The following scripts and commands are simple notes for the demos given during the presentation "Security Best Practice: Oracle Passwords, but secure!". Use at your own risk.
Trace the Oracle Logon Process using Wireshark. Show the following topics:
- TNS TCP Stream of logon process
- What happens if somebody runs ALTER USER...
Add SQLNET.ALLOWED_LOGON_VERSION_SERVER to sqlnet.ora
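# Set the minimum authentication protocol / password verifier the server accepts.
# Value 11 still admits the 10G verifier; the stricter values 12 and 12a are
# exercised in the logon tests of these notes.
# The entry is updated in place when it exists and appended only when it is
# missing, so re-running the demo does not leave duplicate lines in sqlnet.ora.
# The pattern is anchored at line start so a commented-out entry is not rewritten.
# NOTE(review): $cdn is assumed to be set by the shell environment and to
# contain the directory that holds admin/sqlnet.ora — confirm before running.
sqlnet_ora="$cdn/admin/sqlnet.ora"
if grep -q '^SQLNET\.ALLOWED_LOGON_VERSION_SERVER' "$sqlnet_ora"; then
    sed -i 's/^SQLNET\.ALLOWED_LOGON_VERSION_SERVER.*/SQLNET.ALLOWED_LOGON_VERSION_SERVER=11/' "$sqlnet_ora"
else
    echo "SQLNET.ALLOWED_LOGON_VERSION_SERVER=11" >> "$sqlnet_ora"
fi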
Create some DB Test Users
-- Set the server to value 11 before the test accounts are created, so that an
-- account created from a clear-text password receives every verifier type
-- (sqlnet.ora is edited through the SQL*Plus HOST command).
host sed -i 's/SQLNET\.ALLOWED_LOGON_VERSION_SERVER.*/SQLNET\.ALLOWED_LOGON_VERSION_SERVER=11/' $cdn/admin/sqlnet.ora
CONNECT / AS SYSDBA

-- Start from a clean slate. On the first run the accounts do not exist yet and
-- each DROP reports an error that can be ignored.
DROP USER test_10g CASCADE;
DROP USER test_11g CASCADE;
DROP USER test_12c CASCADE;
DROP USER test_all CASCADE;

-- One account per verifier type. IDENTIFIED BY VALUES stores exactly the
-- verifier supplied: no prefix = 10G, 'S:' = 11G, 'T:' = 12C (compare the
-- PASSWORD_VERSIONS output further down in these notes). The logon tests in
-- these notes connect to all of them with the same demo password.
CREATE USER test_10g
  IDENTIFIED BY VALUES 'AF310E4D20D06950';
CREATE USER test_11g
  IDENTIFIED BY VALUES 'S:6702B83E88D277BFC378AD6B22DD1AE01895A254470F8124A9D3C5347056';
CREATE USER test_12c
  IDENTIFIED BY VALUES 'T:45738A7B75C9E31ED0C533BCF4931084658A143FD7CF826B980A88EA6C4F0BE66C28DA7085BCAE386723029BA967DC4F45E9C146F6FA7C22E44BA2C1BD2F56F8C22291D417E26D4B810003F3F055EDFF';

-- test_all is created from the clear-text password, so the server derives the
-- verifiers itself; the output in these notes shows 10G, 11G and 12C for it.
CREATE USER test_all
  IDENTIFIED BY Welcome1;

-- Logon privilege plus SELECT_CATALOG_ROLE, granted per account.
GRANT CREATE SESSION, SELECT_CATALOG_ROLE TO test_10g;
GRANT CREATE SESSION, SELECT_CATALOG_ROLE TO test_11g;
GRANT CREATE SESSION, SELECT_CATALOG_ROLE TO test_12c;
GRANT CREATE SESSION, SELECT_CATALOG_ROLE TO test_all;
Show the user hash values
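-- Show the stored verifiers of the test accounts straight from the dictionary
-- base table USER$ (unqualified name, so run it in the SYSDBA session).
-- As the output in these notes shows, PASSWORD holds the 10G verifier and
-- SPARE4 the 11G ('S:') and 12C ('T:') verifiers.
SET LINESIZE 160 PAGESIZE 200
COL name FOR a10
COL password FOR a16
COL spare4 FOR a64
-- '_' is a single-character wildcard in LIKE; it is escaped here so that only
-- names starting with the literal prefix TEST_ are listed. Sorting by column
-- name instead of position stays correct if the select list is changed.
SELECT name, password, spare4
  FROM user$
 WHERE name LIKE 'TEST!_%' ESCAPE '!'
 ORDER BY name;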
NAME PASSWORD SPARE4
---------- ---------------- ----------------------------------------------------------------
TEST_10G AF310E4D20D06950
TEST_11G S:6702B83E88D277BFC378AD6B22DD1AE01895A254470F8124A9D3C5347056
TEST_12C T:45738A7B75C9E31ED0C533BCF4931084658A143FD7CF826B980A88EA6C4F0B
E66C28DA7085BCAE386723029BA967DC4F45E9C146F6FA7C22E44BA2C1BD2F56
F8C22291D417E26D4B810003F3F055EDFF
TEST_ALL 4932A1B4C59EC3D0 S:ABF25107166264C8EAFE72BF02152DE17000F359CB5BAF21A6AF41477633;T
:62FEE108652A56D940813F54EC72D1494ACAD99F2BBDD0A578BF1F97FAB4A7E
B468A98B6B553E460DE21E57F6C35A930DEE027D20B33ED13D56EA0ECACB1CEA
94EEC8AC389561346052BB0BFF2C06647
Example to alter the hash values
-- Re-apply stored verifiers without knowing the clear-text password.
-- IDENTIFIED BY VALUES replaces the account's verifiers with exactly the value
-- given; the PASSWORD_VERSIONS output in these notes shows a single version
-- for each of these three accounts.
-- NOTE(review): no clear-text password is supplied here, so a password verify
-- function in the profile presumably cannot check it — confirm, and make sure
-- ALTER USER statements are covered by auditing.
ALTER USER test_10g IDENTIFIED BY VALUES 'AF310E4D20D06950';
ALTER USER test_11g IDENTIFIED BY VALUES 'S:6702B83E88D277BFC378AD6B22DD1AE01895A254470F8124A9D3C5347056';
ALTER USER test_12c IDENTIFIED BY VALUES 'T:45738A7B75C9E31ED0C533BCF4931084658A143FD7CF826B980A88EA6C4F0BE66C28DA7085BCAE386723029BA967DC4F45E9C146F6FA7C22E44BA2C1BD2F56F8C22291D417E26D4B810003F3F055EDFF';
Show the password versions
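-- List which verifier generations (10G / 11G / 12C) exist for each test account.
-- An account can only log on while it owns a verifier that the server's
-- SQLNET.ALLOWED_LOGON_VERSION_SERVER setting still accepts.
SET LINESIZE 160 PAGESIZE 200
COL username FOR a10
COL password_versions FOR a20
-- '_' is a single-character wildcard in LIKE; it is escaped here so that only
-- names starting with the literal prefix TEST_ are listed.
SELECT username, password_versions
  FROM dba_users
 WHERE username LIKE 'TEST!_%' ESCAPE '!';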
USERNAME PASSWORD_VERSIONS
----------- --------------------
TEST_10G 10G
TEST_11G 11G
TEST_ALL 10G 11G 12C
TEST_12C 12C
Test the different Logons / Hash
- Oracle 10g Hash
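-- Logon test with SQLNET.ALLOWED_LOGON_VERSION_SERVER=11.
-- Expected per Oracle's documented behaviour for this value (verify on the
-- demo database): the 10G verifier is still accepted, so all four test
-- accounts can connect.
host sed -i 's/SQLNET\.ALLOWED_LOGON_VERSION_SERVER.*/SQLNET\.ALLOWED_LOGON_VERSION_SERVER=11/' $cdn/admin/sqlnet.ora
host grep -i ALLOWED_LOGON_VERSION_SERVER $cdn/admin/sqlnet.ora

-- SHOW USER after each CONNECT makes a refused logon visible: the session is
-- then left without a user.
CONNECT test_10g/Welcome1
SHOW USER
CONNECT test_11g/Welcome1
SHOW USER
CONNECT test_12c/Welcome1
SHOW USER
CONNECT test_all/Welcome1
SHOW USER

-- A user created under this setting is expected to receive 10G, 11G and 12C verifiers.
CONNECT / AS SYSDBA
CREATE USER test_new IDENTIFIED BY Welcome1;
SELECT username, password_versions
  FROM dba_users
 WHERE username LIKE 'TEST!_%' ESCAPE '!';
-- DROP USER has no IDENTIFIED BY clause; with it the statement is rejected and
-- test_new stays behind, so the next CREATE USER test_new in these notes fails.
DROP USER test_new CASCADE;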
- Oracle 11g Hash
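-- Logon test with SQLNET.ALLOWED_LOGON_VERSION_SERVER=12.
-- Expected per Oracle's documented behaviour for this value (verify on the
-- demo database): the 10G verifier is no longer accepted, so test_10g is
-- refused while test_11g, test_12c and test_all can still connect.
host sed -i 's/SQLNET\.ALLOWED_LOGON_VERSION_SERVER.*/SQLNET\.ALLOWED_LOGON_VERSION_SERVER=12/' $cdn/admin/sqlnet.ora
host grep -i ALLOWED_LOGON_VERSION_SERVER $cdn/admin/sqlnet.ora

-- SHOW USER after each CONNECT makes a refused logon visible: the session is
-- then left without a user.
CONNECT test_10g/Welcome1
SHOW USER
CONNECT test_11g/Welcome1
SHOW USER
CONNECT test_12c/Welcome1
SHOW USER
CONNECT test_all/Welcome1
SHOW USER

-- A user created under this setting is expected to receive 11G and 12C verifiers only.
CONNECT / AS SYSDBA
CREATE USER test_new IDENTIFIED BY Welcome1;
SELECT username, password_versions
  FROM dba_users
 WHERE username LIKE 'TEST!_%' ESCAPE '!';
-- DROP USER has no IDENTIFIED BY clause; with it the statement is rejected and
-- test_new stays behind, so the next CREATE USER test_new in these notes fails.
DROP USER test_new CASCADE;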
- Oracle 12c Hash
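-- Logon test with SQLNET.ALLOWED_LOGON_VERSION_SERVER=12a.
-- Expected per Oracle's documented behaviour for this value (verify on the
-- demo database): only the 12C verifier is accepted, so test_10g and test_11g
-- are refused while test_12c and test_all can still connect.
host sed -i 's/SQLNET\.ALLOWED_LOGON_VERSION_SERVER.*/SQLNET\.ALLOWED_LOGON_VERSION_SERVER=12a/' $cdn/admin/sqlnet.ora
host grep -i ALLOWED_LOGON_VERSION_SERVER $cdn/admin/sqlnet.ora

-- SHOW USER after each CONNECT makes a refused logon visible: the session is
-- then left without a user.
CONNECT test_10g/Welcome1
SHOW USER
CONNECT test_11g/Welcome1
SHOW USER
CONNECT test_12c/Welcome1
SHOW USER
CONNECT test_all/Welcome1
SHOW USER

-- A user created under this setting is expected to receive the 12C verifier only.
CONNECT / AS SYSDBA
CREATE USER test_new IDENTIFIED BY Welcome1;
SELECT username, password_versions
  FROM dba_users
 WHERE username LIKE 'TEST!_%' ESCAPE '!';
-- DROP USER has no IDENTIFIED BY clause; with it the statement is rejected and
-- test_new would be left behind on the demo database.
DROP USER test_new CASCADE;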
Create a password hash for a 7 Character Password.
# Generate a 10g-style hash for a random 7-character password inside the demo
# container. `pwgen -1 7` prints one 7-character password; it is passed as the
# second script argument, the first being the user name (system).
# The generated password appears on the command line and in the SQL*Plus
# output shown in these notes.
docker exec tpwd01 \
  sqlplus / as sysdba \
  @/u01/config/scripts/create_password_hash.sql system $(pwgen -1 7)
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Nov 18 10:03:57 2020
Version 19.8.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.8.0.0.0
SQL> @create_password_hash.sql system ieShae0
Username : system
Password : ieShae0
Hash : 0AD56CF5F1CB8D2A
SQL : alter user system identified by values '0AD56CF5F1CB8D2A';
PL/SQL procedure successfully completed.
SQL> Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.8.0.0.0
- alternatively, directly on the DB server
sqh
@/u01/config/scripts/create_password_hash.sql system ieShae0
- Create the hashcat hash file
# hashcat input for the 10g verifier in the form <hash>:<USERNAME>. The user
# name is part of the 10g hash computation, so it has to accompany the hash.
echo "0AD56CF5F1CB8D2A:SYSTEM" > demo.hash
Start a brute force attack for this hash value. Options used:
- --increment : start the brute force with shorter lengths, e.g. 4 characters
- --custom-charset1 : define the character set (numbers and characters)
- --hash-type : Oracle 7+, i.e. the 10g password verifier
- --show : show the password
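# Password-audit demo against the 10g verifier generated above for SYSTEM.
# The hash file keeps the <hash>:<USERNAME> form used by the earlier echo in
# these notes; the user name is part of the 10g hash computation, so a file
# with the bare hash does not match the Oracle 7+ hash type.
echo "0AD56CF5F1CB8D2A:SYSTEM" > demo.hash

# Mask run over lengths 4 to 7 with custom charset 1 = lower-case letters and
# digits. Charset and mask are quoted because '?' is a shell glob character.
# The 10G verifier is case-insensitive, so mixed case in the password adds no
# strength against it; accepting only 12C verifiers (value 12a in the logon
# tests of these notes) is the mitigation this demo motivates.
hashcat --attack-mode 3 --increment --increment-min 4 \
  --custom-charset1 '?l?d' --hash-type 3100 ./demo.hash '?1?1?1?1?1?1?1'

# Print the result recorded for the hash in demo.hash.
hashcat --hash-type 3100 ./demo.hash --show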
Oracle 10g Hash
# Measure this machine's guess rate for the 10G verifier (hashcat mode 3100);
# compare it with the 11G and 12C figures to see the relative cost per guess.
hashcat --benchmark --hash-type 3100
Oracle 11g Hash:
# Same measurement for the 11G verifier (hashcat mode 112).
hashcat --benchmark --hash-type 112
Oracle 12c Hash:
# Same measurement for the 12C verifier (hashcat mode 12300). It is built on an
# iterated key-derivation function, so a much lower guess rate is expected —
# that gap is the argument for keeping only 12C verifiers on accounts.
hashcat --benchmark --hash-type 12300
For all hashes:
# Benchmark every hash type hashcat supports on this machine; this can take a while.
hashcat --benchmark-all