Test Against 1 Million Weak Passwords
What is RockYou2024?
RockYou2024 : The Largest Password Compilation Leak
A hacker using the name ‘ObamaCare’ on a popular hacking forum has released a file containing 9,948,575,739 unique plaintext passwords. This list appears to be a compilation of passwords obtained from various old and recent data breaches. For cybercriminals, this list is valuable because it contains real-world passwords, which increases the chances of success in brute-force attacks, where attackers attempt to gain unauthorized access to accounts by trying numerous passwords. However, it is highly unlikely that any online service or website would allow such a massive number of password attempts. Therefore, this list is mainly useful to attackers who have obtained a password database and are attempting to crack the passwords offline, on their own machine. More information is available on the CyberNews site.
Ensuring the security of an Oracle database is critical. One crucial aspect of this security is password management. Weak passwords can be a significant vulnerability, allowing unauthorized access to your system.
In this post, I will show how you can compare your Oracle database passwords against a list of one million most commonly used passwords, such as those found in the RockYou2024.txt file. Attackers often use precompiled lists of common passwords to perform brute-force attacks. By ensuring your database users aren’t using these weak passwords, you can significantly enhance your database’s security posture.
First, I will download the list of the one million most used passwords from the SecLists GitHub repo.
[root@blt01 ~]# curl -L -o /home/oracle/passwords.txt https://raw.githubusercontent.com/danielmiessler/seclists/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
I will use this list as an external table. For this purpose, I will first create a directory object pointing at the folder where the file was saved.
SQL> CREATE OR REPLACE DIRECTORY ext_table_data AS '/home/oracle/';
Directory created.
Our purpose is to check whether any of these passwords are in use. Now I will create an external table that reads rows from the file I have downloaded.
SQL> CREATE TABLE t_passwords_ext ( password_brute varchar2(255))
ORGANIZATION EXTERNAL (
TYPE ORACLE_LOADER
DEFAULT DIRECTORY ext_table_data
ACCESS PARAMETERS (
RECORDS DELIMITED BY NEWLINE
FIELDS TERMINATED BY ''
MISSING FIELD VALUES ARE NULL
(
password_brute CHAR(255)
)
)
LOCATION ('passwords.txt')
)
PARALLEL 6
REJECT LIMIT UNLIMITED;
Table created.
Let’s walk through a practical example of how to compare your Oracle database SYSTEM user password against the most commonly used ones. It is provided for training purposes. Always ensure that your activities comply with legal and ethical standards.
Compare Oracle hashed passwords with plaintext strings
The provided SQL script compares Oracle hashed passwords with plaintext strings by extracting the hashed password and salt from the spare4 column of the sys.user$ table. This script relies on the presence of the “S:” part within the spare4 field, which holds the SHA-1 hashed password followed by its salt in specific Oracle versions.
SQL> SELECT
       username,
       guessed_password,
       stored_hashed_pwd,
       CASE
         WHEN stored_hashed_pwd = computed_hashed_pwd THEN 'Y'
         ELSE 'N'
       END AS result
     FROM (  -- This inline view concatenates the salt with the guessed password and hashes it.
       SELECT
         name AS username,
         password_brute AS guessed_password,
         SUBSTR(SUBSTR(spare4, 3, 60), 1, 40) AS stored_hashed_pwd,  -- first 20 bytes (40 hex characters): the hashed password
         SUBSTR(SUBSTR(spare4, 3, 60), -20) AS stored_salt,          -- last 10 bytes (20 hex characters): the plaintext salt
         -- The "3" selects the SHA-1 algorithm (if spare4 starts with "S:" you are using the SHA-1 verifier)
         sys.dbms_crypto.hash(
           utl_raw.cast_to_raw(password_brute) || CAST(SUBSTR(SUBSTR(spare4, 3, 60), -20) AS RAW(10)), 3
         ) AS computed_hashed_pwd
       FROM sys.user$, t_passwords_ext
       WHERE name = 'SYSTEM'
     )
     WHERE stored_hashed_pwd = computed_hashed_pwd;
The sys.user$ table contains the usernames and their respective password hashes. We’ll concatenate the salt with each guessed password and hash the result using the SHA-1 algorithm, then compare the computed hash with the stored hash to check whether the password matches.
This script will work with SQLNET.ALLOWED_LOGON_VERSION_SERVER settings: 8, 9, 10, 11, 12.
Starting with Oracle Database 12c release 2 (12.2), the default value for the SQLNET.ORA parameter ALLOWED_LOGON_VERSION_SERVER is changed to 12. This parameter refers to the logon authentication protocol used for the server, not the Oracle Database release. It will also work for 19c and 23c with the default settings.
Here is a short demo in action. First, I will try with a weak password like “oracle”. Then, I will try with a stronger one.

The SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter determines the allowed authentication protocols for the Oracle server. If this parameter is set to 12a, it enforces stricter authentication mechanisms introduced in Oracle 12c and this script will not work. For greater security, consider setting SQLNET.ALLOWED_LOGON_VERSION_SERVER to 12a. A setting of 12 permits both the 11G and 12C verifier to be used for authentication.
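The following Python script is an added example, not part of the original post, that reproduces outside the database what the SQL above does: it parses the "S:" part of a spare4 value into the 40-hex-character SHA-1 digest and the 20-hex-character salt, recomputes SHA-1(password || salt) for each wordlist entry, and reports which accounts match. It also handles the case discussed above where an account has no "S:" verifier at all (for example when ALLOWED_LOGON_VERSION_SERVER is 12a), so an auditor can tell "no weak password found" apart from "could not be tested". The sample spare4 values and the four-entry wordlist are constructed here for illustration; the helper names (sha1_verifier, make_spare4, audit) are my own and not an Oracle API.

```python
import hashlib
import os
import re
from typing import Dict, Iterable, Optional, Tuple

# Layout of the 11G verifier in sys.user$.spare4, as described in the post:
#   'S:' + 40 hex chars (20-byte SHA-1 digest) + 20 hex chars (10-byte salt)
# spare4 may also carry ';H:...' and ';T:...' parts; only the 'S:' part is used here.
S_VERIFIER_RE = re.compile(r"S:([0-9A-Fa-f]{40})([0-9A-Fa-f]{20})")


def sha1_verifier(password: str, salt: bytes) -> str:
    """SHA-1 over the password bytes followed by the 10-byte salt, as upper-case hex.
    This is the same computation as dbms_crypto.hash(raw(password) || salt, 3)."""
    if len(salt) != 10:
        raise ValueError("the 11G verifier salt is 10 bytes")
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest().upper()


def make_spare4(password: str, salt: Optional[bytes] = None) -> str:
    """Build a constructed 'S:' spare4 value for test data (assumed layout, not read
    from a real database). A random salt is used when none is supplied."""
    salt = os.urandom(10) if salt is None else salt
    return "S:" + sha1_verifier(password, salt) + salt.hex().upper()


def split_s_part(spare4: str) -> Optional[Tuple[str, bytes]]:
    """Return (stored_hash_hex, salt_bytes), or None when no 'S:' part is present."""
    m = S_VERIFIER_RE.search(spare4 or "")
    if m is None:
        return None
    return m.group(1).upper(), bytes.fromhex(m.group(2))


def matches(spare4: str, candidate: str) -> Optional[bool]:
    """True/False when the candidate can be tested, None when the account has no
    SHA-1 verifier (e.g. ALLOWED_LOGON_VERSION_SERVER=12a keeps only the 12C part)."""
    parts = split_s_part(spare4)
    if parts is None:
        return None
    stored, salt = parts
    return sha1_verifier(candidate, salt) == stored


def audit(users: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """For each user: the first wordlist entry that matches, None when nothing
    matches, or 'NO_S_VERIFIER' when the account could not be tested at all."""
    words = list(wordlist)
    report: Dict[str, Optional[str]] = {}
    for name, spare4 in users.items():
        if split_s_part(spare4) is None:
            report[name] = "NO_S_VERIFIER"
            continue
        report[name] = next((w for w in words if matches(spare4, w)), None)
    return report


# Constructed sample data: fixed salts so the values are reproducible.
SAMPLE_USERS = {
    "SYSTEM": make_spare4("oracle", bytes.fromhex("0102030405060708090A")),
    "APP_RO": make_spare4("Xq7!vB2#pL9@wE4z", bytes.fromhex("AABBCCDDEEFF00112233")),
    # Placeholder hex standing in for an account that carries only a 12C ('T:') verifier.
    "HR": "T:" + "00" * 40,
}
SAMPLE_WORDLIST = ["123456", "password", "oracle", "qwerty"]


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_USERS, SAMPLE_WORDLIST).items():
        print(f"{user:8s} -> {finding}")
```

Running it prints one line per account: SYSTEM is flagged with the weak password, APP_RO comes back clean, and HR is reported as untestable rather than silently passing. In a real audit you would feed the same one-million-entry file used by the external table and the spare4 values exported by a DBA, and you would treat the NO_S_VERIFIER rows as the accounts to review separately.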
Hope it helps.