Re: Looking for Oracle password cracker

The following script, when run as sys, allows you to assume the identity of
another user without knowing his/her password, and return it to normal
after.
There is also a security loophole many people know about: if you start
server manager and type "connect (type anything here) as sysdba", you get
in with no password and full rights. Try it.

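rem Run as SYS with the target username as argument 1. Writes a restore
rem script holding the user's current password hash and profile.
set pagesize 0 feedback off verify off echo off termout off
spool d:\scripts\reset.sql
select 'alter user &&1 identified by values '||''''||
password||''''||' profile '||profile||';'
from dba_users where username = upper('&&1');
rem No quotes around the prompt text: PROMPT writes them out literally, and
rem the generated script would then fail on those two lines.
prompt host del d:\scripts\reset.sql
prompt exit
spool off
exit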



Andrew Rodnite <[Email Address Removed]>
To: "LazyDBA.com Discussion" <[Email Address Removed]>
cc:
Subject: Looking for Oracle password cracker
07/30/2001 04:10 PM

Hi All,

Does anyone know of any Oracle Password cracking utilities i.e.
programs similar to "Crack" or "John-the-Ripper" but for Oracle. I
seem to recall sometime long ago someone posting a PL/SQL package
that did something along these lines sometime ago.

I called Oracle support; they were not helpful and mentioned that the
password encryption algorithm was proprietary.

In any case any pointers to any documentation as to what is being used
to encrypt the password (eg. DES etc.) would be greatly appreciated.

I will summarize.

Thanks,
Andrew T. Rodnite
Unix and Oracle Security Analyst
Maxim Group
(612) 310-9080
[Email Address Removed]
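For anyone reviewing a database for the technique in the reply above, the statement to look for is ALTER USER ... IDENTIFIED BY VALUES. The following detection sketch is an added example, not part of the original thread; the pipe-separated record layout, the sample records, the hash strings and the function name find_hash_sets are all constructed for illustration, and it assumes the SQL text of privileged sessions is available from some audit source.

```python
import re
from datetime import datetime, timedelta

# Constructed records: timestamp|session user|SQL text. The layout is an
# assumption for this example, not an Oracle audit-trail format.
SAMPLE_AUDIT = """\
2001-07-30 16:02:11|SYS|alter user SCOTT identified by "Temp#1"
2001-07-30 16:02:40|SYSTEM|alter user HR quota 10M on users
2001-07-30 16:09:53|SYS|alter user SCOTT identified by values '0000000000000000' profile DEFAULT
2001-07-30 18:30:00|SYSTEM|ALTER USER apps IDENTIFIED BY VALUES '1111111111111111'
"""

# Group "hash" is set only for the IDENTIFIED BY VALUES '<hash>' form;
# an ordinary password change leaves it as None.
ALTER_RE = re.compile(
    r"^\s*alter\s+user\s+(?P<user>\"[^\"]+\"|\S+)\s+identified\s+by\s+"
    r"(?:values\s+'(?P<hash>[^']*)'|\S+)",
    re.IGNORECASE,
)


def find_hash_sets(log_text, window=timedelta(hours=1)):
    """Return (time, actor, account, kind) for every IDENTIFIED BY VALUES.

    kind is "change-then-restore" when the same account had an ordinary
    password change within `window` beforehand, otherwise "hash-set".
    """
    last_change = {}  # account -> time of its most recent plain password change
    findings = []
    for line in log_text.splitlines():
        if line.count("|") < 2:
            continue  # skip blank or malformed records
        ts_raw, actor, sql = line.split("|", 2)
        m = ALTER_RE.match(sql)
        if not m:
            continue  # not a password-related ALTER USER
        ts = datetime.strptime(ts_raw, "%Y-%m-%d %H:%M:%S")
        # Normalised for matching only; quoted names are case-sensitive in Oracle.
        account = m.group("user").strip('"').upper()
        if m.group("hash") is None:
            last_change[account] = ts
            continue
        prior = last_change.pop(account, None)
        swapped = prior is not None and ts - prior <= window
        findings.append(
            (ts_raw, actor, account, "change-then-restore" if swapped else "hash-set"))
    return findings
```

A "hash-set" finding on its own can be legitimate, since the same statement is used when copying accounts between databases; the paired form is the one worth following up with the session's owner.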