Friday, July 31, 2009

Identifying default passwords in Oracle databases.

If you want to scan an Oracle database for accounts with default passwords, Oracle provides patch 4926128, which includes the script dfltpass.sql, documented in Metalink note 227010.1.

From 11g, the Oracle database includes the table SYS.DEFAULT_PWD$, which holds default password hashes, and you can get a list of users with default passwords by simply selecting from DBA_USERS_WITH_DEFPWD.

SQL> select * from DBA_USERS_WITH_DEFPWD;

USERNAME
------------------------------
XDB
MDSYS
TSMSYS
EXFSYS
LBACSYS
SI_INFORMTN_SCHEMA
SPATIAL_CSW_ADMIN_USR
SPATIAL_WFS_ADMIN_USR
DIP
ORACLE_OCM
ORDSYS
SCOTT
WMSYS
CTXSYS
MDDATA
ORDPLUGINS
DBSNMP
DMSYS
OUTLN
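
The view returns only usernames, and it lists an account whether or not it is locked. The queries below are an added example, not part of the original post or of Oracle's dfltpass.sql: they join the view to DBA_USERS to rank the accounts by whether they can log in, then generate lock statements for review. The priority column and the review_before_running alias are names made up for this example.

```sql
-- Added example: triage the accounts reported by DBA_USERS_WITH_DEFPWD.
-- Run as a user with access to the DBA_ views (11g or later).

-- 1. Rank accounts by how exposed they are.
SELECT d.username,
       u.account_status,
       u.profile,
       u.created,
       CASE
         WHEN u.account_status = 'OPEN'        THEN 1  -- can log in now
         WHEN u.account_status LIKE '%LOCKED%' THEN 3  -- blocked until unlocked
         ELSE 2                                        -- expired, login still possible
       END AS priority
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
ORDER  BY priority, d.username;

-- 2. Generate (do not execute blindly) lock statements for every account
--    that is not already locked. Accounts that an application or agent
--    depends on need a new password instead of a lock.
SELECT 'ALTER USER "' || d.username || '" PASSWORD EXPIRE ACCOUNT LOCK;'
         AS review_before_running
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
WHERE  u.account_status NOT LIKE '%LOCKED%'
ORDER  BY d.username;
```

After remediation, rerun the select from DBA_USERS_WITH_DEFPWD. An account that was only locked still appears in the view until its password is changed.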