SQL Developer:
%APPDATA%\SQL Developer\system*\o.jdeveloper.db.connection*\connections.xml
<StringRefAddr addrType="password">
<Contents>F35q3vdbVrI=</Contents>
</StringRefAddr>
%APPDATA%\SQL Developer\system*\o.sqldeveloper*\product-preferences.xml
<value n="db.system.id" v="3e8efb59-8a5a-4c13-b1d5-ff64f987787f"/>
$ java Decrypt_V4 F35q3vdbVrI= 3e8efb59-8a5a-4c13-b1d5-ff64f987787f
https://github.com/ReneNyffenegger/Oracle-SQL-developer-password-decryptor
$ python sqldeveloperpassworddecryptor.py -d 3e8efb59-8a5a-4c13-b1d5-ff64f987787f -p F35q3vdbVrI=
https://github.com/maaaaz/sqldeveloperpassworddecryptor
++++++++++++++++++
In Oracle 10g and all previous versions, the password is not encrypted at all. It is simply a DES hash that is salted with the username, both of which can be found quite easily in the DBA_USERS view.
In Oracle 11g, if backwards compatibility is not necessary, SHA-1 is used exclusively, uses an unlisted salt, and is a much harder nut to crack.
Question: I need to understand the importance of the spare4 column of the user$ table. This is not documented in Oracle but I understand that spare4 can be used to compromise Oracle passwords. Can you shed some light on the spare4 column?
Answer: Starting in Oracle 11g, the Oracle the hash password is no longer stored in DBA_USERS. Instead, the hash password is stored inside the SYS.USER$ table in the column "password" and "spare4″.
If your password_versions is 11g only then you will need to look in the sys.user$ spare4 column and you will see a much larger hex number. This is because Oracle has switched to the SHA-1 algorithm.
This means that there are different ways password can be set depending on whether "password" and "spare4″ are set in SYS.USER$.
This new SHA-1 algorithm is more secure than the old, and unlike the 10g and lower hashing does not appear to use the username to generate the hash instead a new salt value is added which is stored in the last 20 characters of the SPARE4 hash. It is possible the salt is somehow derived from the username but Oracle has not documented this feature for obvious reasons.
++++++++++++++++
Oracle Password Algorithm (7-10g Rel.2)
Up to 30 characters long. All characters will be converted to uppercase before the hashing starts
8-byte hash, encrypted with a DES encryption algorithm without real salt (just the username).
The algorithm can be found in the book "Special Ops Host And Network Security For Microsoft, Unix, And Oracle" on page 727.
Oracle database 11g offers the (optional) possibility to use passwords up to 30 characters (uppercase/lowercase). In Oracle 11g the passwords are now hashed with DES (column: password) AND using SHA-1 (column: spare4). The SHA-1 passwords are now supporting mixed-case passwords. In 11g the password hashes are no longer available in dba_users.
Oracle (7-10g R2) encrypts the concatenation of (username||password)
and sys/temp1 and system/p1 have the identical hashkey (2E1168309B5B9B7A)
Oracle (11g R1) uses SHA-1 to hash the concatenation of (password||salt)
Location of Oracle password hashes
Database - SYS.USER$ - Password
Oracle Password File
Data File of the system tablespace
(full) Export-Files
archive logs
Show Oracle password hashkey (old DES hash)
You should always select database users from the table not from the views (ALL_USERS, DBA_USERS). An explanation (modification of database views via rootkits) can be found here.
DBA_USERS : SELECT username, password FROM DBA_USERS;
SYS.USER$ : SELECT name,password FROM SYS.USER$ WHERE password is not null;
Show Oracle password hashkey (11g, new SHA-1 hash)
In 11g the password hash is no longer accessible via dba_users
SYS.USER$ : SELECT name,spare4 FROM SYS.USER$ WHERE password is not null;
How to change an Oracle password temporarily?
In Oracle it is possible to change a password temporarily. This can be useful for DBA which act as a different user.
SQL> select username,password from dba_users where username='SCOTT';
USERNAME PASSWORD
-------- ----------------
SCOTT F894844C34402B67
SQL> alter user scott identified by mypassword;
Now login with the following credentials: scott/tiger
After doing your work you can change the password back by using an undocumented feature called "by values"
SQL> alter user scott identified by values 'F894844C34402B67';
Q: How are Oracle passwords encrypted?
A: Oracle passwords are encrypted using the Data Encryption Standard (DES) algorithm to create eight-byte hashes stored in the table SYS.USER$.To create the hash, the username and the password are appended together and broken up into eight-byte pieces.The first eight bytes of the username/password are used as a key to DES encrypt the magic number 0x0123456789ABCDEF.The resulting eight bytes are then encrypted with the next eight bytes of the username/password, resulting in a new eight-byte value.This process is repeated until the entire username/password has been used. One interesting characteristic to note is the “salt” used to create the hash. The salt is actually the username.This adds some additional security in that different users with the same passwords will have different hashes. However, it falls short of a true salt in that the same password will always hash to the same value when used by the same user.
