Decrypting passwords stored in Oracle SQL DeveloperOracle SQL Developer is a Java client used to connect to Oracle databases. The application does allow you to store several connections, each one with a password.
The password are stored in an encrypted form into an XML file, that on Unix like operating systems is
18.104.22.168.42.151001.541is the SQL Developer version. In other words, the user customized connections are stored as XML into the
connections.xmlfile under the
In that file, there is a
<StringRefAddr>tag that contains the encrypted string for the password, so for example:
<StringRefAddr addrType="password"> <Contents>XyzAbcedf...+7tFuoM</Contents> </StringRefAddr>
In particular, all the XML file is made by tags of type
<StringRefAddr>with different types (
addrType)) and an inner
<Contents>tag that provides the content (in this case the cyphered password).
I don’t know the exact details about the alghoritm that cyphers the passwords, and quite frankly I’m not that interested. One important note is that modern SQL Developer versions use a so called
v4password masking alghoritm, that is based on a dynamic value tied to the machine the program is running on.
This means I cannot simply copy and paste my
connections.xmlfile to another machine and get it magically working!
The key tied to the machine is stored into the file
product-preferences.xmlwithin the directory
~/.sqldeveloper/system22.214.171.124.78/o.sqldeveloper.126.96.36.199.78/with, as usual, the numbering indicating the version of the SQL Developer.
product-preferences.xmlfile contains the dynamic key in the
db.system.idattribute tag, for example:
<value n="db.system.id" v="aaaf8abb-a24b-4852-9d6d-ee11aa933383"/>
The value reminds me an UUID, and is used to cypher the passwords (I guess as a salt).
Unencrypting stored passwordsNow the important part: how to decrypt passwords?
I’ve found this Python program that accepts, as arguments, the encryptde password string and the dynamic key and provides the unencrypted password.
The program is not able to read yet the
connections.xmlfile, so you have to feed it manually with the password and the salt, but it has worked great an all my connections. As an example:
% pip install sqldeveloperpassworddecryptor % /home/luca/.local/bin/sqldeveloperpassworddecryptor \ -p AbggYhjgbkbTEPqGvvTkmUU4I+99FuoM \ -d bb55ac37-a33b-4762-9a6c-bc012345abc3 sqldeveloperpassworddecryptor.py version 2.0 [+] encrypted password: AbggYhjgbkbTEPqGvvTkmUU4I+99FuoM [+] db.system.id value: bb55ac37-a33b-4762-9a6c-bc012345abc3 [+] decrypted password: FLUCA1978
NOTE: the above example has been re-edited to mask the actual hash and id value.
Conclusionssqldeveloperpassworddecryptor can be very useful when trying to find out a password stored on a recovered machine or stuff like that.
Personally I would prefer to have a tool to change all the passwords at once, since this is the activity I do the most, or even a way to update the passwords if the