Oracle

Introduction
For 7-10g Oracle databases the password hash incorporates both the username and password. First the username and the password are concatenated to produce a plaintext string. The string is converted to uppercase characters, and then hashed via a proprietary Oracle hashing algorithm. The required key space is greatly reduced because the algorithm converts the password to uppercase characters. This makes a brute-force attack more effective. Because the hash includes the username, a rainbow table would have to be generated for every user. This makes rainbow tables less effective for less common usernames.

Hashing Algorithms
Oracle 7-10g
1. Concatenate the username and the password to produce a plaintext string;
2. Convert the plaintext string to uppercase characters;
3. Convert the plaintext string to multi-byte storage format; ASCII characters have the high byte set to 0x00;
4. Encrypt the plaintext string (padded with 0s if necessary to the next even block length) using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of 0x0123456789ABCDEF;
5. Encrypt the plaintext string again with DES-CBC, but using the last block of the output of the previous step (ignoring parity bits) as the encryption key. The last block of the output is converted into a printable string to produce the password hash value.

Passwords are up to 30 characters long, and all characters are converted to uppercase before hashing starts.
The result is an 8-byte hash produced with the DES encryption algorithm and no real salt (only the username).
The algorithm can be found in the book "Special Ops: Host and Network Security for Microsoft, Unix, and Oracle" on page 727.

  • Oracle (7-10g R2) encrypts the concatenation of (username||password), so sys/temp1 and system/p1 have the identical hash key (2E1168309B5B9B7A)
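
The five steps above, implemented as an added example (not code from the original page or from Oracle) using Go's standard-library DES so that the username-as-salt collision can be checked offline. The fixed key and the zero IV are taken from the algorithm description; the well-known SCOTT/TIGER test vector F894844C34402B67 is used as a sanity check.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// desCBCLastBlock encrypts data with DES-CBC under key (zero IV) and returns the
// final 8-byte block. DES uses 56 key bits, so the parity bits are ignored (step 5).
func desCBCLastBlock(key, data []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil { // only possible for a key that is not 8 bytes, which never happens here
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:]
}

// OracleLegacyHash computes the Oracle 7-10g password hash for an ASCII username/password.
func OracleLegacyHash(username, password string) string {
	// Steps 1-2: concatenate and uppercase; the username is the only "salt".
	plain := strings.ToUpper(username + password)
	// Step 3: multi-byte storage, each ASCII character as 0x00 followed by the
	// character, then zero-padded to a whole number of 8-byte DES blocks.
	buf := make([]byte, 0, 2*len(plain)+des.BlockSize)
	for _, c := range []byte(plain) {
		buf = append(buf, 0x00, c)
	}
	for len(buf)%des.BlockSize != 0 {
		buf = append(buf, 0x00)
	}
	// Step 4: DES-CBC with the fixed key 0x0123456789ABCDEF; the last block is the next key.
	key2 := desCBCLastBlock([]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, buf)
	// Step 5: DES-CBC again with the derived key; the last block, as hex, is the hash.
	return strings.ToUpper(hex.EncodeToString(desCBCLastBlock(key2, buf)))
}

func main() {
	// SYS/TEMP1 and SYSTEM/P1 both become "SYSTEMP1" after step 1, so they collide.
	for _, up := range [][2]string{{"SYS", "TEMP1"}, {"SYSTEM", "P1"}, {"SCOTT", "TIGER"}} {
		fmt.Printf("%s/%s -> %s\n", up[0], up[1], OracleLegacyHash(up[0], up[1]))
	}
}
```

Because the username is concatenated rather than mixed in as a proper salt, any two (username, password) pairs with the same uppercase concatenation yield the same stored hash, which is what a password audit should flag.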

Oracle 11g
Oracle Database 11g offers the (optional) possibility of using passwords of up to 50 characters, with mixed upper- and lowercase. In 11g the passwords are hashed both with DES (column: password) and with SHA-1 (column: spare4); the SHA-1 hash supports mixed-case passwords. In 11g the password hashes are no longer available in dba_users.

  • Oracle (11g R1) uses SHA-1 to hash the concatenation of (password||salt)

Weaknesses for 7-10g

  • The username is used as the salt.
  • The password is converted to uppercase before being hashed.
  • Weak hashing algorithm.

Where are the Hashes Stored?

Oracle 7-10g

  • DBA_USERS
  • SYS.USER$
SELECT username, password FROM DBA_USERS;

SELECT name,password FROM SYS.USER$ WHERE password is not null;

Oracle 11g
In 11g the password hash is no longer accessible via dba_users.

  • SYS.USER$
SELECT name,spare4 FROM SYS.USER$ WHERE password is not null;

Attacking Hashes

Brute Force
The 7-10g keyspace that has to be searched is limited because the password is converted to uppercase before it is hashed. Several Oracle brute-force and dictionary attack tools are available. The fastest brute-force tool, orabf, calculates 1,100,000 passwords per second; the fastest dictionary attack tools, checkpwd and repscan, reach 600,000 passwords per second. On a Pentium 4 at 3 GHz it takes (assuming the 26 ASCII letters only, i.e. 26^5 combinations for five characters):

  • 10 seconds to calculate all 5-ASCII-character combinations
  • 5 minutes to calculate all 6-ASCII-character combinations
  • 2 hours to calculate all 7-ASCII-character combinations
  • 2.1 days to calculate all 8-ASCII-character combinations
  • 57 days to calculate all 9-ASCII-character combinations
  • 4 years to calculate all 10-ASCII-character combinations

Rainbow Tables
The use of rainbow tables is generally limited to password algorithms that do not use a salt. However, since the salt mechanism used by Oracle is the account username, an attacker can build rainbow tables for a fixed username. One username selection candidate would be the SYSTEM account, since this account exists on all Oracle databases, and would provide privileged access to the database if the hash can be reversed.

Tools

Orabf
http://www.toolcrypt.org/index.html?orabf

CheckPWD
http://www.red-database-security.com/software/checkpwd.html

Cain & Abel
http://www.oxid.it/cain.html
Cain & Abel is the easiest to use but it is also the slowest.

Oracle Default Password List
http://www.petefinnigan.com/default/default_password_list.htm


References
"An Assessment of the Oracle Password Hashing Algorithm" by Joshua Wright and Carlos Cid
http://www.sans.org/reading_room/papers/index3.php?id=oracle_pass&c=795f1e452880795d00abeac32ff05646

"Fact sheet about Oracle database passwords" (Red-Database-Security)
http://www.red-database-security.com/whitepaper/oracle_passwords.html

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.