Oracle Password Cracker         Version 1.6     Written by Adam Martin, 2002

Free download available at www.download.com.

 

CONTENTS

1.    Description

2.    Installation

3.    Using the Oracle Password Cracker

4.    Full Version

5.    Frequently Asked Questions

6.    License and Disclaimers

 

DESCRIPTION

Great for password retrieval or for enforcing password selection guidelines, the Oracle Password Cracker is a utility which can be used by database administrators to obtain a clear-text password for any user account in an Oracle database!  The software utilizes Oracle's modified DES encryption algorithm and stored password hashes in your database to perform a password dictionary attack.   

Running as a PL/SQL stored procedure, it can run on any platform where Oracle is installed (but requires Oracle 8i or above).  The software does not need to change the user's password while performing the crack, and it is not affected by preventive security measures such as the number of failed login attempts or password history storage.  

The download comes with a very good dictionary including commonly used passwords.  (Of course, the best passwords cannot be discovered by a dictionary attack.)

The free version has two limitations: Only words that are four letters long or shorter will be used from the dictionary, and the program will only run for up to five minutes at a time.  The full version (only $4) removes these limitations, plus it includes the source code and a graphical user interface.

 

INSTALLATION

1. Choose a user who will own the stored procedure

To install the Oracle Password Cracker, you will need to log in to an Oracle database with a DBA account.  The account you use must have EXPLICIT rights on the sys.DBA_USERS view (not through a role like DBA).  In other words, if you plan on using "SYSTEM" or some other DBA account in your database such as "ADMIN_GUY", then you need to log in as SYS and type "GRANT SELECT ON DBA_USERS TO ADMIN_GUY;" (without the double quotes) to grant explicit rights on the view.  Alternatively, you can log in as SYS and compile the procedure as SYS without doing any grants.

2. Create the WORDS table

After you have identified a user that will own the stored procedure, run the script called create_table.sql by logging into the database in SQL*PLUS and typing "@c:\directory\create_table" (where c:\directory is the path to the file).  This will create the table called WORDS.  Experienced Oracle users may change the file to include storage information such as the tablespace where the table will be created, but in most cases this will not be necessary.

3. Populate the WORDS table

A script has been prepared with thousands of insert statements to populate the WORDS table with the dictionary.  To run it, in SQL*PLUS type "@c:\directory\load_dictionary" (where c:\directory is the path to the file).  This will insert records into the WORDS table, periodically issuing a commit.  This will run for a few minutes!  It is inserting over 27,000 words, so be patient.

You are always welcome to insert additional words into the words table, or even delete some of the ones that are inserted.  The dictionary is simply provided as a convenience.  The dictionary in the free version is a subset (words that are four letters or shorter) of the dictionary in the full version, which has over 140,000 words in it.

4. Create the GET_PASSWORD procedure

At the SQL*PLUS prompt, type "@c:\directory\load_procedure.plb" (where c:\directory is the path to the file).  This will create the GET_PASSWORD PL/SQL stored procedure.  It is the heart of the Oracle Password Cracker, and contains all the logic for the program.
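
Once the WORDS table is loaded, the same dictionary can also enforce password selection at the moment a password is set, instead of after the fact.  The following is an added example, not part of the original download: it assumes the WORDS table is owned by ADMIN_GUY and has a single column named WORD, and the function name is hypothetical.

```sql
-- Run as SYS: Oracle requires a profile's verify function to be owned by SYS.
-- Assumptions (not from the original README): schema ADMIN_GUY, column WORD.
CREATE OR REPLACE FUNCTION reject_dictionary_words (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN
IS
  -- The DES-based hash ignores case, so compare everything in upper case.
  v_pw   VARCHAR2(128) := UPPER(password);
  -- Also test the password with trailing digits removed (SUMMER1 -> SUMMER).
  v_stem VARCHAR2(128) := RTRIM(UPPER(password), '0123456789');
  v_hits PLS_INTEGER;
BEGIN
  IF v_pw = UPPER(username) THEN
    raise_application_error(-20001, 'Password must differ from the user name');
  END IF;

  SELECT COUNT(*)
    INTO v_hits
    FROM admin_guy.words
   WHERE UPPER(word) IN (v_pw, v_stem);

  IF v_hits > 0 THEN
    raise_application_error(-20002, 'Password is based on a dictionary word');
  END IF;

  RETURN TRUE;
END;
/

-- Attach the check to every account that uses the DEFAULT profile.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION reject_dictionary_words;
```

The function is called when a password is set with IDENTIFIED BY; it is not called for IDENTIFIED BY VALUES, because only the hash is supplied in that case.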

 

USING THE ORACLE PASSWORD CRACKER

You use the Oracle Password Cracker just like you would call any other stored procedure.  The following describes the parameters:

    GET_PASSWORD(user_id in varchar2, allowed_to_change_password in varchar2, maxtime_to_search in number, result out varchar2)

    For user_id pass in the name of the account that you want the password for.  The next parameter is just a yes/no field: pass in 'Y' if it is ok to change the user's password while running or 'N' if you don't want the user's password to be changed while running.  Then pass in a number (or fraction of a number) for the length of time, in minutes, that you want the program to run.  (1.5 would be 90 seconds.)  Finally, declare a variable to accept the return message from the program and print it out.  Make sure your serveroutput is on!  Here is an example program:

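set serveroutput on

declare
  v_message varchar2(200);  -- receives the result message
begin
  -- user FOO, do not change FOO's password, search for up to 3 minutes
  get_password('FOO', 'N', 3, v_message);
  dbms_output.put_line(v_message);
end;
/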

The example above turns on the serveroutput first.  Then it begins a pl/sql block and declares a variable to receive the output of the password cracker.  The parameters are saying: Give me the password for user FOO without touching FOO's password, and only try for 3 minutes to crack the password.  You can just copy and paste the above example into SQL*PLUS after installation.

You can also use the file called run_cracker.sql which will prompt you for values.  Just type in @c:\directory\run_cracker and it will run.

You could receive one of four different messages as output:  the password, time limit, unknown, or error.  If you discover the password, the above example would say something like this: "The password for FOO is: PASSWORD"  If the program reaches the specified time limit before finding the password, it will say, "Time limit reached."  If the program finishes successfully but cannot find the password it will simply say "unknown".  (If you do get the message that says "unknown" after running the program, you may get better results by letting the program change the user password during the process.)  Finally, if an unexpected, unhandled error occurs, you will get the message, "Error".  In any case the user account and password will be the way they were before the program ran.  No permanent changes are made even if you allow the program to change passwords while cracking them.

FULL VERSION

After you have evaluated the free download, you will want to purchase the full version.  It will only cost you $4.00 to purchase through PayPal.  Simply click the button below:

 

The full version of the Oracle Password Cracker includes the following:

FREQUENTLY ASKED QUESTIONS

1. What if I don't have a DBA account in the database?

    You don't need to install the procedure in the database that you are cracking.  You can always create a user with the same name in a database of your own and crack it there.  For example, let's say I want to crack a password in the database "PROD" for the user "JACK" but I don't have the necessary rights in that database.  All I need to do is get the password hash value for JACK and then I can crack it in my own database.  So I log into PROD and type:

    SELECT PASSWORD FROM DBA_USERS WHERE USERNAME = 'JACK';   

    It returns his password hash of "E241123AC2232BB".

    So then I login into my database "TEST" as a DBA and I type:

    CREATE USER JACK IDENTIFIED BY VALUES 'E241123AC2232BB';

    Presto, I can now attempt to crack Jack's password in my test database.

 

2. I never use the SYS account.  What if I don't know the password for SYS to grant access to sys.DBA_USERS for the installation?

    If you don't know the password for SYS, but you have the password of a user with DBA privileges, then you can still log in as SYS by following these steps:

    First get the encrypted password of SYS by typing:    SELECT PASSWORD FROM DBA_USERS WHERE USERNAME = 'SYS';  Say the value returned is 'EE1122DD5223119'.  Make note of it.

    Then change the password of SYS by typing: ALTER USER SYS IDENTIFIED BY FOO;

    Login as SYS: CONNECT SYS/FOO@MY_DB

    Change the password back: ALTER USER SYS IDENTIFIED BY VALUES 'EE1122DD5223119'; 

    You are still logged in as SYS, so do whatever you need to, like the grant: GRANT SELECT ON DBA_USERS TO ADMIN_GUY;

 

3. Why is the procedure code not readable?

    You may have noticed that the file load_procedure.plb is not the PL/SQL you are used to seeing. The file has been encrypted using Oracle's wrapper function.  The purpose of wrapping source code is to protect trade secrets by not letting others read your code.  I wrapped the code so that I could offer the full version of the Oracle Password Cracker (with source code) as a separate purchase in order to recover some of my costs in developing the software.  Anyone can buy the full version and source for a measly $4.  I am not out to make lots of money on the product, but I do like to earn a little something for my efforts.

 

4. Why does the full version only cost four dollars?

    It is definitely worth more than $4, but like I mentioned earlier, I am not trying to make lots of money on this software.  It is a relatively small piece of software, but it serves its purpose well.  People have asked me to make my password cracker available for download, which I finally did.  Getting it ready for release to the public did take some work, so I am trying to earn something for my efforts. 

    Most people today are not willing to pay high fees for software and media.  Since it is faster and easier to pay $4 than to recreate the software yourself, most Oracle programmers will gladly pay the four bucks.  Plus, in the days where software had to be put on a disk and mailed to the buyer, the cost of delivering software was much higher, but since I am just emailing the program to buyers, it is a relatively inexpensive way for me to distribute the program.

 

5. Why are you giving away the source code?

    Why didn't I just put in the time restriction and password length restriction on the free version and then remove them in the full version?  Good question.  Actually, to me the source code is the most valuable part!  It is an incentive to buy the full version.  If I were buying it from someone else, I would be 10 times more likely to want it if the source code were available.  Then I could change it, enhance it, and see what it is really doing.

    Plus, some people will not run any freely downloaded SQL against their database until they can read it and see exactly what it is about to do.  I don't blame them.

 

6. What if I want to buy the full version but I don't use PayPal?

    First of all, why don't you use PayPal!?  It rules!  In fact, at the time I wrote this, PayPal was giving away $5 to people who sign up for the first time.  You may actually get the software for free, plus a dollar for yourself!  You might be able to actually make money on this purchase.

 

7. Isn't it wrong to try to crack passwords?

    I am not suggesting you use this software for illegal or unethical purposes.  This type of software is very useful in identifying weaknesses in your database security.  Bad passwords still tend to be the weakest link in most security strategies.  A knowledgeable database administrator can use this software to check individual accounts for weak passwords.  Besides, you have to be able to get the encrypted password for this software to work.  You aren't going to be using it to get into databases where you are not an authorized user.

 

8. How do I buy the full version?

    Easy.  Click this button:

 

    You will receive the software within two business days as an attachment to an email.

 

9. Why wasn't the graphical user interface (Oracle Form) included in the free download?

    There are a few reasons why the Form was not included in the free download.  First of all, if I were to include the .fmx file (compiled form) I would have compiled it on Windows 2000, and it would not have worked for Linux or any other operating system.  By providing nothing more than a stored procedure, it will work on any operating system that can run Oracle.  When the full version is purchased, I include the .fmb file (source) so that the end user can compile it on whatever operating system is chosen.  Secondly, it is a great incentive to purchase the full version.  Finally, it is much easier to reverse-engineer an .fmx file than a .plb wrapped pl/sql file.
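
FAQ items 1 and 2 and the installation grant all depend on two things: read access to the PASSWORD column of DBA_USERS, and the ability to run ALTER USER or CREATE USER with IDENTIFIED BY VALUES.  The following is an added example, not part of the original download, showing how a DBA can list who holds that access and record when it is used.  It assumes standard auditing is switched on through the AUDIT_TRAIL initialization parameter.

```sql
-- 1. Who can read password hashes?  Object grants on the view the README
--    queries (and on SYS.USER$, the table underneath it), plus system
--    privileges that allow dictionary reads or password changes.
SELECT grantee, privilege, table_name AS granted_on
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBA_USERS', 'USER$')
UNION ALL
SELECT grantee, privilege, '(system privilege)'
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY', 'ALTER USER', 'CREATE USER')
 ORDER BY 1, 2;

-- 2. Some grantees above are roles; list the accounts that hold the usual ones.
SELECT granted_role, grantee
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SELECT_CATALOG_ROLE')
 ORDER BY granted_role, grantee;

-- 3. Record every CREATE USER, ALTER USER and DROP USER statement.
AUDIT USER BY ACCESS;

-- 4. Review account changes made by someone other than the account owner,
--    such as the temporary password change on SYS described in FAQ 2.
SELECT timestamp,
       username AS changed_by,
       obj_name AS target_account,
       action_name,
       userhost,
       terminal
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE USER', 'ALTER USER')
   AND username <> obj_name
 ORDER BY timestamp;
```

Statements issued while connected as SYS are not written to this trail; they are recorded only when AUDIT_SYS_OPERATIONS is enabled, and then in the operating system audit files.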

 

LICENSE AND DISCLAIMERS

The free version is for evaluation purposes only, and not for a production environment.  However, you are welcome to keep the free version for as long as you like to use for testing, evaluation, or self-education.  The full version may be used in a production environment including business or government, limit one license per user per database.

Author retains all rights and ownership of this product.  You are not permitted to copy, distribute, sell, alter, reverse-engineer, or reproduce this software.

This software is not intended as a tool to gain unauthorized access to databases.  It is meant as a tool for implementing or auditing good password selection as part of a security strategy.  Use at your own risk.  The author takes no responsibility for any damages caused by the use of this software.  Please use legally and ethically.