What to do when you forget an Oracle user password?

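Yesterday a reader asked how to deal with a forgotten user password in Oracle 10g; here is the answer.
The aim of this post is not to cover changing the password with alter user or rebuilding the password
file with orapwd, because in many situations that is not permitted. In this reader's case, for example,
the application is about to go live, and changing the password with alter user would mean changing the
application configuration as well. In versions before 10g this was easy to handle; in 10g and later it
is not so easy.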
[ora10g@killdb ~]$ sqlplus "/as sysdba"

SQL*Plus: Release 10.2.0.5.0 - Production on Sat Nov 5 21:00:31 2011

Copyright (c) 1982, 2010, Oracle.  All Rights Reserved.

Connected to an idle instance.

SQL> startup
ORACLE instance started.

Total System Global Area  167772160 bytes
Fixed Size                  1272600 bytes
Variable Size              83887336 bytes
Database Buffers           79691776 bytes
Redo Buffers                2920448 bytes
Database mounted.
Database opened.
SQL> alter user roger identified by roger;

User altered.

SQL> alter user SCOTT identified by scott;

User altered.

SQL> alter user SCOTT account unlock;

User altered.

SQL> select username,password from dba_users where
  2  username in('ROGER','SCOTT');

USERNAME                       PASSWORD
------------------------------ ------------------------------
ROGER                          F445AB203A65C4DB
SCOTT                          CDC57F9E62A38D03

SQL>
SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          F445AB203A65C4DB
SCOTT                          CDC57F9E62A38D03

SQL> alter user roger identified by values 'CDC57F9E62A38D03';

User altered.

SQL> conn roger/scott
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.
SQL>
SQL> conn /as sysdba
Connected.
SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          CDC57F9E62A38D03
SCOTT                          CDC57F9E62A38D03

SQL>
SQL> alter user roger identified by scott;

User altered.

SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          0212881AEAA22C4F
SCOTT                          CDC57F9E62A38D03

SQL>
SQL> conn roger/scott
Connected.
SQL>
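As we can see, the traditional approach no longer works in 10g: even when the password hash values are identical, the passwords may still differ. In the session above, the same password scott produces a different hash for ROGER (0212881AEAA22C4F) than for SCOTT (CDC57F9E62A38D03), so copying SCOTT's hash onto ROGER does not let ROGER log in with scott.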

Let's look at the definition of dba_users:
SQL> select owner,object_name,object_type from dba_objects
  2  where object_name='DBA_USERS';

OWNER                          OBJECT_NAME                    OBJECT_TYPE
------------------------------ ------------------------------ -------------------
SYS                            DBA_USERS                      VIEW
PUBLIC                         DBA_USERS                      SYNONYM

SQL> select dbms_metadata.get_ddl('VIEW','DBA_USERS','SYS') from dual;

DBMS_METADATA.GET_DDL('VIEW','DBA_USERS','SYS')
--------------------------------------------------------------------------------

  CREATE OR REPLACE FORCE VIEW "SYS"."DBA_USERS" ("USERNAME", "USER_ID", "PASSWO
RD", "ACCOUNT_STATUS", "LOCK_DATE", "EXPIRY_DATE", "DEFAULT_TABLESPACE", "TEMPOR
ARY_TABLESPACE", "CREATED", "PROFILE", "INITIAL_RSRC_CONSUMER_GROUP", "EXTERNAL_
NAME") AS
  select u.name, u.user#, u.password,
       m.status,
       decode(u.astatus, 4, u.ltime,
                         5, u.ltime,
                         6, u.ltime,
                         8, u.ltime,
                         9, u.ltime,
                         10, u.ltime, to_date(NULL)),
       decode(u.astatus,
              1, u.exptime,
              2, u.exptime,
              5, u.exptime,
              6, u.exptime,
              9, u.exptime,
              10, u.exptime,
              decode(u.ptime, '', to_date(NULL),
                decode(pr.limit#, 2147483647, to_date(NULL),
                 decode(pr.limit#, 0,
                   decode(dp.limit#, 2147483647, to_date(NULL), u.ptime +
                     dp.limit#/86400),
                   u.ptime + pr.limit#/86400)))),
       dts.name, tts.name, u.ctime, p.name,
       nvl(cgm.consumer_group, 'DEFAULT_CONSUMER_GROUP'),
       u.ext_username
       from sys.user$ u left outer join sys.resource_group_mapping$ cgm
            on (cgm.attribute = 'ORACLE_USER' and cgm.status = 'ACTIVE' and
                cgm.value = u.name),
            sys.ts$ dts, sys.ts$ tts, sys.profname$ p,
            sys.user_astatus_map m, sys.profile$ pr, sys.profile$ dp
       where u.datats# = dts.ts#
       and u.resource$ = p.profile#
       and u.tempts# = tts.ts#
       and u.astatus = m.status#
       and u.type# = 1
       and u.resource$ = pr.profile#
       and dp.profile# = 0
       and dp.type#=1
       and dp.resource#=1
       and pr.type# = 1
       and pr.resource# = 1

A key base table here is user$, which is defined as follows:
create table user$                                             /* user table */
( user#         number not null,                   /* user identifier number */
  name          varchar2("M_IDEN") not null,                 /* name of user */
  type#         number not null,                       /* 0 = role, 1 = user */
  password      varchar2("M_IDEN"),                    /* encrypted password */
  datats#       number not null, /* default tablespace for permanent objects */
  tempts#       number not null,  /* default tablespace for temporary tables */
  ctime         date not null,                 /* user account creation time */
  ptime         date,                                /* password change time */
  exptime       date,                     /* actual password expiration time */
  ltime         date,                         /* time when account is locked */
  resource$     number not null,                        /* resource profile# */
  audit$        varchar2("S_OPFL"),                    /* user audit options */
  defrole       number not null,                  /* default role indicator: */
               /* 0 = no roles, 1 = all roles granted, 2 = roles in defrole$ */
  defgrp#       number,                                /* default undo group */
  defgrp_seq#   number,               /* global sequence number for  the grp *
  spare         varchar2("M_IDEN"),                   /* reserved for future */
  astatus       number default 0 not null,          /* status of the account */
                /* 1 = Locked, 2 = Expired, 3 = Locked and Expired, 0 - open */
  lcount        number default 0 not null, /* count of failed login attempts */
  defschclass   varchar2("M_IDEN"),                /* initial consumer group */
  ext_username  varchar2("M_VCSZ"),                     /* external username */
  spare1        number, /* used for schema level supp. logging: see ktscts.h */
  spare2        number,
  spare3        number,
  spare4        varchar2(1000),
  spare5        varchar2(1000),
  spare6        date
)
We can see that the password column here holds the DES-encrypted password. In 11g, the encrypted
password can no longer be retrieved by querying dba_users directly.

Next we use orabf to brute-force 10g and 11g user passwords.
F:\orabf-v0.7.6>orabf 0212881AEAA22C4F:ROGER

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done

Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_

press 'q' to quit. any other key to see status

current password: GA7PB
16190190 passwords tried. elapsed time 00:00:12. t/s:1302291

password found: ROGER:SCOTT

44096071 passwords tried. elapsed time 00:00:33. t/s:1315172

F:\orabf-v0.7.6>

SQL> alter user roger identified by killdb$;

User altered.
SQL> conn /as sysdba
Connected.
SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          6885905A13FAFAA9
SCOTT                          CDC57F9E62A38D03

SQL>

F:\orabf-v0.7.6>orabf 6885905A13FAFAA9:ROGER

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done

Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_

press 'q' to quit. any other key to see status

current password: CW4KD
8236685 passwords tried. elapsed time 00:00:06. t/s:1282510

wrote resume data to ROGER.res

794380208 passwords tried. elapsed time 00:10:05. t/s:1312408

F:\orabf-v0.7.6> ---As you can see, once the password is more complex, brute-forcing takes a very long time.

Now let's look at the situation in 11g:
SQL> select * from v$version where rownum <3;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production
PL/SQL Release 11.2.0.2.0 - Production

SQL>
SQL> select username,password from dba_users where username='ROGER';

USERNAME                       PASSWORD
------------------------------ ------------------------------
ROGER

SQL> select name,password from user$ where name='ROGER';

NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          F445AB203A65C4DB

F:\orabf-v0.7.6>orabf F445AB203A65C4DB:ROGER

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...
password found: ROGER:ROGER

F:\orabf-v0.7.6>

SQL> conn roger/roger
Connected.
SQL> --For a fairly simple password, cracking is very fast.
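
The 11g session above shows DBA_USERS hiding the hash while SYS.USER$ still returns the same 10g-style value. The audit queries below are an added example, not part of the original post; they assume an 11g database and a DBA session, and list which accounts still carry the 10g verifier and who is able to read USER$.

```sql
-- Added audit example (not from the original post). Assumes Oracle 11g, run as a DBA.

-- 1. Accounts that still carry the legacy 10g DES-based verifier.
--    PASSWORD_VERSIONS is a DBA_USERS column introduced in 11g.
select username, account_status, password_versions
  from dba_users
 where password_versions like '%10G%'
 order by username;

-- 2. Grantees with a direct object privilege on SYS.USER$,
--    the base table that still exposes the PASSWORD column.
select grantee, privilege, grantable
  from dba_tab_privs
 where owner = 'SYS'
   and table_name = 'USER$'
 order by grantee;

-- 3. Grantees holding SELECT ANY DICTIONARY, which in 11g
--    also allows reading SYS.USER$.
select grantee, privilege, admin_option
  from dba_sys_privs
 where privilege = 'SELECT ANY DICTIONARY'
 order by grantee;

-- 4. Accounts whose password is still a known Oracle default
--    (view available from 11g; it does not detect password = username
--    for locally created accounts such as ROGER).
select username
  from dba_users_with_defpwd
 order by username;
```

Any grantee returned by queries 2 or 3 can obtain the hashes shown in this post without SYSDBA, so those lists should be as short as the accounts in query 1.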

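There is also an even faster brute-force tool from abroad, ops_sse2, although it can only crack the
SYS password, perhaps because its author restricted it for security reasons. Let's try it: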
[ora10g@killdb pw_cracker]$ cat filename.txt
SYS:EF78257248B5860C:159
[ora10g@killdb pw_cracker]$
[ora10g@killdb pw_cracker]$ ./ops_sse2 --hashlist=filename.txt
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev
Compiled @ Apr  5 2011 12:25:36
Demo version, supporting only SYS usernames.
username=SYS: 1 unsolved hash(es) left
Checking 1-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 2-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 3-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 4-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 5-symbol passwords for username SYS
overall progress= 61% / time remaining: 3s
time elapsed: 7s, ~ 5783305 passwords/hashes per second
SYS/159: Found password: ROGER
SYS:ROGER:159

SQL> conn sys/roger as sysdba
Connected.
SQL> show user
USER is "SYS"
SQL>

You can download the tool from http://conus.info/utils/ops_SIMD/ .
