Full Disclosure: Re: NS1 decryption

[Bojan <bojan99 () gmail com>]

On 1/16/06, Roman Medina-Heigl Hernandez <roman () rs-labs com> wrote:
> Hi,
>
> I've been told that Solaris' NS_LDAP_BINDPASSWD could be decrypted. For
> instance:
>
>     $ ldapclient -l
>     NS_LDAP_FILE_VERSION= 1.0
>     NS_LDAP_BINDDN=
> cn=proxyagent,ou=profile,dc=blr03-01,dc=india,dc=sun,dc=com
>     NS_LDAP_BINDPASSWD= {NS1}3d1a48xxxxxxxxx
> ...
>
>
> The pass is {NS1}3d1a48xxxxxxxxx. Is it really possible to decode it and
> get the plaintext password? I couldn't find any useful info about
> decoding NS1 passwords.

Well, according to the FAQ (
http://blogs.sun.com/roller/resources/raja/ldap-psd.html), it's just some
simple encryption:

" 5.6. What is NS1 format?? How is the NS1 format converted/used to
authenticate against the userPassword in CRYPT format in the LDAP server?

The Native LDAP client library (libsldap) uses an internal and simple
algorithm to encrypt (and tag) the proxyagent password so that it
would not be stored in /var/ldap/ldap_client_cred in plaintext.

The NS1 encrypted password will be decrypted by the libsldap library
before authenticating the proxy agent to the LDAP server. From the
server perspective, it receives and process the plaintext password to
match the crypt userPassword as usual."

The libsldap library obviously can decrypt this, so it should be easy to
write a tool which will do this (once you know how encryption/decryption
works). But, from the text above, it's pretty clear that this is not a one
way function.

Cheers,

Bojan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/