Jared,
  I'll have a go when I get the chance.
  Did I hear someone on the list mention that you are bringing out an
Oracle/Perl book?

Jim

-----Original Message-----
[EMAIL PROTECTED]
Sent: 31 January 2002 18:39
To: Multiple recipients of list ORACLE-L


For those of you that use Perl and DBI, here's a script to check for default
passwords. If you feel like extending the password list ( hint, hint ), I
wouldn't mind a bit.

Jared

#!/export/home/oracle/perl/bin/perl

# odpc.pl
# oracle default password check
# Jared Still
# [EMAIL PROTECTED]

use warnings;
use DBI;
use strict;

use Getopt::Long;

my %optctl = ();

Getopt::Long::GetOptions(
   \%optctl,
   "database=s",
   "username=s",
   "password=s",
   "sysdba!",
   "sysoper!",
   "z","h","help");

my($db, $username, $password, $connectionMode);

if (
   $optctl{h}
   || $optctl{z}
   || $optctl{help}
) {
   Usage(0);
}

$connectionMode = 0;
if ( $optctl{sysoper} ) { $connectionMode = 4 }
if ( $optctl{sysdba} ) { $connectionMode = 2 }

if ( ! defined($optctl{database}) ) {
   Usage(1);
   die "database required\n";
}
$db=$optctl{database};


if ( ! defined($optctl{username}) ) {
   Usage(1);
   die "username required\n";
}

$username=$optctl{username};
# note: a password given on the command line is visible to other
# users of the machine in the process list while the script runs
$password = $optctl{password};


my $dbh = DBI->connect(
   'dbi:Oracle:' . $db,
   $username, $password,
   {
      RaiseError => 1,
      AutoCommit => 0,
      ora_session_mode => $connectionMode
   }
   );

die "Connect to  $db failed \n" unless $dbh;

# this is a hash of common default accounts and
# the default passwords in hex form, i.e. the
# password hash as stored in DBA_USERS.PASSWORD.
# in these Oracle releases the hash is derived only
# from the username and the password, so the hash of
# a default password is identical on every database
# and can be compared directly.
# to extend the list, just use this SQL
#
# select username, password
# from dba_users
#
# use the resulting password for accounts that
# you know are using the default password.
# change the password on a test database if
# necessary to get the correct data.

my %defusers =  (
   CTXSYS     => '24ABAB8B06281B4C',
   DBSNMP     => 'E066D214D5421CCC',
   LBACSYS    => 'AC9700FD3F1410EB',
   MDSYS      => '72979A94BAD2AF80',
   OAS_PUBLIC => '9300C0977D7DC75E',
   OLAPDBA    => '1AF71599EDACFB00',
   OLAPSYS    => '3FB8EF9DB538647C',
   ORDPLUGINS => '88A2B2C183431F00',
   ORDSYS     => '7EFA02EC7EA6B86F',
   OUTLN      => '4A3BA55E08595C81',
   SYS        => 'D4C5016086B2DC6A',
   SYSTEM     => 'D4DF7931AB130E37',
   TRACESVR   => 'F9DA8977092B7B81',
   WEBSYS     => 'A97282CE3D94E29E',
   WKSYS      => '545E13456B7DDEA0'
);

my $MySql="select username, password from dba_users ";
$MySql .= q{ where username in('} . join(q{','}, keys %defusers) . q{')};

#print "sql: $MySql\n";

my $sth = $dbh->prepare($MySql);

# RaiseError is set on the handle, so a failed execute dies anyway;
# the explicit check keeps the statement text in the message
$sth->execute or die "error with statement $MySql \n";

while( my $hash = $sth->fetchrow_hashref ) {
   #print "username: $hash->{USERNAME}   password: $hash->{PASSWORD}\n";
   if ( exists $defusers{$hash->{USERNAME}} ) {
      if ( $defusers{$hash->{USERNAME}} eq $hash->{PASSWORD} ) {
         printf("Account %-20s is using a default password\n",
                $hash->{USERNAME});
      }
   }
}

$dbh->disconnect;

sub Usage {
   my $exitval = shift;
   use File::Basename;
   my $basename = basename($0);

   print qq{

usage: $basename  Oracle Default Password Checker

-database ORACLE_SID
-username DBA account
-password account password
          use one of the following options
          to connect as SYSOPER or SYSDBA

          [-sysdba || -sysoper]

};

   exit $exitval;

}
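A way to produce the hex values in Jared's %defusers table without first changing passwords on a test database, added here as an example and not part of the original post or of odpc.pl: Oracle releases of this era hash uppercase(username . password) with two DES-CBC passes, so a default pair from James McCann's list further down the thread hashes to the same value on every database. It assumes the CPAN module Crypt::DES is installed; the candidate pairs are taken from the thread.

```perl
#!/usr/bin/perl
# Added example (not from odpc.pl): compute the Oracle 7-10g password
# hash for a username/password pair so %defusers can be extended from
# a plain user/password list. Assumes CPAN module Crypt::DES.
use strict;
use warnings;
use Crypt::DES;

# fixed DES key Oracle uses for the first CBC pass
my $ORACLE_DES_KEY = pack('H16', '0123456789ABCDEF');

# DES-CBC encrypt $data (already a multiple of 8 bytes) under $key with
# a zero IV and return only the final ciphertext block.
sub des_cbc_last_block {
    my ($key, $data) = @_;
    my $des  = Crypt::DES->new($key);
    my $prev = "\0" x 8;
    for (my $off = 0; $off < length($data); $off += 8) {
        # string XOR of the plaintext block with the previous block
        $prev = $des->encrypt(substr($data, $off, 8) ^ $prev);
    }
    return $prev;
}

# The input is uppercase(username . password), so the only "salt" is the
# username itself: a known default pair hashes identically everywhere.
sub oracle_password_hash {
    my ($user, $pass) = @_;
    # each character becomes a 16-bit big-endian value (0x00, then the byte)
    my $text = join '', map { "\0$_" } split //, uc("$user$pass");
    $text .= "\0" x ((8 - length($text) % 8) % 8);   # zero-pad to 8 bytes
    my $derived_key = des_cbc_last_block($ORACLE_DES_KEY, $text);
    return uc(unpack('H16', des_cbc_last_block($derived_key, $text)));
}

# pairs from James McCann's list; SYS, SYSTEM, OUTLN and DBSNMP should
# come out equal to the corresponding entries in Jared's %defusers
my %candidates = (
    SYS    => 'CHANGE_ON_INSTALL',
    SYSTEM => 'MANAGER',
    SCOTT  => 'TIGER',
    OUTLN  => 'OUTLN',
    DBSNMP => 'DBSNMP',
);
for my $u (sort keys %candidates) {
    printf "   %-10s => '%s',\n", $u, oracle_password_hash($u, $candidates{$u});
}
```

The output is already in the `NAME => 'HEX'` form used by the %defusers hash, so it can be pasted straight into the script.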

"James McCann" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/31/02 08:42 AM
Please respond to ORACLE-L


To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc:
Subject: RE: OPS$ / default accounts


Speaking of default accounts with default passwords, here is my list that I
check for. Anyone want to compare notes :) i.e. have I missed any?

Thanks,

Jim


perfstat/perfstat
TRACESVR   ???   is only used with 7.x Databases
REPADMIN   ???
CTXSYS/CTXSYS
DBSNMP/DBSNMP
INTERNAL/ORACLE
MDSYS/MDSYS
MTSSYS/MTSSYS
ORDPLUGINS/ORDPLUGINS
ORDSYS/ORDSYS
OUTLN/OUTLN
SYS/CHANGE_ON_INSTALL
SYSTEM/MANAGER
SCOTT/TIGER

-----Original Message-----
Kirti
Sent: 31 January 2002 15:25
To: Multiple recipients of list ORACLE-L


Stephane,
 Thanks. Yes, we are properly fenced....
 None of the databases have those default accounts with default passwords.
We do not use OEM and that agent. Passwords of critical accounts get changed
regularly and often. Database user ids are generated & approved by Data
Security group before DBAs can add them to databases (so others do not know
and can not guess who has what id), and they request reports of access
privileges when least expected.
 So, it's all how you manage your set up. When I joined this company I was
going nuts about such things (remote_os_authent, default links by virtue of
Oracle Names etc), but as I learned the environment I was comfortable.. And
it is helping us more than creating problems and concerns.

Cheers !

- Kirti

-----Original Message-----
Sent: Thursday, January 31, 2002 2:20 AM
To: Multiple recipients of list ORACLE-L


"Deshpande, Kirti" wrote:
>
> We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do
> this, but we have to, and that's another topic...
>
> We also use a specific auth prefix.
>
> Now, can someone show me how a Windoze user, 'GOD' get in the database when
> I do not have a user, '<Auth_Prefix>GOD' in my database.
>
> I say, I have nothing to worry about this setup as long as 'GOD' user in my
> database is controlled appropriately via roles, grants, profile etc....
>
> Sure, if I had <auth_prefix>GOD in the database, I will be looking for
> another job....
> Right?
>
> - Kirti
>

The problem as I see it is that it's fairly easy to get the names of
users on a database. The number of databases you can connect to using
dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can
query ALL_USERS. I must say that I am truly hopeless with any Microsoft
OS, so you could safely let me with admin rights on the box when I feel
at my most mischievous. But imagine I come with Linux on my laptop, I
plug (like many 'nomad' users often do) into your network, manage to
connect (as a less-than-nothing user), check the user list, spot
something looking like a prefix, and use this information to add with
linuxconf a suitably named account to my machine? I am certain that in
your case everything is correctly fenced, but I have met many many many
databases where the standard in terms of grants was 'TO PUBLIC', and
where database links were PUBLIC as well, and usually connected to the
other database as the owner of most tables (even as DBA).
IMHO, if you really want to be secure, you must first know Oracle and
your environment well, and also audit sensitive information.

--
Regards,

Stephane Faroult
Oriole Ltd
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Stephane Faroult
  INET: [EMAIL PROTECTED]

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Deshpande, Kirti
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: James McCann
  INET: [EMAIL PROTECTED]




--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author:
  INET: [EMAIL PROTECTED]


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: James McCann
  INET: [EMAIL PROTECTED]
