Checkpwd – Oracle Database Password Audit Tools

  • Posted on November 29, 2008

    Checkpwd is one of the fastest dictionary-based password checkers for Oracle databases. It is a useful tool for DBAs to identify Oracle accounts with weak or default passwords. Please get approval from the audit team on the reliability of this tool as password auditing software.

    Checkpwd only shows that a password is weak, not the password itself. It reads the password hashes from the view dba_users and compares them with the hashes calculated from a dictionary file.

    Two auditing methods are available with this tool:
    1.    Connect directly to the database
    2.    Run on a standalone machine, no database connection required

    Details about Oracle (database) passwords are available here:

    Usage with Oracle database connect (requires Oracle client)
    UNIX> checkpwd system/strongpw@//123.34.54.123:1521/ORCL password_list.txt

    Checkpwd 1.23 [Win] – (c) 2007 by Red-Database-Security GmbH
    Oracle Security Consulting, Security Audits & Security Training
    http://www.red-database-security.com
    initializing Oracle client library
    connecting to the database
    retrieving users and password hash values
    opening weak password list file
    reading weak passwords list
    checking passwords
    Starting 2 threads
    MDSYS has weak password MDSYS [EXPIRED & LOCKED]
    ORDSYS has weak password ORDSYS [EXPIRED & LOCKED]
    DUMMY123 has weak password DUMMY123 [OPEN]
    DBSNMP OK [OPEN]
    SCOTT has weak password TIGER [OPEN]
    CTXSYS has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    SH has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    OUTLN has weak password OUTLN [EXPIRED & LOCKED]
    DIP has weak password DIP [EXPIRED & LOCKED]
    DUMMY321 has weak password 123YMMUD [OPEN]
    […]
    SYS OK [OPEN]
    SYSTEM OK [OPEN]

    Done. Summary:
    Passwords checked : 13900828
    Weak passwords found : 23
    Elapsed time (min:sec) : 0:54
    Passwords / second : 265486

    Usage standalone (Oracle client software NOT required)
    UNIX> checkpwd SCOTT:F894844C34402B67 default_passwords.txt

    Checkpwd 1.23 – (c) 2007 by Red-Database-Security GmbH
    Oracle Security Consulting, Security Audits & Security Training
    http://www.red-database-security.com
    opening weak password list file
    reading weak passwords list
    checking passwords
    Starting 1 thread
    SCOTT OK

    Done. Summary:
    Passwords checked : 1543900
    Weak passwords found : 0
    Elapsed time (min:sec) : 0:05
    Passwords / second : 320335
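
    Added example (not part of Checkpwd or the original post): a Python sketch that parses the report lines shown in the transcripts above and lists weak accounts that are not locked first, recording why each password is weak rather than the password itself. The function names and the triage rule are assumptions made for this example.

```python
import re

# Constructed sample in the report format shown in the transcripts above.
SAMPLE_REPORT = """\
checking passwords
Starting 2 threads
MDSYS has weak password MDSYS [EXPIRED & LOCKED]
DUMMY123 has weak password DUMMY123 [OPEN]
DBSNMP OK [OPEN]
SCOTT has weak password TIGER [OPEN]
CTXSYS has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
DUMMY321 has weak password 123YMMUD [OPEN]
SYS OK [OPEN]
Weak passwords found : 5
"""

# "<USER> OK [STATUS]" or "<USER> has weak password <PW> [STATUS]";
# the [STATUS] suffix is absent in standalone mode.
LINE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?:OK|has weak password\s+(?P<pw>.+?))"
    r"(?:\s+\[(?P<status>[^\]]+)\])?\s*$"
)

def classify(user, pw):
    """Describe why the password is weak without recording the password."""
    if pw.upper() == user.upper():
        return "same-as-username"
    if pw.upper() == user.upper()[::-1]:
        return "reversed-username"
    return "dictionary-word"

def parse_report(text):
    """Return one record per account line; other output lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pw = m["pw"]
            records.append({"user": m["user"], "weak": pw is not None,
                            "status": m["status"],
                            "reason": classify(m["user"], pw) if pw else None})
    return records

def triage(records):
    """Split weak accounts into (urgent, locked). Anything not reported as
    LOCKED, including unknown status, is treated as able to log in."""
    weak = [r for r in records if r["weak"]]
    locked = [r for r in weak if r["status"] and "LOCKED" in r["status"]]
    urgent = [r for r in weak if r not in locked]
    return urgent, locked
```

    On the sample, `triage(parse_report(SAMPLE_REPORT))` puts DUMMY123, SCOTT and DUMMY321 in the urgent list and MDSYS and CTXSYS in the locked list.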
