RE: Oracle Default Passwords

From: Lopes, Leonardo (ISSBrazil) (llopesat_private)
Date: Mon Nov 05 2001 - 10:38:10 PST

    Ehlo!
    
    I have made a Perl script to perform a flexible brute force against Oracle
    databases; this script is too simple and needs many improvements.
    To use it, you need to install Oracle Client on your machine and the Perl-DBI
    module. I have made tests on Ora Cli 8i running on Windows 2000.
    This can help some people without knowledge of database servers.
    If anyone makes any change to my script, please send it to me.
    
    []'s
    
    	Leo.
    
    PS.: Sorry for my poor English. The SQL Server tests are not implemented.
    
    -----Original Message-----
    From: Pete Finnigan [mailto:peteat_private]
    Sent: Friday, November 02, 2001 7:50 PM
    To: pen-testat_private
    Subject: Oracle Default Passwords
    
    
    Hi All
    
    Recently I posted a note to this list about a document about Oracle
    security that I wrote, and it's had quite a lot of feedback, so I thought
    people on this list might be interested in a new paper I have created on
    all of the Oracle default users and passwords that I could find. There
    are now 109 on the list. I still have some more areas to investigate, so
    there should be more to come.
    
    The list is a table of usernames, passwords and hashes. Also included
    with the paper is an SQL script that can be run in SQL*Plus to check if
    any of the default users exist in the Oracle database and if the
    passwords are still set to the default value.
    
    I also intend this table to be a central list for Oracle default users
    and their default passwords. So please, if anyone comes across any
    usernames / passwords that I have not listed, then please let me know.
    
    The list and script are available at
    http://www.pentest-limited.com/default-user.htm.
    
    I would like to acknowledge Aaron Newman for letting me update my list
    with usernames from his list that I did not have, and David Litchfield
    has also provided some names that I will add over the next couple of
    days.
    
    regards
    
    Pete
    --
    Pete Finnigan
    IT Security Consultant
    PenTest Limited
    
    Office  01565 830 990
    Fax     01565 830 889
    Mobile  07974 087 885
    
    pete.finnigan@pentest-limited.com
    
    www.pentest-limited.com
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Nov 08 2001 - 16:39:31 PST