Check Password

Checkpwd 1.22 is a very fast (if not the fastest) dictionary-based password checker for Oracle databases. It is a useful tool for DBAs to identify Oracle accounts with weak or default passwords. Checkpwd reads the password hashes from the view dba_users and compares them with the hashes calculated from the supplied dictionary file. One benefit is that, if passwords are found, the tool also tells you whether the account is locked or expired, something similar tools do not give you. It is available for both Windows and Linux from here.

Installation:

Simply download and extract the file to the required directory:

Note: For this to work, the tnsnames.ora file must be correctly configured with all details of the Oracle instance (SID) you are going to test.

Execution:

    checkpwd <-quiet> <connect_string or user:password_hash> <password_file>

i.e.

    checkpwd -quiet system/manager@mydbserver password_file.txt

or:

    checkpwd SCOTT:F894844C34402B67 password_file.txt

Expected Output:

    C:\Documents and Settings\hacker\chkpwd>checkpwd.exe dbsnmp/password@test passwords.txt
    Checkpwd 1.10 - (c) 2005 by Red-Database-Security GmbH
    Oracle Security Consulting, Security Audits & Security Trainings
    http://www.red-database-security.com

    initializing Oracle client library
    connecting to the database
    retrieving users and password hash values
    opening weak password list file
    reading weak passwords list
    checking passwords
    MGMT_VIEW OK [OPEN]
    SYS has weak password PASSWORD [OPEN]
    SYSTEM has weak password PASSWORD [OPEN]
    DBSNMP has weak password PASSWORD [OPEN]
    SYSMAN has weak password PASSWORD [OPEN]
    OUTLN has weak password OUTLN [EXPIRED & LOCKED]
    MDSYS has weak password MDSYS [EXPIRED & LOCKED]
    ORDSYS has weak password ORDSYS [EXPIRED & LOCKED]
    EXFSYS has weak password EXFSYS [EXPIRED & LOCKED]
    DMSYS has weak password DMSYS [EXPIRED & LOCKED]
    WMSYS has weak password WMSYS [EXPIRED & LOCKED]
    CTXSYS has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    ANONYMOUS OK [EXPIRED & LOCKED]
    XDB has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    ORDPLUGINS has weak password ORDPLUGINS [EXPIRED & LOCKED]
    SI_INFORMTN_SCHEMA has weak password SI_INFORMTN_SCHEMA [EXPIRED & LOCKED]
    OLAPSYS has weak password MANAGER [EXPIRED & LOCKED]
    SCOTT has weak password TIGER [EXPIRED & LOCKED]
    TSMSYS has weak password TSMSYS [EXPIRED & LOCKED]
    BI has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    PM has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    MDDATA has weak password MDDATA [EXPIRED & LOCKED]
    IX has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    SH has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    DIP has weak password DIP [EXPIRED & LOCKED]
    OE has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
    HR has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]

    Done. Summary:

    Passwords checked : 9201
    Weak passwords found : 25
    Elapsed time (min:sec) : 0:1
    Passwords / second : 9201
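Because the report includes each account's status, a DBA can sort the findings so that weak passwords on OPEN accounts are fixed first. The script below is an added example, not part of Checkpwd or the original page; the function name `triage`, the result keys and the abridged sample report are assumptions made for illustration.

```python
import re

# Constructed sample, abridged from the report format shown above.
SAMPLE = """\
checking passwords
MGMT_VIEW OK [OPEN]
SYS has weak password PASSWORD [OPEN]
DBSNMP has weak password PASSWORD [OPEN]
OUTLN has weak password OUTLN [EXPIRED & LOCKED]
ANONYMOUS OK [EXPIRED & LOCKED]
SCOTT has weak password TIGER [EXPIRED & LOCKED]
Done. Summary:
Weak passwords found : 4
"""

# "<USER> OK [<STATUS>]" or "<USER> has weak password <PASSWORD> [<STATUS>]"
ACCOUNT = re.compile(r"^(\S+) (?:OK|has weak password (.+?)) \[([^\]]+)\]$")
SUMMARY = re.compile(r"^Weak passwords found\s*:\s*(\d+)$")


def triage(report):
    """Group accounts by urgency and cross-check the tool's own summary count."""
    result = {"open_weak": [], "other_weak": [], "ok": [], "count_matches": None}
    reported = None
    for line in map(str.strip, report.splitlines()):
        if (m := SUMMARY.match(line)):
            reported = int(m.group(1))
        elif (m := ACCOUNT.match(line)):
            user, password, status = m.groups()
            if password is None:
                result["ok"].append(user)
                continue
            # Do not carry the recovered password into the findings list;
            # keep only whether it simply equals the account name.
            entry = (user, status, password.upper() == user.upper())
            key = "open_weak" if status == "OPEN" else "other_weak"
            result[key].append(entry)
    if reported is not None:
        found = len(result["open_weak"]) + len(result["other_weak"])
        # False here means lines were truncated or failed to parse.
        result["count_matches"] = found == reported
    return result


if __name__ == "__main__":
    findings = triage(SAMPLE)
    for user, status, same_as_name in findings["open_weak"]:
        print(f"FIX FIRST: {user} [{status}] password_equals_username={same_as_name}")
    print("summary count matches:", findings["count_matches"])
```

Accounts in `other_weak` still need a password change before they are ever unlocked, since the weak password becomes usable the moment the account is opened.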