忘记oracle 用户密码怎么办？

本站文章除注明转载外，均为本站原创： 转载自love wife love life —Roger的Oracle/MySQL/PostgreSQL数据恢复博客

昨天一网友问到，oracle 10g中关于用户密码忘记如何处理的问题？下面进行解答。 本文的目的不是
想说使用alter user去更改或通过orapwd去重建密码文件，因为在很 多情况下是不允许的，比如这个
网友的情况，应用马上要上线，如果alter user修改 密码了，那么势必要去修改应用配置，在10g以
前的版本中容易处理，在10g以及以后版本 这个问题就不那么容易了。

昨天一网友问到，oracle 10g中关于用户密码忘记如何处理的问题？下面进行解答。本文的目的不是

想说使用alter user去更改或通过orapwd去重建密码文件，因为在很多情况下是不允许的，比如这个

网友的情况，应用马上要上线，如果alter user修改密码了，那么势必要去修改应用配置，在10g以

前的版本中容易处理，在10g以及以后版本这个问题就不那么容易了。

[ora10g@killdb ~]$ sqlplus "/as sysdba"
SQL*Plus: Release 10.2.0.5.0 - Production on Sat Nov 5 21:00:31 2011
Copyright (c) 1982, 2010, Oracle.  All Rights Reserved.
Connected to an idle instance.
SQL&gt; startup
ORACLE instance started.
Total System Global Area  167772160 bytes
Fixed Size                  1272600 bytes
Variable Size              83887336 bytes
Database Buffers           79691776 bytes
Redo Buffers                2920448 bytes
Database mounted.
Database opened.
SQL&gt; alter user roger identified by roger;
User altered.
SQL&gt; alter user SCOTT identified by scott;
User altered.
SQL&gt; alter user SCOTT account unlock;
User altered.
SQL&gt; select username,password from dba_users where
2  username in('ROGER','SCOTT');
USERNAME                       PASSWORD
------------------------------ ------------------------------
ROGER                          F445AB203A65C4DB
SCOTT                          CDC57F9E62A38D03
SQL&gt;
SQL&gt; select name,password from user$ where name in('ROGER','SCOTT');
NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          F445AB203A65C4DB
SCOTT                          CDC57F9E62A38D03
SQL&gt; alter user roger identified by values 'CDC57F9E62A38D03';
User altered.
SQL&gt; conn roger/scott
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
SQL&gt;
SQL&gt; conn /as sysdba
Connected.
SQL&gt; select name,password from user$ where name in('ROGER','SCOTT');
NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          CDC57F9E62A38D03
SCOTT                          CDC57F9E62A38D03
SQL&gt;
SQL&gt; alter user roger identified by scott;
User altered.
SQL&gt; select name,password from user$ where name in('ROGER','SCOTT');
NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          0212881AEAA22C4F
SCOTT                          CDC57F9E62A38D03
SQL&gt;
SQL&gt; conn roger/scott
Connected.
SQL&gt;

[ora10g@killdb ~]$ sqlplus "/as sysdba"

SQL*Plus: Release 10.2.0.5.0 - Production on Sat Nov 5 21:00:31 2011

Connected to an idle instance.

SQL> startup

ORACLE instance started.

Total System Global Area 167772160 bytes

Fixed Size 1272600 bytes

Variable Size 83887336 bytes

Database Buffers 79691776 bytes

Redo Buffers 2920448 bytes

Database mounted.

Database opened.

SQL> alter user roger identified by roger;

User altered.

SQL> alter user SCOTT identified by scott;

User altered.

SQL> alter user SCOTT account unlock;

User altered.

SQL> select username,password from dba_users where

2 username in('ROGER','SCOTT');

USERNAME PASSWORD

------------------------------ ------------------------------

ROGER F445AB203A65C4DB

SCOTT CDC57F9E62A38D03

SQL>

SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME PASSWORD

------------------------------ ------------------------------

ROGER F445AB203A65C4DB

SCOTT CDC57F9E62A38D03

SQL> alter user roger identified by values 'CDC57F9E62A38D03';

User altered.

SQL> conn roger/scott

ERROR:

ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

SQL>

SQL> conn /as sysdba

Connected.

SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME PASSWORD

------------------------------ ------------------------------

ROGER CDC57F9E62A38D03

SCOTT CDC57F9E62A38D03

SQL>

SQL> alter user roger identified by scott;

User altered.

SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME PASSWORD

------------------------------ ------------------------------

ROGER 0212881AEAA22C4F

SCOTT CDC57F9E62A38D03

SQL>

SQL> conn roger/scott

Connected.

SQL>

我们可以看到，传统的方式在10g中已经不好使了，即使password hash值相同，其密码也可能不一样的。
我们来看看dba_users的定义，如下：

我们可以看到，传统的方式在10g中已经不好使了，即使password hash值相同，其密码也可能不一样的。

我们来看看dba_users的定义，如下：

SQL&gt; select owner,object_name,object_type from dba_objects
2  where object_name='DBA_USERS';
OWNER                          OBJECT_NAME                    OBJECT_TYPE
------------------------------ ------------------------------ -------------------
SYS                            DBA_USERS                      VIEW
PUBLIC                         DBA_USERS                      SYNONYM
SQL&gt; select dbms_metadata.get_ddl('VIEW','DBA_USERS','SYS') from dual;
DBMS_METADATA.GET_DDL('VIEW','DBA_USERS','SYS')
--------------------------------------------------------------------------------
CREATE OR REPLACE FORCE VIEW "SYS"."DBA_USERS" ("USERNAME", "USER_ID", "PASSWO
RD", "ACCOUNT_STATUS", "LOCK_DATE", "EXPIRY_DATE", "DEFAULT_TABLESPACE", "TEMPOR
ARY_TABLESPACE", "CREATED", "PROFILE", "INITIAL_RSRC_CONSUMER_GROUP", "EXTERNAL_
NAME") AS
select u.name, u.user#, u.password,
m.status,
decode(u.astatus, 4, u.ltime,
5, u.ltime,
6, u.ltime,
8, u.ltime,
9, u.ltime,
10, u.ltime, to_date(NULL)),
decode(u.astatus,
1, u.exptime,
2, u.exptime,
5, u.exptime,
6, u.exptime,
9, u.exptime,
10, u.exptime,
decode(u.ptime, '', to_date(NULL),
decode(pr.limit#, 2147483647, to_date(NULL),
decode(pr.limit#, 0,
decode(dp.limit#, 2147483647, to_date(NULL), u.ptime +
dp.limit#/86400),
u.ptime + pr.limit#/86400)))),
dts.name, tts.name, u.ctime, p.name,
nvl(cgm.consumer_group, 'DEFAULT_CONSUMER_GROUP'),
u.ext_username
from sys.user$ u left outer join sys.resource_group_mapping$ cgm
on (cgm.attribute = 'ORACLE_USER' and cgm.status = 'ACTIVE' and
cgm.value = u.name),
sys.ts$ dts, sys.ts$ tts, sys.profname$ p,
sys.user_astatus_map m, sys.profile$ pr, sys.profile$ dp
where u.datats# = dts.ts#
and u.resource$ = p.profile#
and u.tempts# = tts.ts#
and u.astatus = m.status#
and u.type# = 1
and u.resource$ = pr.profile#
and dp.profile# = 0
and dp.type#=1
and dp.resource#=1
and pr.type# = 1
and pr.resource# = 1
其中很关键的一个基表是user$,其定义如下：
create table user$                                             /* user table */
( user#         number not null,                   /* user identifier number */
name          varchar2("M_IDEN") not null,                 /* name of user */
type#         number not null,                       /* 0 = role, 1 = user */
password      varchar2("M_IDEN"),                    /* encrypted password */
datats#       number not null, /* default tablespace for permanent objects */
tempts#       number not null,  /* default tablespace for temporary tables */
ctime         date not null,                 /* user account creation time */
ptime         date,                                /* password change time */
exptime       date,                     /* actual password expiration time */
ltime         date,                         /* time when account is locked */
resource$     number not null,                        /* resource profile# */
audit$        varchar2("S_OPFL"),                    /* user audit options */
defrole       number not null,                  /* default role indicator: */
/* 0 = no roles, 1 = all roles granted, 2 = roles in defrole$ */
defgrp#       number,                                /* default undo group */
defgrp_seq#   number,               /* global sequence number for  the grp *
spare         varchar2("M_IDEN"),                   /* reserved for future */
astatus       number default 0 not null,          /* status of the account */
/* 1 = Locked, 2 = Expired, 3 = Locked and Expired, 0 - open */
lcount        number default 0 not null, /* count of failed login attempts */
defschclass   varchar2("M_IDEN"),                /* initial consumer group */
ext_username  varchar2("M_VCSZ"),                     /* external username */
spare1        number, /* used for schema level supp. logging: see ktscts.h */
spare2        number,
spare3        number,
spare4        varchar2(1000),
spare5        varchar2(1000),
spare6        date
)

SQL> select owner,object_name,object_type from dba_objects

2 where object_name='DBA_USERS';

OWNER OBJECT_NAME OBJECT_TYPE

------------------------------ ------------------------------ -------------------

SYS DBA_USERS VIEW

PUBLIC DBA_USERS SYNONYM

SQL> select dbms_metadata.get_ddl('VIEW','DBA_USERS','SYS') from dual;

DBMS_METADATA.GET_DDL('VIEW','DBA_USERS','SYS')

--------------------------------------------------------------------------------

CREATE OR REPLACE FORCE VIEW "SYS"."DBA_USERS" ("USERNAME", "USER_ID", "PASSWO

RD", "ACCOUNT_STATUS", "LOCK_DATE", "EXPIRY_DATE", "DEFAULT_TABLESPACE", "TEMPOR

ARY_TABLESPACE", "CREATED", "PROFILE", "INITIAL_RSRC_CONSUMER_GROUP", "EXTERNAL_

NAME") AS

select u.name, u.user#, u.password,

m.status,

decode(u.astatus, 4, u.ltime,

5, u.ltime,

6, u.ltime,

8, u.ltime,

9, u.ltime,

10, u.ltime, to_date(NULL)),

decode(u.astatus,

1, u.exptime,

2, u.exptime,

5, u.exptime,

6, u.exptime,

9, u.exptime,

10, u.exptime,

decode(u.ptime, '', to_date(NULL),

decode(pr.limit#, 2147483647, to_date(NULL),

decode(pr.limit#, 0,

decode(dp.limit#, 2147483647, to_date(NULL), u.ptime +

dp.limit#/86400),

u.ptime + pr.limit#/86400)))),

dts.name, tts.name, u.ctime, p.name,

nvl(cgm.consumer_group, 'DEFAULT_CONSUMER_GROUP'),

u.ext_username

from sys.user$ u left outer join sys.resource_group_mapping$ cgm

on (cgm.attribute = 'ORACLE_USER' and cgm.status = 'ACTIVE' and

cgm.value = u.name),

sys.ts$ dts, sys.ts$ tts, sys.profname$ p,

sys.user_astatus_map m, sys.profile$ pr, sys.profile$ dp

where u.datats# = dts.ts#

and u.resource$ = p.profile#

and u.tempts# = tts.ts#

and u.astatus = m.status#

and u.type# = 1

and u.resource$ = pr.profile#

and dp.profile# = 0

and dp.type#=1

and dp.resource#=1

and pr.type# = 1

and pr.resource# = 1

其中很关键的一个基表是user$,其定义如下：

create table user$ /* user table */

( user# number not null, /* user identifier number */

name varchar2("M_IDEN") not null, /* name of user */

type# number not null, /* 0 = role, 1 = user */

password varchar2("M_IDEN"), /* encrypted password */

datats# number not null, /* default tablespace for permanent objects */

tempts# number not null, /* default tablespace for temporary tables */

ctime date not null, /* user account creation time */

ptime date, /* password change time */

exptime date, /* actual password expiration time */

ltime date, /* time when account is locked */

resource$ number not null, /* resource profile# */

audit$ varchar2("S_OPFL"), /* user audit options */

defrole number not null, /* default role indicator: */

/* 0 = no roles, 1 = all roles granted, 2 = roles in defrole$ */

defgrp# number, /* default undo group */

defgrp_seq# number, /* global sequence number for the grp *

spare varchar2("M_IDEN"), /* reserved for future */

astatus number default 0 not null, /* status of the account */

/* 1 = Locked, 2 = Expired, 3 = Locked and Expired, 0 - open */

lcount number default 0 not null, /* count of failed login attempts */

defschclass varchar2("M_IDEN"), /* initial consumer group */

ext_username varchar2("M_VCSZ"), /* external username */

spare1 number, /* used for schema level supp. logging: see ktscts.h */

spare2 number,

spare3 number,

spare4 varchar2(1000),

spare5 varchar2(1000),

spare6 date

)

我们可以看到这里的password是经过DES加密以后的密码，在11g中，直接通过查询dba_users
已经无法查到其加密密码了。
下面我们用orabf来进行10g，11g  用户密码的暴力破解。

我们可以看到这里的password是经过DES加密以后的密码，在11g中，直接通过查询dba_users

已经无法查到其加密密码了。

下面我们用orabf来进行10g，11g 用户密码的暴力破解。

F:\orabf-v0.7.6&gt;orabf 0212881AEAA22C4F:ROGER
orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done
Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_
press 'q' to quit. any other key to see status
current password: GA7PB
16190190 passwords tried. elapsed time 00:00:12. t/s:1302291
password found: ROGER:SCOTT
44096071 passwords tried. elapsed time 00:00:33. t/s:1315172
F:\orabf-v0.7.6&gt;
SQL&gt; alter user roger identified by killdb$;
User altered.
SQL&gt; conn /as sysdba
Connected.
SQL&gt; select name,password from user$ where name in('ROGER','SCOTT');
NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          6885905A13FAFAA9
SCOTT                          CDC57F9E62A38D03
SQL&gt; 
F:\orabf-v0.7.6&gt;orabf 6885905A13FAFAA9:ROGER
orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done
Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_
press 'q' to quit. any other key to see status
current password: CW4KD
8236685 passwords tried. elapsed time 00:00:06. t/s:1282510
wrote resume data to ROGER.res
794380208 passwords tried. elapsed time 00:10:05. t/s:1312408
F:\orabf-v0.7.6&gt; ---可以看到，密码比较复杂以后，暴力破解时间就非常漫长了。
我们来看下11g中的情况：
SQL&gt; select * from v$version where rownum &lt;3;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production
PL/SQL Release 11.2.0.2.0 - Production
SQL&gt;
SQL&gt; select username,password from dba_users where username='ROGER';
USERNAME                       PASSWORD
------------------------------ ------------------------------
ROGER
SQL&gt; select name,password from user$ where name='ROGER';
NAME                           PASSWORD
------------------------------ ------------------------------
ROGER                          F445AB203A65C4DB
F:\orabf-v0.7.6&gt;orabf F445AB203A65C4DB:ROGER
orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...
password found: ROGER:ROGER
F:\orabf-v0.7.6&gt;
SQL&gt; conn roger/roger
Connected.
SQL&gt; --对于较为简单的密码，破解速度是非常快的。
老外还有有个更猛的暴力破解工具ops_sse2，不过该工具仅仅只能破解
sys密码，可能软件作者是出于安全考虑吧，下面来试试：
[ora10g@killdb pw_cracker]$ cat filename.txt
SYS:EF78257248B5860C:159
[ora10g@killdb pw_cracker]$
[ora10g@killdb pw_cracker]$ ./ops_sse2 --hashlist=filename.txt
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev
Compiled @ Apr  5 2011 12:25:36
Demo version, supporting only SYS usernames.
username=SYS: 1 unsolved hash(es) left
Checking 1-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 2-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 3-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 4-symbol passwords for username SYS
overall progress=  0%
username=SYS: 1 unsolved hash(es) left
Checking 5-symbol passwords for username SYS
overall progress= 61% / time remaining: 3s
time elapsed: 7s, ~ 5783305 passwords/hashes per second
SYS/159: Found password: ROGER
SYS:ROGER:159
SQL&gt; conn sys/roger as sysdba
Connected.
SQL&gt; show user
USER is "SYS"
SQL&gt; 
大家可以去http://conus.info/utils/ops_SIMD/ 下载该软件。

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

F:\orabf-v0.7.6>orabf 0212881AEAA22C4F:ROGER

---------------------------------------

Trying default passwords...done

Starting brute force session using charset:

#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_

press 'q' to quit. any other key to see status

current password: GA7PB

16190190 passwords tried. elapsed time 00:00:12. t/s:1302291

password found: ROGER:SCOTT

44096071 passwords tried. elapsed time 00:00:33. t/s:1315172

F:\orabf-v0.7.6>

SQL> alter user roger identified by killdb$;

User altered.

SQL> conn /as sysdba

Connected.

SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME PASSWORD

------------------------------ ------------------------------

ROGER 6885905A13FAFAA9

SCOTT CDC57F9E62A38D03

SQL>

F:\orabf-v0.7.6>orabf 6885905A13FAFAA9:ROGER

---------------------------------------

Trying default passwords...done

Starting brute force session using charset:

#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_

press 'q' to quit. any other key to see status

current password: CW4KD

8236685 passwords tried. elapsed time 00:00:06. t/s:1282510

wrote resume data to ROGER.res

794380208 passwords tried. elapsed time 00:10:05. t/s:1312408

F:\orabf-v0.7.6> ---可以看到，密码比较复杂以后，暴力破解时间就非常漫长了。

我们来看下11g中的情况：

SQL> select * from v$version where rownum <3;

BANNER

--------------------------------------------------------------------------------

Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production

PL/SQL Release 11.2.0.2.0 - Production

SQL>

SQL> select username,password from dba_users where username='ROGER';

USERNAME PASSWORD

------------------------------ ------------------------------

ROGER

SQL> select name,password from user$ where name='ROGER';

NAME PASSWORD

------------------------------ ------------------------------

ROGER F445AB203A65C4DB

F:\orabf-v0.7.6>orabf F445AB203A65C4DB:ROGER

---------------------------------------

Trying default passwords...

password found: ROGER:ROGER

F:\orabf-v0.7.6>

SQL> conn roger/roger

Connected.

SQL> --对于较为简单的密码，破解速度是非常快的。

老外还有有个更猛的暴力破解工具ops_sse2，不过该工具仅仅只能破解

sys密码，可能软件作者是出于安全考虑吧，下面来试试：

[ora10g@killdb pw_cracker]$ cat filename.txt

SYS:EF78257248B5860C:159

[ora10g@killdb pw_cracker]$

[ora10g@killdb pw_cracker]$ ./ops_sse2 --hashlist=filename.txt

Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev

Compiled @ Apr 5 2011 12:25:36

Demo version, supporting only SYS usernames.