Oracle Default Password Auditing Tool
======================================

This page hosts a simple command line tool that can be used to check if any 
default users are installed in your database and more importantly whether those 
default users still have their default passwords set to known values. The tool 
was created by Marcel-Jan Krijgsman who works for Transfer Solutions 
(http://www.transfer-solutions.com) in Holland and he has kindly allowed me to 
host this tool here on my site.

The Problem
============

This is a command line based tool for checking Oracle default users and their 
passwords in your database. The problem of default users and passwords is 
well known for most software applications but is a particularly large problem 
for Oracle databases and associated products and features. There are literally 
hundreds of known default users and passwords. This tool includes a list of 
474 known users and their passwords. Why is this an issue? Simply because 
quite often these users get installed into a database. They come from Oracle 
supplied scripts, from well known third party business applications and tools 
and also from books, documentation and papers. Some software insists on having 
a certain user created with a certain password. If you happen to run this 
software (I am talking generally here) and do not know how to change the 
password or the supplier insists it cannot be changed then you have problems. 
This can also be exacerbated when these default users have excess privileges. 
Guessing usernames and their passwords is the simplest way to access your data 
for a hacker, malicious employee or even a bored employee. You owe it to your 
business to use a tool like this regularly.

Authorship and Credit
=====================

These scripts and the default password list were created by Marcel-Jan 
Krijgsman who works for Transfer Solutions (http://www.transfer-solutions.com). 
For any update suggestions or problems, please email default@petefinnigan.com
in the first instance.

List of Files in the Archive
==============================

Readme.txt:

	A file that describes the files in the archive. This file.

Oracle default password hashes.xls:

	This is a spreadsheet of known Oracle default users and their passwords. 
	This list was derived by Marcel-Jan from a list compiled by Justin Williams. 
	The original sources are indicated by Marcel-Jan in the spreadsheet. The 
	spreadsheet also includes a username, password, security level (based on 
	the privileges of the user), hash and also a description of the user. The 
	final column also includes an SQL statement that can be used to install 
	the list into an Oracle database as part of this tool.

osp_install.sql: 

	This script is used to install the complete package. It first installs 
	the user, then the table, the package and data. It does this by running 
	the previous install scripts.

osp_install_user.sql:

	This script creates a database user called ORAPROBE that owns the table 
	and package procedure used. The script prompts for a password and also
	a default and temporary tablespace.

osp_install_pack.sql:

	This script creates the main database package procedure OSP_PACK that 
	is used to run the checks.

osp_install_tab.sql:

	This script creates the database table that is used to hold the details 
	of each default user.

osp_install_data.sql:

	This script installs the data that lists each default user and the 
	details for them. The script is derived from the spreadsheet mentioned 
	above.

osp_exec.sql:

	This is the main function. This script is run in SQL*Plus as the 
	ORAPROBE user account. The script first creates the name of the 
	spool file for capturing the output then spools to it before calling 
	the OSP_PACK.DEFAULT_PASS_CHECK procedure to check for all of the 
	default users in the table created from the spreadsheet.

osp_exec_accounts.sql:

	This script is called by osp_exec.sql and this script actually runs 
	the package procedure.
	
Output Files
============

The tool creates two output files. The first is osp_exec.lis, which simply 
defines the file name of the second; the second records the details of the run. 
Its filename is of the form osp_accounts_sans.us.oracle.com_200410261150: the 
first part is fixed, the second part identifies the database instance and the 
last part is the date and time of the run. This means that multiple runs give 
separate output files.

How Does It Work
================

The set of scripts written by Marcel-Jan is simple to use and simple in 
concept. The default usernames and password hashes are loaded into a table in 
the database being checked. The package procedure then loops through all the 
users in the database, checks whether each one exists in the list of default 
users and, if so, compares the stored password hash with the hash of the known 
default password. Any match is reported together with the details of the 
default user.
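The check just described, as an added illustration rather than one of the OSP scripts: a list table with constructed rows and an anonymous PL/SQL block that walks DBA_USERS and compares hashes. The table, column names and placeholder hashes are assumptions, and the block assumes Oracle 10g or earlier, where DBA_USERS.PASSWORD still exposes the hash.

```sql
-- Added illustration, not one of the OSP scripts: table, column and
-- placeholder hash values are assumptions. Assumes Oracle 10g or earlier,
-- where DBA_USERS.PASSWORD holds the legacy 16-character hash.
CREATE TABLE default_pw_list (
    username    VARCHAR2(30)  NOT NULL,
    pw_hash     VARCHAR2(16)  NOT NULL,  -- hash of the published default password
    sec_level   NUMBER(1),               -- risk rating based on the account's privileges
    description VARCHAR2(200)
);

-- Constructed sample rows; the hashes are placeholders, not real values
INSERT INTO default_pw_list VALUES ('SCOTT',  'PLACEHOLDERHASH1', 2, 'Demo schema shipped with Oracle');
INSERT INTO default_pw_list VALUES ('DBSNMP', 'PLACEHOLDERHASH2', 3, 'Enterprise Manager agent account');
COMMIT;

SET SERVEROUTPUT ON

-- Walk every database user, look it up in the list, then compare hashes.
DECLARE
    l_known   BOOLEAN;   -- user name appears in the default list
    l_default BOOLEAN;   -- stored hash equals a listed default hash
BEGIN
    FOR u IN (SELECT username, password, account_status FROM dba_users) LOOP
        l_known   := FALSE;
        l_default := FALSE;
        -- one account can have several published defaults, so check every entry
        FOR l IN (SELECT pw_hash, sec_level, description
                  FROM   default_pw_list
                  WHERE  username = u.username) LOOP
            l_known := TRUE;
            IF l.pw_hash = u.password THEN
                l_default := TRUE;
                DBMS_OUTPUT.PUT_LINE('DEFAULT PASSWORD SET: ' || u.username ||
                    ' [' || u.account_status || '] level ' || l.sec_level ||
                    ' - ' || l.description);
            END IF;
        END LOOP;
        -- a known default account whose password was changed is still worth listing,
        -- since it may carry the excess privileges the default ships with
        IF l_known AND NOT l_default THEN
            DBMS_OUTPUT.PUT_LINE('default account present, password changed: ' ||
                u.username || ' [' || u.account_status || ']');
        END IF;
    END LOOP;
END;
/
```

On 11g and later the hash is held in SYS.USER$ rather than DBA_USERS, and Oracle ships its own DBA_USERS_WITH_DEFPWD view for this check.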

The scripts can be downloaded from http://www.petefinnigan.com/default/default_password_checker.htm