Skip to content

Instantly share code, notes, and snippets.

@oehrlis

oehrlis/oracle_passwords_demos.md Secret

Last active Dec 1, 2020
Embed
What would you like to do?

Notes Security Best Practice: Oracle Passwords, but secure!

The following scripts, commands are simple notes for the demos during the presentation Security Best Practice: Oracle Passwords, but secure!. Use at your own risk

Demo : Logon Process

Trace the Oracle Logon Process using Wireshark. Show the following topics:

  • TNS TCP Stream of logon process
  • What happens if somebody runs ALTER USER...

Demo : Test Different Password Verifier

Add SQLNET.ALLOWED_LOGON_VERSION_SERVER to sqlnet.ora

echo "SQLNET.ALLOWED_LOGON_VERSION_SERVER=11" >> $cdn/admin/sqlnet.ora
sed -i 's/SQLNET\.ALLOWED_LOGON_VERSION_SERVER.*/SQLNET\.ALLOWED_LOGON_VERSION_SERVER=11/' $cdn/admin/sqlnet.ora

Create some DB Test Users

host sed -i 's/SQLNET\.ALLOWED_LOGON_VERSION_SERVER.*/SQLNET\.ALLOWED_LOGON_VERSION_SERVER=11/' $cdn/admin/sqlnet.ora
CONNECT / AS SYSDBA
DROP USER test_10g CASCADE;
DROP USER test_11g CASCADE;
DROP USER test_12c CASCADE;
DROP USER test_all CASCADE;

CREATE USER test_10g IDENTIFIED BY VALUES 'AF310E4D20D06950';
CREATE USER test_11g IDENTIFIED BY VALUES 'S:6702B83E88D277BFC378AD6B22DD1AE01895A254470F8124A9D3C5347056';
CREATE USER test_12c IDENTIFIED BY VALUES 'T:45738A7B75C9E31ED0C533BCF4931084658A143FD7CF826B980A88EA6C4F0BE66C28DA7085BCAE386723029BA967DC4F45E9C146F6FA7C22E44BA2C1BD2F56F8C22291D417E26D4B810003F3F055EDFF';
CREATE USER test_all IDENTIFIED BY Welcome1;

GRANT CREATE SESSION TO test_10g;
GRANT CREATE SESSION TO test_11g;
GRANT CREATE SESSION TO test_12c;
GRANT CREATE SESSION TO test_all;

GRANT SELECT_CATALOG_ROLE TO test_10g;
GRANT SELECT_CATALOG_ROLE TO test_11g;
GRANT SELECT_CATALOG_ROLE TO test_12c;
GRANT SELECT_CATALOG_ROLE TO test_all;

Show the user hash values

SET LINESIZE 160 PAGESIZE 200
COL name FOR a10
COL password FOR a16
COL spare4 FOR a64
SELECT name,password,spare4 
FROM user$ WHERE name LIKE 'TEST_%' ORDER BY 1;

NAME       PASSWORD         SPARE4
---------- ---------------- ----------------------------------------------------------------
TEST_10G   AF310E4D20D06950
TEST_11G                    S:6702B83E88D277BFC378AD6B22DD1AE01895A254470F8124A9D3C5347056
TEST_12C                    T:45738A7B75C9E31ED0C533BCF4931084658A143FD7CF826B980A88EA6C4F0B
                            E66C28DA7085BCAE386723029BA967DC4F45E9C146F6FA7C22E44BA2C1BD2F56
                            F8C22291D417E26D4B810003F3F055EDFF

TEST_ALL   4932A1B4C59EC3D0 S:ABF25107166264C8EAFE72BF02152DE17000F359CB5BAF21A6AF41477633;T
                            :62FEE108652A56D940813F54EC72D1494ACAD99F2BBDD0A578BF1F97FAB4A7E
                            B468A98B6B553E460DE21E57F6C35A930DEE027D20B33ED13D56EA0ECACB1CEA
                            94EEC8AC389561346052BB0BFF2C06647

Example to alter the hash values

ALTER USER test_10g IDENTIFIED BY VALUES 'AF310E4D20D06950';
ALTER USER test_11g IDENTIFIED BY VALUES 'S:6702B83E88D277BFC378AD6B22DD1AE01895A254470F8124A9D3C5347056';
ALTER USER test_12c IDENTIFIED BY VALUES 'T:45738A7B75C9E31ED0C533BCF4931084658A143FD7CF826B980A88EA6C4F0BE66C28DA7085BCAE386723029BA967DC4F45E9C146F6FA7C22E44BA2C1BD2F56F8C22291D417E26D4B810003F3F055EDFF';

Show the password versions

SET LINESIZE 160 PAGESIZE 200
COL username FOR a10
COL password_versions FOR a20
SELECT username, password_versions 
FROM dba_users WHERE username LIKE 'TEST_%';

USERNAME    PASSWORD_VERSIONS
----------- --------------------
TEST_10G    10G
TEST_11G    11G
TEST_ALL    10G 11G 12C
TEST_12C    12C

Test the different Logons / Hash

  • Oracle 10g Hash
host sed -i 's/SQLNET\.ALLOWED_LOGON_VERSION_SERVER.*/SQLNET\.ALLOWED_LOGON_VERSION_SERVER=11/' $cdn/admin/sqlnet.ora
host grep -i ALLOWED_LOGON_VERSION_SERVER $cdn/admin/sqlnet.ora
conn test_10g/Welcome1
show user
conn test_11g/Welcome1
show user
conn test_12c/Welcome1
show user
conn test_all/Welcome1
show user
connect / as sysdba
CREATE USER test_new IDENTIFIED BY Welcome1;
SELECT username, password_versions FROM dba_users WHERE username LIKE 'TEST_%';
DROP USER test_new IDENTIFIED BY Welcome1;
  • Oracle 11g Hash
host sed -i 's/SQLNET\.ALLOWED_LOGON_VERSION_SERVER.*/SQLNET\.ALLOWED_LOGON_VERSION_SERVER=12/' $cdn/admin/sqlnet.ora
host grep -i ALLOWED_LOGON_VERSION_SERVER $cdn/admin/sqlnet.ora
conn test_10g/Welcome1
show user
conn test_11g/Welcome1
show user
conn test_12c/Welcome1
show user
conn test_all/Welcome1
show user
connect / as sysdba
CREATE USER test_new IDENTIFIED BY Welcome1;
SELECT username, password_versions FROM dba_users WHERE username LIKE 'TEST_%';
DROP USER test_new IDENTIFIED BY Welcome1;
  • Oracle 12c Hash
host sed -i 's/SQLNET\.ALLOWED_LOGON_VERSION_SERVER.*/SQLNET\.ALLOWED_LOGON_VERSION_SERVER=12a/' $cdn/admin/sqlnet.ora
host grep -i ALLOWED_LOGON_VERSION_SERVER $cdn/admin/sqlnet.ora
conn test_10g/Welcome1
show user
conn test_11g/Welcome1
show user
conn test_12c/Welcome1
show user
conn test_all/Welcome1
show user
connect / as sysdba
CREATE USER test_new IDENTIFIED BY Welcome1;
SELECT username, password_versions FROM dba_users WHERE username LIKE 'TEST_%';
DROP USER test_new IDENTIFIED BY Welcome1;

Demo : Check Passwords

Create a password hash for a 7 Character Password.

docker exec tpwd01 sqlplus / as sysdba @/u01/config/scripts/create_password_hash.sql system $(pwgen -1 7)

SQL*Plus: Release 19.0.0.0.0 - Production on Wed Nov 18 10:03:57 2020
Version 19.8.0.0.0

Copyright (c) 1982, 2020, Oracle.  All rights reserved.


Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.8.0.0.0

SQL> @create_password_hash.sql system ieShae0

Username : system
Password : ieShae0
Hash	 : 0AD56CF5F1CB8D2A
SQL	 : alter user system identified by values '0AD56CF5F1CB8D2A';

PL/SQL procedure successfully completed.

SQL> Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.8.0.0.0
  • alternatively direct on the DB server
sqh
@/u01/config/scripts/create_password_hash.sql system ieShae0
  • Create the hashcat hash file
echo "0AD56CF5F1CB8D2A:SYSTEM" > demo.hash

start a brute force attack for this hash value

  • --increment will start to brute force with shorter length e.g 4 characters
  • --custom-charset1 to define numbers and characters
  • --hash-type Oracle 7+ respectively password verifier 10g
  • --show show the password
echo "0AD56CF5F1CB8D2A" >demo.hash
hashcat --attack-mode 3 --increment --increment-min 4 \
--custom-charset1 ?l?d --hash-type 3100 ./demo.hash ?1?1?1?1?1?1?1
hashcat --hash-type 3100 ./demo.hash --show

Benchmarks

Oracle 10g Hash

hashcat --benchmark --hash-type 3100

Oracle 11g Hash:

hashcat --benchmark --hash-type 112

Oracle 12c Hash:

hashcat --benchmark --hash-type 12300

Für alle Hashes:

hashcat --benchmark-all
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment