Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: NS1 decryption
From: Bojan <bojan99 () gmail com>
Date: Tue, 17 Jan 2006 11:33:03 +1300

On 1/16/06, Roman Medina-Heigl Hernandez <roman () rs-labs com> wrote:


I've been told that Solaris' NS_LDAP_BINDPASSWD could be decrypted. For

    $ ldapclient -l
    NS_LDAP_BINDPASSWD= {NS1}3d1a48xxxxxxxxx

The pass is {NS1}3d1a48xxxxxxxxx. Is it really possible to decode it and
get the plaintext password? I couldn't find any useful info about
decoding NS1 passwords.

Well, according to the FAQ (
http://blogs.sun.com/roller/resources/raja/ldap-psd.html), it's just some
simple encryption:

" 5.6. What is NS1 format?? How is the NS1 format converted/used to
authenticate against the userPassword in CRYPT format in the LDAP server?

The Native LDAP client library (libsldap) uses an internal and simple
algorithm to encrypt (and tag) the proxyagent password so that it
would not be stored in /var/ldap/ldap_client_cred in plaintext.

The NS1 encrypted password will be decrypted by the libsldap library
before authenticating the proxy agent to the LDAP server. From the
server perspective, it receives and process the plaintext password to
match the crypt userPassword as usual."

The libsldap library obviously can decrypt this, so it should be easy to
write a tool which will do this (once you know how encryption/decryption
works). But, from the text above, it's pretty clear that this is not a one
way function.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]