As I wrote last week, I gave an Oracle database hacking training. One of the exercises was to get password hashes from sys.user$ (in 10g and before: dba_users) and brute-force the password with woraauthbf 0.22. In the database I prepared for the course I intentionally created a user with a weak password. The password was “simpel”, the Dutch word for “simple”. With woraauthbf 0.22 it takes about 300 seconds to crack it on the somewhat older laptops we used.
Some people also tried to crack the system password, which was “oracle11g”, but that simply took too long. It’s simple if you do the math. A password of 6 characters using only lowercase letters (26 different characters) has 26 to the power of 6 possible combinations, which is about 309 million combinations a password cracker must go through. A lot of people think that’s a lot, but a modern computer can go through 3 million combinations a second. In our case it was a little slower though.
But with the password “oracle11g” there are 9 positions and 36 different characters (26 lowercase letters + 10 digits), so about 100 trillion combinations. A modern computer will need 391 days (worst case!) to crack this nut. So we’re safe, right? (As long as you change the password every 60 days?)
You might have been forgiven for thinking that, until we came to the part of the exercise where we used a dictionary attack. For passwords with Dutch words, I needed a Dutch dictionary in text format. It turns out that such a thing can be found at the site of opentaal.org (http://www.opentaal.org/bestanden/view_cat/41-). And I’m sure there are lists like these for many other languages as well.
You can use the dictionary in woraauthbf in this way. (The password file is a formatted text file with the usernames and password hashes you found. More on this at soonerorlater.hu.)
woraauthbf -p pwfile.txt -d opentaal2010.txt -t 11g10g -m 9 -c alphanum
Using the dictionary, cracking the password “simpel” took 0 seconds. The next step was adding the password “oracle11g” to the very end of the dictionary file (of about 2 MB). Then I tried to crack the system password. That took 0 seconds as well! Scary stuff!
Now you might say that is cheating, because I knew the password beforehand. Yes, but having been an Oracle DBA for 16 years I’ve seen a lot of DBA passwords, and I know a significant number of DBAs choose very weak passwords. If you wanted to crack the password of a DBA account, you’d do very well by beginning to compile a “custom made” dictionary. Try a couple of combinations of the following with different version numbers, years and so on:
- The name of the database.
- The (abbreviated) name of the vendor of the application.
- The (abbreviated) name of the company.
- If you know the name of the DBAs, try to find the names of spouses, children, pets and cars on social media.
- Then try the full dictionary.
So we learned two things here. We need to protect sys.user$ in the extreme (for example: don’t grant SELECT ANY DICTIONARY!) and we need to choose complex passwords.
And why not? With software like Password Safe and KeePass you can generate passwords of, say, 20 characters, use them in Oracle and store them encrypted. You never need to see the passwords, because copying and pasting them is very easy in these tools. (Note: if your encrypted password database falls into the hands of an organization with a lot of computing power, they might still be able to crack your password safe. It’s not 100% waterproof.)
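A password-policy check in the spirit of the last two paragraphs, as an added Python example (not code from the post, and not how Password Safe or KeePass work internally): it rejects passwords that are short, that use too few character classes, or that reduce to a dictionary word once a numeric or version suffix such as “11g” is stripped, and then generates a 20-character random password with Python’s `secrets` module and verifies that it passes the same check. The tiny wordlist is constructed for the example and stands in for the OpenTaal list plus the site-specific terms (database name, vendor, company) the post mentions; a real check would load the full files. The policy thresholds and the three special characters in the generator alphabet are assumptions chosen for this example.

```python
import re
import secrets
import string

# Constructed sample wordlist for this example; stands in for the OpenTaal
# dictionary plus site-specific terms (database name, vendor, company name).
# A real check loads the full files, one word per line.
SAMPLE_WORDLIST = {"simpel", "oracle", "welkom", "geheim", "acme", "proddb"}

MIN_LENGTH = 12    # policy threshold chosen for this example
MIN_CLASSES = 3    # out of: lowercase, uppercase, digit, special

# Alphabet for generated passwords. The three specials are an assumption for
# this example; check your database's quoting rules before using others.
GEN_ALPHABET = string.ascii_letters + string.digits + "_#$"

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def base_word(candidate):
    """Reduce a password to the word a dictionary run would start from:
    lowercase it, drop trailing punctuation, then drop a trailing number or
    version suffix ('oracle11g' -> 'oracle', 'Welkom2010!' -> 'welkom')."""
    word = candidate.lower()
    word = re.sub(r"[^a-z0-9]+$", "", word)   # trailing punctuation
    word = re.sub(r"[0-9]+[a-z]?$", "", word)  # trailing 11g, 2010, 42 ...
    return word


def check_password(candidate, wordlist=SAMPLE_WORDLIST):
    """Return the policy violations for a candidate; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = sum(1 for cls in CLASSES if any(c in cls for c in candidate))
    if used < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if base_word(candidate) in wordlist:
        problems.append("dictionary word, possibly with a number/version suffix")
    return problems


def generate_password(length=20, alphabet=GEN_ALPHABET):
    """Draw a random password with the `secrets` module and keep drawing until
    it satisfies check_password (a draw without digits, say, is retried)."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("simpel", "oracle11g", "Welkom2010!"):
        print(pw, "->", check_password(pw) or "ok")
    print("generated:", generate_password())
```

The suffix stripping is deliberately simple: it catches the “word plus version or year” pattern the post describes, but not substitutions such as digits for letters inside the word, so treat it as a floor, not a complete audit.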
The day after the training I overheard two colleagues. One of them had attended my training. The other one suggested picking a dictionary word for a new admin password. “No we won’t”, the first one said, “because I’ve been to Marcel-Jan’s training yesterday and I’ve seen how easy it is to crack those”. Needless to say, the outcome of that argument sounded like music to my ears.
Time to crack a password by brute force (worst case, at a speed of 3,000,000 variations per second):

| Number of characters | Alpha, one case (26 variations) | Alpha, mixed case (52 variations) | Alphanum, mixed case (62 variations) | Alphanum + special characters (85 variations) |
|---|---|---|---|---|
| 6 | 103 seconds | 1.8 hours | 5.3 hours | 34.9 hours |
| 7 | 0.7 hours | 4.0 days | 13.6 days | 123.7 days |
| 8 | 0.8 days | 206.2 days | 2.3 years | 28.8 years |
| 9 | 20.9 days | 29.4 years | 143.1 years | 2443 years |
| 10 | 1.5 years | 1528 years | 8871 years | 208095 years |
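The keyspace arithmetic behind this table, and behind the 309 million and 100 trillion figures earlier in the post, as an added Python example (not code from the post or from woraauthbf). It assumes the post’s rate of 3,000,000 guesses per second and 365-day years, so the last digit of a few rows can differ slightly from the table above. `alphabet_size_for`, which derives the alphabet size from the character classes a password actually uses (26 per letter case, 10 digits, and 23 specials to match the post’s 85-character column), is my own addition and an assumption about how that column was built.

```python
# Added example: the brute-force arithmetic used in the post, not code from
# the post or from woraauthbf. Rate and character-set sizes follow the post.
RATE = 3_000_000  # guesses per second, the post's figure for a modern computer

# Character-set sizes from the post's table (85 = 62 alphanumerics + 23 specials,
# an assumption about how the "special characters" column was built)
CHARSETS = {
    "alpha, one case": 26,
    "alpha, mixed case": 52,
    "alphanum, mixed case": 62,
    "alphanum + special characters": 85,
}

UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("seconds", 1)]


def keyspace(alphabet_size, length):
    """Number of candidates a brute-force run must try in the worst case."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, rate=RATE):
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds):
    """Express a duration in the largest unit that gives a value of at least 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(lengths=range(6, 11), rate=RATE):
    """Rebuild the post's table: {length: {charset name: human-readable time}}."""
    return {
        n: {name: humanize(worst_case_seconds(size, n, rate))
            for name, size in CHARSETS.items()}
        for n in lengths
    }


def alphabet_size_for(password):
    """Alphabet size implied by the character classes actually present
    (26 per letter case, 10 digits, 23 specials: an assumption, see above)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 23
    return size


def worst_case_days_for(password, rate=RATE):
    """Worst-case brute-force time, in days, for a password of this shape."""
    return worst_case_seconds(alphabet_size_for(password), len(password), rate) / 86400


if __name__ == "__main__":
    for length, row in crack_time_table().items():
        print(length, row)
    print("oracle11g:", f"{worst_case_days_for('oracle11g'):.0f} days worst case")
```

The numbers only describe exhaustive search; as the dictionary exercise shows, a password built from a word plus a suffix falls far sooner than its keyspace suggests, which is why the table is an upper bound rather than a guarantee.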