checkpwd does NOT contain dangerous or illegal code.
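To turn a connected-mode report like the one in the usage section into a remediation list, the following added example (not part of Checkpwd or of the original page) parses the report lines, ranks accounts that can still log in first, and records why each password is weak without repeating it. The sample report is constructed in the page's output format; the function names and the priority rule are assumptions of this example.

```python
import re

# Constructed sample in the format of the connected-mode report on this page.
SAMPLE_REPORT = """\
Starting 2 threads
MDSYS has weak password MDSYS [EXPIRED & LOCKED]
DUMMY123 has weak password DUMMY123 [OPEN]
DBSNMP OK [OPEN]
SCOTT has weak password TIGER [OPEN]
CTXSYS has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
DUMMY321 has weak password 123YMMUD [OPEN]
SYSTEM OK [OPEN]
Done.
"""

WEAK = re.compile(r"^(?P<user>\S+) has weak password (?P<pw>.+?) \[(?P<status>[^\]]+)\]$")
OK = re.compile(r"^(?P<user>\S+) OK(?: \[(?P<status>[^\]]+)\])?$")

def classify(user, password):
    """Say why the password is weak without repeating the password itself."""
    if password == user:
        return "same as username"
    if password == user[::-1]:
        return "username reversed"
    return "dictionary or default password"

def triage(report_text):
    """Return (findings, ok_accounts); findings never carry the cleartext password."""
    findings, ok_accounts = [], []
    for line in map(str.strip, report_text.splitlines()):
        if m := WEAK.match(line):
            findings.append({
                "user": m["user"],
                "status": m["status"],
                "reason": classify(m["user"], m["pw"]),
                # Assumed rule: a LOCKED account cannot log in until it is unlocked,
                # so accounts that can still log in are fixed first.
                "priority": "low" if "LOCKED" in m["status"] else "high",
            })
        elif m := OK.match(line):  # standalone mode prints "USER OK" with no status
            ok_accounts.append(m["user"])
    findings.sort(key=lambda f: (f["priority"] != "high", f["user"]))
    return findings, ok_accounts

if __name__ == "__main__":
    findings, ok_accounts = triage(SAMPLE_REPORT)
    for f in findings:
        print(f"{f['priority']:<5} {f['user']:<10} [{f['status']}] {f['reason']}")
    print(f"{len(ok_accounts)} account(s) passed the dictionary check")
```

Banner, progress and summary lines match neither pattern and are skipped, so the full tool output can be passed in unchanged.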
History

1.0 - Initial Version
1.1 - Smaller Changes
* Show Oracle Account Status (OPEN, EXPIRED, LOCKED)
* Check for weak password = username
* Linux Version (static, shared and standalone)
* Dictionary file can now contain \n or \r\n
* Dictionary converted to upper case
1.12 - Smaller Changes
* Support for Oracle Easy Connect
* Usage of the instant client (no separate client required)
1.12a - Smaller Changes
* Oracle CPU July 2006 files included into checkpwd_big
1.21 - Support for multithreading
* Checkpwd now supports multi-threading and is up to 2.5 times faster than 1.12
* Additional optimizations
1.22 - Optimization (up to 30% faster)
* OpenSSL optimized
* Dictionary Sort Order Optimized
* Oracle Instant Client Updated
1.23 - non-optimized OpenSSL library is now default again
* special nopw version
* available for Windows, Linux and Mac (PPC)

Old versions of checkpwd

* Checkpwd 1.21 (for Windows) + default passwords + libraries (804 KB, 54d649b4219cad597940a2c306892c2f *oracle_checkpwd.zip)
* Checkpwd 1.21 (for Windows) + default passwords + libraries + wordlist with 1.5 million words + Oracle Instant Client 10.2 (41 MB, MD5SUM: f11d44676b6fd87a068036cead64804f *oracle_checkpwd_big.zip)

License

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Check checkpwd.txt for the OpenSSL license.

© 2005-2009 by Red-Database-Security GmbH - last update 16-apr-2009