Oracle Password Checker (Cracker)

Checkpwd 1.23 (free)

Checkpwd 1.23 is one of the fastest (see Benchmark) dictionary-based password checkers for Oracle databases. It is a useful tool for DBAs to identify Oracle accounts with weak or default passwords.

Version 1.23 also comes in a variant that only reports that a password is weak, without showing the password itself.
Checkpwd reads the password hashes from the view dba_users and compares them with the hashkeys calculated from the entries of a dictionary file. Details about Oracle (database) passwords are available here:

Fact Sheet about Oracle database passwords.


Downloads

Checkpwd 1.23 (for Windows) + default passwords + libraries + wordlist with 1.5 million words + Oracle Instant Client 10.2
(35 MB, MD5SUM: d41737cca1b07d66bd134c53989fa1b5 *oracle_checkpwd_big.zip)

Checkpwd 1.23 (for Windows) + default passwords + libraries
(1.5 MB, MD5SUM: 17a00e28b9ff0e6bed45554b43f62b06 *oracle_checkpwd.zip)

Checkpwd 1.23 - passwords not displayed - (for Windows) + default passwords + libraries
(1.5 MB, MD5SUM: 6638b0c82dea7685b6e045c9f7136168 *oracle_checkpwd_nopw.zip)


Checkpwd 1.23 (for Linux) + default passwords + Instant Client 10.2
(42 MB, MD5SUM: aa05f5e7c8a20ec1094e68143085c3a7 *oracle_checkpwd_linux.tar.gz)

Checkpwd 1.23 - passwords not displayed - (for Linux) + default passwords + Instant Client 10.2
(42 MB, MD5SUM: b0f356a27f6089275637555fbe70445d *oracle_checkpwd_nopw_linux.tar.gz)


Checkpwd 1.23 (for Mac OSX (PPC)) + default passwords + wordlist with 1.5 million words + Instant Client 10.1
(48 MB, MD5SUM: fe4608bf25915585adea5bf668ec6569 *oracle_checkpwd_mac_big.tar.gz)


Checkpwd 1.23 (for Mac OSX (PPC)) + default passwords (without Instant Client)
(56 KB, MD5SUM: 53bfaf05ba7375a576a55d30f4a44319 *oracle_checkpwd_mac.tar.gz)


Checkpwd 1.23 - passwords not displayed - (for Mac OSX (PPC)) + default passwords (without Instant Client)
(56 KB, MD5SUM: dc4a3c623224055de5a8bac0f076f7a6 *oracle_checkpwd_nopw_mac.tar.gz)



Checkpwd 1.23 (for Mac OSX (Intel)) + default passwords + wordlist with 1.5 million words + Instant Client 10.1
(37 MB, MD5SUM: be18c958cf1a7af27c7825c9c78c3fa6 *oracle_checkpwd_mac_intel_big.zip)


Checkpwd 1.23 (for Mac OSX (Intel)) + default passwords (without Instant Client)
(68 KB, MD5SUM: f7d82902baea9df804e55b757c452aa3 *oracle_checkpwd_mac_intel.zip)


Checkpwd 1.23 - passwords not displayed - (for Mac OSX (Intel)) + default passwords (without Instant Client)
(68 KB, MD5SUM: edac226122e78c7690bef1b0e4780959 *oracle_checkpwd_nopw_mac_intel.zip)



Usage with Oracle database connect (requires Oracle client)

C:\>checkpwd system/strongpw@//123.34.54.123:1521/ORCL password_list.txt

Checkpwd 1.23 [Win] - (c) 2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Training
http://www.red-database-security.com

initializing Oracle client library
connecting to the database
retrieving users and password hash values
opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
MDSYS has weak password MDSYS [EXPIRED & LOCKED]
ORDSYS has weak password ORDSYS [EXPIRED & LOCKED]
DUMMY123 has weak password DUMMY123 [OPEN]
DBSNMP OK [OPEN]
SCOTT has weak password TIGER [OPEN]
CTXSYS has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
SH has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
OUTLN has weak password OUTLN [EXPIRED & LOCKED]
DIP has weak password DIP [EXPIRED & LOCKED]
DUMMY321 has weak password 123YMMUD [OPEN]
[...]
SYS OK [OPEN]
SYSTEM OK [OPEN]

Done. Summary:
Passwords checked : 13900828
Weak passwords found : 23
Elapsed time (min:sec) : 0:54
Passwords / second : 265486
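
A way to triage the result lines above, as an added example (not part of Checkpwd or of the original page): it parses lines in the format shown, drops the recovered passwords from the report, and lists accounts that are not locked first. The function name `triage` and the exposure labels are assumptions of this example; the sample lines are copied from the run above.

```python
import re

# Result lines copied from the Checkpwd run shown above (database-connect mode).
SAMPLE = """\
MDSYS has weak password MDSYS [EXPIRED & LOCKED]
DUMMY123 has weak password DUMMY123 [OPEN]
DBSNMP OK [OPEN]
SCOTT has weak password TIGER [OPEN]
CTXSYS has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
DUMMY321 has weak password 123YMMUD [OPEN]
SYS OK [OPEN]
Weak passwords found : 23
"""

# "<USER> has weak password <PW> [<STATUS>]" or "<USER> OK [<STATUS>]";
# the status is optional because the standalone run prints none.
LINE = re.compile(
    r"^(?P<user>\S+) (?:has weak password (?P<pw>.+?)|OK)"
    r"(?: \[(?P<status>[^\]]+)\])?$"
)
ORDER = {"loginable": 0, "unknown": 1, "locked": 2}  # labels are hypothetical

def triage(output):
    """Return weak-password findings, non-locked accounts first, passwords dropped."""
    findings = []
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group("pw") is None:
            continue  # banner, progress, summary or "OK" line
        user, pw, status = m.group("user"), m.group("pw"), m.group("status")
        if pw == user:
            reason = "password equals username"
        elif pw == user[::-1]:
            reason = "password is reversed username"
        else:
            reason = "password found in dictionary"
        if status is None:
            exposure = "unknown"    # no account status in the output
        elif "LOCKED" in status:
            exposure = "locked"     # reset the password before any unlock
        else:
            exposure = "loginable"  # not locked: change the password now
        findings.append({"user": user, "status": status,
                         "reason": reason, "exposure": exposure})
    return sorted(findings, key=lambda f: (ORDER[f["exposure"]], f["user"]))

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['exposure']:<10}{f['user']:<10}{f['status']}  {f['reason']}")
```
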




Usage standalone (Oracle client software NOT required)

c:\>checkpwd SCOTT:F894844C34402B67 default_passwords.txt

Checkpwd 1.23 - (c) 2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Training
http://www.red-database-security.com

opening weak password list file
reading weak passwords list
checking passwords
Starting 1 thread
SCOTT OK

Done. Summary:
Passwords checked : 1543900
Weak passwords found : 0
Elapsed time (min:sec) : 0:05
Passwords / second : 320335




FAQ


Q: I'm getting the error message "MSVCR80.dll not found".

A: This DLL was missing. Download Checkpwd 1.22 again.

Q: Where can I get an Oracle Client?

A: Checkpwd 1.23 no longer needs a separate Oracle client. The large ZIP file (36 MB) contains a complete Oracle (instant) client.

Q: What is the difference between the standalone and normal version?

A: The normal version requires installed Oracle client software because checkpwd connects to the database.
The standalone version is not able to connect to an Oracle database and can only check 1 hashkey.

Q: What Linux versions do you support?

A: Checkpwd 1.1 was tested on Backtrack, Red Hat Enterprise Server 3 and Red Hat Fedora Core release 4 (thanks to Paul van Maaren for testing).

Q: Is there a bigger dictionary file with permutations, e.g. Oracle, 0racle, Oracle1, Oracle2, ...?

A: You could use John the Ripper to create such a dictionary file (e.g. john.exe -wordfile:password_list.txt -stdout -rules > password_list_big.txt). The result is an 840 MB file.


Q: McAfee reports a threat PWCrack-Oracle. Is checkpwd dangerous or illegal?

A: No. McAfee flags checkpwd as a powerful and potentially unwanted program on the scanned computer. checkpwd does NOT contain dangerous or illegal code.




History

1.0 - Initial Version

1.1 - Smaller Changes
Show Oracle Account Status (OPEN, EXPIRED, LOCKED)
Check for weak password = username
Linux Version (static, shared and standalone)
Dictionary file can now contain \n or \r\n
Dictionary converted to upper case

1.12 - Smaller Changes
Support for Oracle Easy Connect
Usage of the instant client (no separate client required)

1.12a - Smaller Changes
Oracle CPU July 2006 files included into checkpwd_big

1.21 - Support for multithreading
* Checkpwd now supports multi-threading and is up to 2.5 times faster than 1.12
* Additional optimizations

1.22 - Optimization (up to 30% faster)
* OpenSSL optimized
* Dictionary Sort Order Optimized
* Oracle Instant Client Updated

1.23 - Non-optimized OpenSSL library is now default again
* special nopw version
* available for Windows, Linux and Mac (PPC)

Old versions of checkpwd

Checkpwd 1.21 (for Windows) + default passwords + libraries
(804 KB, MD5SUM: 54d649b4219cad597940a2c306892c2f *oracle_checkpwd.zip)

Checkpwd 1.21 (for Windows) + default passwords + libraries + wordlist with 1.5 million words + Oracle Instant Client 10.2
(41 MB, MD5SUM: f11d44676b6fd87a068036cead64804f *oracle_checkpwd_big.zip)


License

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). See checkpwd.txt for the OpenSSL license.




© 2005-2009 by Red-Database-Security GmbH - last update 16-apr-2009