The incredible speed of dictionary attacks in password cracking

As I wrote last week, I did an Oracle database hacking training. One of the exercises was to get password hashes from sys.user$ (in 10g and before: dba_users) and crack the password by brute force with woraauthbf 0.22. In the database I prepared for the course I intentionally created a user with a weak password. The password was “simpel”, the Dutch word for “simple”. With woraauthbf 0.22 it takes about 300 seconds to crack it on the somewhat older laptops we used.

Some people also tried to crack the system password, which was “oracle11g”, but that simply took too long. It’s simple if you do the math. A password of 6 characters using only lowercase letters (26 different characters) gives 26 to the power of 6 possible combinations, which is about 309 million combinations that a password cracker must go through. A lot of people think that is a lot, but a modern computer can go through 3 million combinations a second. In our case it was a little slower though.

But if you use the password “oracle11g” there are 9 positions and 36 different characters (26 lowercase letters + 10 digits), so that’s about 100 trillion combinations. A modern computer would need 391 days (worst case!) to crack this one. So we’re safe, right? (As long as we change the password every 60 days?)

You might have been forgiven for thinking that, until we came to the part of the exercise where we used a dictionary attack. For passwords with Dutch words, I needed a Dutch dictionary in text format. It turns out that such a thing can be found at the site of opentaal.org (http://www.opentaal.org/bestanden/view_cat/41-). And I’m sure there are lists like these for many other languages as well.

You can use the dictionary in woraauthbf like this (the password file is a formatted file with the usernames and password hashes you found; more on soonerorlater.hu):
woraauthbf -p pwfile.txt -d opentaal2010.txt -t 11g10g -m 9 -c alphanum

Using the dictionary, cracking the password “simpel” took 0 seconds. The next step was adding the password “oracle11g” to the very end of the dictionary file (of 2 Mb). Then I tried to crack the system password. That took 0 seconds as well! Scary stuff!

Now you might say that is cheating, because I knew the password beforehand. Yes, but having been an Oracle DBA for 16 years I’ve seen a lot of DBA passwords, and I know a significant number of DBAs choose very weak passwords. If you wanted to crack the password of a DBA account, you’d do very well by beginning to compile a “custom made” dictionary. Try a couple of combinations of the following with different version numbers, years and so on:

  • oracle
  • The name of the database.
  • The (abbreviated) name of the vendor of the application.
  • The (abbreviated) name of the company.
  • If you know the name of the DBAs, try to find the names of spouses, children, pets and cars on social media.
  • Next try the dictionary.

So we learned two things here: we need to protect sys.user$ to the extreme (for example, don’t grant SELECT ANY DICTIONARY!) and we need to choose complex passwords.
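The defensive counterpart of the “custom made” dictionary above is a password check that rejects anything derived from a dictionary word or from the environment’s own names (product, database, vendor, company), which is the kind of check an Oracle profile’s PASSWORD_VERIFY_FUNCTION can enforce in PL/SQL. The Python below is an added example, not code from the post or from woraauthbf; the wordlist, the database name PRODDB and the company name Acme are constructed placeholders.

```python
import re

MIN_LENGTH = 12  # policy choice for this example


def candidate_stems(password):
    """Return the base words a password may have been built from, e.g.
    'oracle11g' -> 'oracle', 'Simpel2010!' -> 'simpel', 'PRODDB_2012' -> 'proddb'."""
    s = password.lower()
    stems = {
        s,
        re.sub(r"[^a-z]", "", s),              # drop every digit and symbol
        re.sub(r"^[^a-z]+|[^a-z]+$", "", s),   # strip leading/trailing digits and symbols
        re.sub(r"\d+[a-z]?[^a-z]*$", "", s),   # strip a version-style tail: 11g, 12c, 2010!
    }
    return {t for t in stems if t}


def verify_password(password, wordlist, site_words):
    """Return a list of policy violations; an empty list means acceptable.
    `wordlist` is a plain dictionary such as the OpenTaal list; `site_words`
    are the environment-specific words the post lists (product, database
    name, vendor, company)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    blocked = {w.lower() for w in wordlist} | {w.lower() for w in site_words}
    hits = sorted(candidate_stems(password) & blocked)
    if hits:
        problems.append(f"derived from blocked word(s): {', '.join(hits)}")
    return problems


# Constructed sample inputs; a real deployment loads the full dictionary file.
SAMPLE_WORDLIST = {"simpel", "wachtwoord", "welkom", "geheim"}
SAMPLE_SITE_WORDS = {"oracle", "PRODDB", "Acme"}  # placeholder DB and company names

if __name__ == "__main__":
    for pw in ["simpel", "oracle11g", "Simpel2010!", "PRODDB_2012", "xq7Vt9#LmP2zRw4$Kd8n"]:
        result = verify_password(pw, SAMPLE_WORDLIST, SAMPLE_SITE_WORDS) or ["OK"]
        print(f"{pw!r:24} -> {'; '.join(result)}")
```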

And why not? With software like Password Safe and KeePass you can generate passwords of, say, 20 characters, use them in Oracle and store them encrypted. You never need to see the passwords, because copying and pasting them is very easy in these tools. (Note: if your encrypted password database falls into the hands of organizations that have a lot of computing power, they might still be able to crack your password safe. It’s not 100% waterproof.)

The day after the training I overheard two colleagues. One of them had attended my training. The other one suggested picking a dictionary word for a new admin password. “No we won’t”, the other one said, “because I’ve been to Marcel-Jan’s training yesterday and I’ve seen how easy it is to crack those”. Needless to say, the outcome of that argument sounded like music to my ears.


Time to crack a password by brute force

(worst case, at a speed of 3,000,000 variations per second)

Number of characters | Alpha, one case (26 variations) | Alpha, mixed case (52 variations) | Alphanum, mixed case (62 variations) | Alphanum + special characters (85 variations)
---------------------|---------------------------------|-----------------------------------|--------------------------------------|---------------------------------------------
6                    | 103 seconds                     | 1,8 hours                         | 5,3 hours                            | 34,9 hours
7                    | 0,7 hours                       | 4,0 days                          | 13,6 days                            | 123,7 days
8                    | 0,8 days                        | 206,2 days                        | 2,3 years                            | 28,8 years
9                    | 20,9 days                       | 29,4 years                        | 143,1 years                          | 2443 years
10                   | 1,5 years                       | 1528 years                        | 8871 years                           | 208095 years
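The arithmetic behind the table and the two cases in the post (26^6 for “simpel”, 36^9 for “oracle11g”) as a small calculator. This is an added example, not part of the original post: the 3,000,000 guesses per second and the alphabet sizes are the post’s assumptions, not measurements of woraauthbf, and the duration formatting (365-day years, decimal points) is my own, so some cells differ from the table by rounding.

```python
# Worst-case brute-force time for fixed-length passwords over a given alphabet.

RATE = 3_000_000  # guesses per second, the rate assumed in the post

# Alphabet sizes used in the post's table
CHARSETS = {
    "alpha, one case": 26,
    "alpha, mixed case": 52,
    "alphanum, mixed case": 62,
    "alphanum + special": 85,
}


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def brute_force_seconds(length, alphabet_size, rate=RATE):
    """Worst case: every candidate in the keyspace must be tried."""
    return keyspace(length, alphabet_size) / rate


def format_duration(seconds):
    """Human-readable duration; years are 365 days."""
    if seconds < 600:
        return f"{seconds:.0f} seconds"
    if seconds < 48 * 3600:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 365 * 86400:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (365 * 86400):.1f} years"


def build_table(lengths=range(6, 11), charsets=CHARSETS, rate=RATE):
    """Rows keyed by password length, columns keyed by charset name."""
    return {
        n: {name: format_duration(brute_force_seconds(n, size, rate))
            for name, size in charsets.items()}
        for n in lengths
    }


if __name__ == "__main__":
    print(f"{'len':>3} " + " ".join(f"{name:>22}" for name in CHARSETS))
    for n, row in build_table().items():
        print(f"{n:>3} " + " ".join(f"{row[name]:>22}" for name in CHARSETS))
    # The two concrete cases from the post
    print("simpel    (26^6):", format_duration(brute_force_seconds(6, 26)))
    print("oracle11g (36^9):", format_duration(brute_force_seconds(9, 36)))
```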

About Marcel-Jan Krijgsman

Ever since I started working with Oracle, I had an interest in Oracle database performance tuning. This led, eventually, to a four-day training I made and gave for customers of Transfer Solutions. Since 2012 I have worked for Rabobank Nederland. A few years ago I also became interested in Oracle database security. All technology aside, it is my experience that security usually plays out on a political level. I'm an Oracle Certified Professional for the 8i, 9i, 10g and 11g databases and an Oracle Database 11g Performance Tuning Certified Expert.

This entry was posted in Oracle security. Bookmark the permalink.

One Response to The incredible speed of dictionary attacks in password cracking

  1. Pingback: % ANY % privileges and other excessive privileges | Marcel-Jan's Oracle Blog
