Penetration Testing mailing list archives
RE: Oracle Default Passwords
From: "Lopes, Leonardo (ISSBrazil)" <llopes () iss net>
Date: Mon, 5 Nov 2001 15:38:10 -0300
Ehlo!
I have made a Perl script to perform a flexible brute force over Oracle
Databases; this script is too simple and needs many improvements.
For use, you need to install Oracle Client on your machine and the Perl-DBI
module. I have made tests over Ora Cli 8i running on Windows 2000.
This can help some people without knowledge of Database servers.
If anyone makes any change to my script, please send it to me.
[]'s
Leo.
PS.: Sorry for my poor English. The SQL Server tests are not implemented.
-----Original Message-----
From: Pete Finnigan [mailto:pete () peterfinnigan demon co uk]
Sent: Friday, November 02, 2001 7:50 PM
To: pen-test () securityfocus com
Subject: Oracle Default Passwords
Hi All
Recently I posted a note to this list about a document about Oracle
security that I wrote and it's had quite a lot of feedback so I thought
people on this list might be interested in a new paper I have created on
all of the Oracle default users and passwords that I could find. There
are now 109 on the list. I still have some more areas to investigate so
there should be more to come.
The list is a table of usernames, passwords and hashes. Also included
with the paper is an SQL script that can be run in SQL*Plus to check if
any of the default users exist in the Oracle database and if the
passwords are still set to the default value.
I also intend this table to be a central list for Oracle default users
and their default passwords. So please if anyone comes across any
usernames / passwords that I have not listed then please let me know.
The list and script are available at
http://www.pentest-limited.com/default-user.htm.
I would like to acknowledge Aaron Newman for letting me update my list
with usernames from his list that I did not have and David Litchfield
has also provided some names that I will add over the next couple of
days.
regards
Pete
--
Pete Finnigan
IT Security Consultant
PenTest Limited
Office 01565 830 990
Fax 01565 830 889
Mobile 07974 087 885
pete.finnigan () pentest-limited com
www.pentest-limited.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Attachment:
brutedb.pl
Current thread:
- Oracle Default Passwords Pete Finnigan (Nov 05)
- RE: Oracle Default Passwords Lopes, Leonardo (ISSBrazil) (Nov 08)
