Re: Funny sort of question re sys password

  • From: Pete Finnigan <oracle_list@xxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Wed, 10 Mar 2004 11:18:03 +0000

Hi Nuno,

Oracle do not make the encryption algorithm public, but there is enough
info in their own documents to know it is a modified DES encryption
algorithm. DES has been cracked, so it is possible, I suppose, but not
practical. Using a password cracker is the only other possibility; there
are a couple of free PL/SQL based ones out there that use "alter user"
to change the password and compare against the hash in sys.user$. There
are links to both on my tools page http://www.petefinnigan.com/tools.htm
- these are toys really compared to a real cracker like John the Ripper
or lopht. If the password is still the default then it is also easy to
crack. Brute forcing using a PL/SQL based password cracker would be
useless unless you (he) were lucky.

I guess he is not talking about breaking the encryption or using a brute
force or dictionary attack. He most probably is talking about being able
to simply change the password of SYS. There are many, many ways that
would allow this that I can think of. Most depend on what your current
setup is and whether you have blocked these avenues off. There are also
issues of password leakage, vulnerabilities...

If you look at my site http://www.petefinnigan.com/orasec.htm there are
two checklists on there: one is the SANS S.C.O.R.E document, which is a
big checklist of Oracle security items to look at, and the other is the
CIS Oracle benchmark, which is based very closely on the SANS work.

Your Sun guy is easy though: he is just connecting as root and logging
on as "/ as sysdba" - I guess.

Kind regards

Pete
-- 
Pete Finnigan
email: pete@xxxxxxxxxxxxxxxx
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.

