RE: getting users passwords in plain text

From: Powell, Mark D <mark.powell_at_eds.com>
Date: Fri, 19 Oct 2007 15:56:41 -0400
Message-ID: <D1DC33E67722D54A93F05F702C99E2A9017E3D03@usahm208.amer.corp.eds.com>

I see no reason why the user passwords are needed.

A DBA can on 10.2 create objects under that belong to the user and perform grants on the users objects without having to logon as the user. (Yes private database links and a couple of objects require using the user id still but most DBA activity no longer requires switching to being the user)

What was the reason given for needing the user passwords?

There is a way for a privileged user to change a user's password and change it back without ever knowing what it was to begin with. This technique has been posted before.

Mark D Powell -- Phone (313) 592-5148

From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of John Darrah

	Sent: Friday, October 19, 2007 1:25 PM
	To: vincent.verpoort_at_gmail.com
	Cc: Oracle-L Freelists
	Subject: Re: getting users passwords in plain text
	
	
	What version of the database?  It sounds like you need to

connect as these users but don't know the passwords. First as was stated above, its a one way hash so you can't get plain text passwords from hash other than by brute force. Here are your options.

log in as a DBA user and type alter session set current_schema=<user>. This won't actually make you the user but you will be able to see the objects in that schema without typing the
<user>.object_name
if your on on 10.2, you can create a proxy user that connects through the user who's password you don't know. google oracle "proxy users" or "connect through". once this user is setup you can sqlplus into the user who's password you don't know.

On 10/16/07, Vincent verpoort <vincent.verpoort_at_gmail.com> wrote:

I think i was not very clear in my email

What i want is to convert the original hashed password to plain text. I need to know that passwords because if i change them

now, the weblogic guys need a weekend to rest them all. And as we don't have the time because where doing a release on production systems,

this weekend i need the passwords of the users.

changing them means that during the installion of new attributes we can't keep the pools open. editing the install to run it from the system user means we have to

go back to the testing servers first and redo all testing.

About the "I have a question that's a bit unethical. "

The user's are appliction weblogic connection pool users. thats why its a bit unethical and not allot or illegal

Also because these are appliction connection users i can't brute force them as it would not be in time unlesse i got about 7.8 year per user

and the big question

I just got here and the dba before me, well lets put it this way: knew the stuff but didn't put it down anywhere. And doesn't really wanne help anymore. why? don't ask me.

tomorrow ill be at work again and ill give http://www.petefinnigan.com/weblog/archives/archive-102007.html ( see october 9th : thanks Paul Drake ) a try, ill update this mail chain with my findings.

and thank you for all the info it really helped

if anyone has anymore info or a quick fix please email

On 10/16/07, Vincent verpoort <
vincent.verpoort_at_gmail.com <mailto:vincent.verpoort_at_gmail.com> > wrote:

i thought of doing a insert into mytable values (username,password); in the

$ORACLE_HOME/rdbms/admin/utlpwdmg.sql
<http://download-uk.oracle.com/docs/cd/B10501_01/server.920/a96536/ch53.
htm#1005955> but i don't wanne edit or write anything more looking for a scritp that converts the hase to plain text

On 10/16/07, Sweetser, Joe <JSweetser_at_icat.com > wrote:

Not exactly sure what you want to do, but you might google for the undocumented "alter user XXX identified by values..." command. It will let you set the passwords back to what they were without knowing them.

hth,

-joe

From: oracle-l-bounce_at_freelists.org
[mailto: oracle-l-bounce_at_freelists.org
<mailto:oracle-l-bounce_at_freelists.org> ] On Behalf Of Vincent verpoort

				Sent: Tuesday, October 16, 2007 7:14 AM
				To: Oracle-L Freelists
				Subject: getting users passwords in

plain text

Hi Experts,

I have a question that's a bit
unethical.

For a company i'm working for i need to find out what the passwords are of oracle users. As changing them means a lot of work for allot of poeple.

Is there anyway i can clear text the password from dba database, i have sysdba and all privs.

any points would be nice also i want to put this into script so if anyone has something ?

				-- 
				                           Vincent

Verpoort

,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_

Communiceren is begrepen worden

^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-.

			-- 
			                           Vincent Verpoort
			
	
,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_ 
			              Communiceren is begrepen worden

^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-.

		-- 
		                           Vincent Verpoort 
		
	
,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_,.-~`"'~-.,_ 
		              Communiceren is begrepen worden

^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-._,.->*^*<-.

--
http://www.freelists.org/webpage/oracle-l

Received on Fri Oct 19 2007 - 14:56:41 CDT