sitemap

RSS地图

收藏本站

设为首页

Oracle研究中心

当前位置:Oracle研究中心 > 故障案例 >

【案例】Oracle数据库忘记用户密码 暴力破解的方法案例

时间:2016-11-27 19:10   来源:Oracle研究中心   作者:网络   点击:

天萃荷净 Oracle研究中心案例分析:分享一篇关于Oracle数据库用户密码忘记问题,该文章记录了在忘记Oracle数据库密码后暴力破解的方法。

本站文章除注明转载外,均为本站原创: 转载自love wife & love life —Roger 的Oracle技术博客
本文链接地址: 忘记oracle 用户密码怎么办?

oracle 10g中关于用户密码忘记如何处理的问题?下面进行解答。 本文的目的不是想说使用alter user去更改或通过orapwd去重建密码文件,因为在很 多情况下是不允许的,比如这个网友的情况,应用马上要上线,如果alter user修改 密码了,那么势必要去修改应用配置,在10g以前的版本中容易处理,在10g以及以后版本 这个问题就不那么容易了。

[ora10g@killdb ~]$ sqlplus "/as sysdba"

SQL*Plus: Release 10.2.0.5.0 - Production ON Sat Nov 5 21:00:31 2011
Copyright (c) 1982, 2010, Oracle.  ALL Rights Reserved.
Connected TO an idle instance.

SQL> startup
ORACLE instance started.

Total System Global Area  167772160 bytes
Fixed SIZE                  1272600 bytes
Variable SIZE              83887336 bytes
DATABASE Buffers           79691776 bytes
Redo Buffers                2920448 bytes
DATABASE mounted.
DATABASE opened.

SQL> ALTER USER roger IDENTIFIED BY roger;
USER altered.

SQL> ALTER USER SCOTT IDENTIFIED BY scott;
USER altered.

SQL> ALTER USER SCOTT account UNLOCK;
USER altered.

SQL> SELECT username,password FROM dba_users WHERE  username IN('ROGER','SCOTT');

USERNAME                       PASSWORD
------------------------------ ------------------------------
ROGER                          F445AB203A65C4DB
SCOTT                          CDC57F9E62A38D03

SQL> SELECT name,password FROM USER$ WHERE name IN('ROGER','SCOTT');

NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          F445AB203A65C4DB
SCOTT                          CDC57F9E62A38D03

SQL> ALTER USER roger IDENTIFIED BY VALUES 'CDC57F9E62A38D03';
USER altered.

SQL> conn roger/scott
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected TO ORACLE.

SQL> conn /AS sysdba
Connected.
SQL> SELECT name,password FROM USER$ WHERE name IN('ROGER','SCOTT');

NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          CDC57F9E62A38D03
SCOTT                          CDC57F9E62A38D03


SQL> ALTER USER roger IDENTIFIED BY scott;
USER altered.

SQL> SELECT name,password FROM USER$ WHERE name IN('ROGER','SCOTT');

NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          0212881AEAA22C4F
SCOTT                          CDC57F9E62A38D03

SQL> conn roger/scott
Connected.

我们可以看到,传统的方式在10g中已经不好使了,即使password hash值相同,其密码也可能不一样的。

我们来看看dba_users的定义,如下:
SQL> SELECT owner,object_name,object_type FROM dba_objects
  2  WHERE object_name='DBA_USERS';

OWNER                          OBJECT_NAME                    OBJECT_TYPE
------------------------------ ------------------------------ -------------------
SYS                            DBA_USERS                      VIEW
PUBLIC                         DBA_USERS                      SYNONYM

SQL> SELECT dbms_metadata.get_ddl('VIEW','DBA_USERS','SYS') FROM dual;

DBMS_METADATA.GET_DDL('VIEW','DBA_USERS','SYS')
--------------------------------------------------------------------------------

  CREATE OR REPLACE FORCE VIEW "SYS"."DBA_USERS" ("USERNAME", "USER_ID", "PASSWO
RD", "ACCOUNT_STATUS", "LOCK_DATE", "EXPIRY_DATE", "DEFAULT_TABLESPACE", "TEMPOR
ARY_TABLESPACE", "CREATED", "PROFILE", "INITIAL_RSRC_CONSUMER_GROUP", "EXTERNAL_
NAME") AS
  SELECT u.name, u.USER#, u.password,
       m.STATUS,
       decode(u.astatus, 4, u.ltime,
                         5, u.ltime,
                         6, u.ltime,
                         8, u.ltime,
                         9, u.ltime,
                         10, u.ltime, to_date(NULL)),
       decode(u.astatus,
              1, u.exptime,
              2, u.exptime,
              5, u.exptime,
              6, u.exptime,
              9, u.exphttp://www.oracleplus.nettime,
              10, u.exptime,
              decode(u.ptime, '', to_date(NULL),
                decode(pr.LIMIT#, 2147483647, to_date(NULL),
                 decode(pr.LIMIT#, 0,
                   decode(dp.LIMIT#, 2147483647, to_date(NULL), u.ptime +
                     dp.LIMIT#/86400),
                   u.ptime + pr.LIMIT#/86400)))),
       dts.name, tts.name, u.ctime, p.name,
       nvl(cgm.consumer_group, 'DEFAULT_CONSUMER_GROUP'),
       u.ext_username
       FROM sys.USER$ u LEFT OUTER JOIN sys.resource_group_mapping$ cgm
            ON (cgm.attribute = 'ORACLE_USER' AND cgm.STATUS = 'ACTIVE' AND
                cgm.VALUE = u.name),
            sys.ts$ dts, sys.ts$ tts, sys.profname$ p,
            sys.user_astatus_map m, sys.profile$ pr, sys.profile$ dp
       WHERE u.datats# = dts.ts#
       AND u.resource$ = p.profile#
       AND u.tempts# = tts.ts#
       AND u.astatus = m.STATUS#
       AND u.TYPE# = 1
       AND u.resource$ = pr.profile#
       AND dp.profile# = 0
       AND dp.TYPE#=1
       AND dp.resource#=1
       AND pr.TYPE# = 1
       AND pr.resource# = 1

其中很关键的一个基表是USER$,其定义如下:
CREATE TABLE USER$                                             /* user table */
( USER#         NUMBER NOT NULL,                   /* user identifier number */
  name          varchar2("M_IDEN") NOT NULL,                 /* name of user */
  TYPE#         NUMBER NOT NULL,                       /* 0 = role, 1 = user */
  password      varchar2("M_IDEN"),                    /* encrypted password */
  datats#       NUMBER NOT NULL, /* default tablespace for permanent objects */
  tempts#       NUMBER NOT NULL,  /* default tablespace for temporary tables */
  ctime         DATE NOT NULL,                 /* user account creation time */
  ptime         DATE,                                /* password change time */
  exptime       DATE,                     /* actual password expiration time */
  ltime         DATE,                         /* time when account is locked */
  resource$     NUMBER NOT NULL,                        /* resource profile# */
  audit$        varchar2("S_OPFL"),                    /* user audit options */
  defrole       NUMBER NOT NULL,                  /* default role indicator: */
               /* 0 = no roles, 1 = all roles granted, 2 = roles in defrole$ */
  defgrp#       NUMBER,                                /* default undo group */
  defgrp_seq#   NUMBER,               /* global sequence number for  the grp *
  spare         varchar2("M_IDEN"),                   /* reserved for future */
  astatus       NUMBER DEFAULT 0 NOT NULL,          /* status of the account */
                /* 1 = Locked, 2 = Expired, 3 = Locked and Expired, 0 - open */
  lcount        NUMBER DEFAULT 0 NOT NULL, /* count of failed login attempts */
  defschclass   varchar2("M_IDEN"),                /* initial consumer group */
  ext_username  varchar2("M_VCSZ"),                     /* external username */
  spare1        NUMBER, /* used for schema level supp. logging: see ktscts.h */
  spare2        NUMBER,
  spare3        NUMBER,
  spare4        varchar2(1000),
  spare5        varchar2(1000),
  spare6        DATE
)
我们可以看到这里的password是经过DES加密以后的密码,在11g中,直接通过查询dba_users已经无法查到其加密密码了。

下面我们用orabf来进行10g,11g  用户密码的暴力破解。
F:\orabf-v0.7.6>orabf 0212881AEAA22C4F:ROGER

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done

Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_

press 'q' to quit. any other key to see status

current password: GA7PB
16190190 passwords tried. elapsed time 00:00:12. t/s:1302291

password found: ROGER:SCOTT

44096071 passwords tried. elapsed time 00:00:33. t/s:1315172

F:\orabf-v0.7.6>

oracleplus.net>; alter user roger identified by killdb$;

User altered.
oracleplus.net>; conn /as sysdba
Connected.
oracleplus.net>; select name,password from user$ where name in('ROGER','SCOTT');

NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          6885905A13FAFAA9
SCOTT                          CDC57F9E62A38D03

oracleplus.net>;

F:\orabf-v0.7.6>orabf 6885905A13FAFAA9:ROGER

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done

Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_

press 'q' to quit. any other key to see status

current password: CW4KD
8236685 passwords tried. elapsed time 00:00:06. t/s:1282510

wrote resume data to ROGER.res

794380208 passwords tried. elapsed time 00:10:05. t/s:1312408

F:\orabf-v0.7.6> ---可以看到,密码比较复杂以后,暴力破解时间就非常漫长了。

我们来看下11g中的情况:
oracleplus.net>; select * from v$version where rownum <3;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production
PL/SQL Release 11.2.0.2.0 - Production

oracleplus.net>;
oracleplus.net>; select username,password from dba_users where username='ROGER';

USERNAME                       PASSWORD
------------------------------ ------------------------------
ROGER

oracleplus.net>; select name,password from user$ where name='ROGER';

NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          F445AB203A65C4DB

F:\orabf-v0.7.6>orabf F445AB203A65C4DB:ROGER

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...
password found: ROGER:ROGER

F:\orabf-v0.7.6>

oracleplus.net>; conn roger/roger
Connected.
oracleplus.net>; --对于较为简单的密码,破解速度是非常快的。

老外还有有个更猛的暴力破解工具ops_sse2,不过该工具仅仅只能破解sys密码,可能软件作者是出于安全考虑吧,下面来试试:

[ora10g@killdb pw_cracker]$ cat filename.txt
SYS:EF78257248B5860C:159
[ora10g@killdb pw_cracker]$
[ora10g@killdb pw_cracker]$ ./ops_sse2 --hashlist=filename.txt
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev
Compiled @ Apr  5 2011 12:25:36
Demo version, supporting only SYS usernames.
username=SYS: 1 unsolved hash(es) left
Checking 1-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 2-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 3-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 4-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 5-symbol passwords for username SYS
overall progress= 61% / time remaining: 3s
time elapsed: 7s, ~ 5783305 passwords/hashes per second
SYS/159: Found password: ROGER
SYS:ROGER:159

oracleplus.net>; conn sys/roger as sysdba
Connected.
oracleplus.net>; show user
USER is "SYS"
oracleplus.net>;

大家可以去http://conus.info/utils/ops_SIMD/ 下载该软件。

--------------------------------------ORACLE-DBA----------------------------------------

最权威、专业的Oracle案例资源汇总之【案例】Oracle数据库忘记用户密码 暴力破解的方法案例

本文由大师惜分飞原创分享,网址:http://www.oracleplus.net/arch/1332.html

Oracle研究中心

关键词:

Oracle数据库用户忘记密码的解决办法

忘记oracle 用户密码怎么办?