Penetration Testing: RE: Netscape Ldap ldif file SHA password cracking

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Penetration Testing mailing list archives

RE: Netscape Ldap ldif file SHA password cracking

From: "David Cross" <davidcross () post-n-track com>
Date: Tue, 7 Dec 2004 16:32:01 -0700

Your decode will be 4 bytes to 3.  By my count you should have a value 21
characters in length (the standard size of a Sha1 hash value).

The value decoded will likely be unprintable characters.

Cheers!


David Cross, CISSP
www.TrustSecurityConsulting.com


-----Original Message-----
From: m a [mailto:aznxy () yahoo com] 
Sent: Saturday, December 04, 2004 2:46 PM
To: pen-test () securityfocus com
Subject: Re: Netscape Ldap ldif file SHA password cracking

In-Reply-To: <1101926493.2987.8.camel () kupson fdns net>


So for instance I have:

Ufg2qpbbabSRrOGhVLsvpZHshTc=
(Base-64)

The decode would be:
Q6iT/7

Does that look right?

Thanks

Ufg2qpbbabSRrOGhVLsvpZHshTc=

Received: (qmail 5416 invoked from network); 1 Dec 2004 22:47:31 -0000
Received: from outgoing.securityfocus.com (HELO

outgoing2.securityfocus.com) (205.206.231.26)

 by mail.securityfocus.com with SMTP; 1 Dec 2004 22:47:31 -0000
Received: from lists.securityfocus.com (lists.securityfocus.com

[205.206.231.19])

      by outgoing2.securityfocus.com (Postfix) with QMQP
      id 603E01436F3; Wed,  1 Dec 2004 15:37:11 -0700 (MST)
Mailing-List: contact pen-test-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <pen-test.list-id.securityfocus.com>
List-Post: <mailto:pen-test () securityfocus com>
List-Help: <mailto:pen-test-help () securityfocus com>
List-Unsubscribe: <mailto:pen-test-unsubscribe () securityfocus com>
List-Subscribe: <mailto:pen-test-subscribe () securityfocus com>
Delivered-To: mailing list pen-test () securityfocus com
Delivered-To: moderator for pen-test () securityfocus com
Received: (qmail 14333 invoked from network); 1 Dec 2004 18:40:39 -0000
Subject: Re: Netscape Ldap ldif file SHA password cracking
From: =?iso-8859-2?Q?Rafa=B3?= Kupka <rkupka () wdg pl>
To: pen-test () securityfocus com
In-Reply-To:

<OFFACE3FD4.DFF865D5-ON80256F5D.0058AC4E-80256F5D.0059B474 () EU novartis net>

References:

<OFFACE3FD4.DFF865D5-ON80256F5D.0058AC4E-80256F5D.0059B474 () EU novartis net>

Content-Type: text/plain
Date: Wed, 01 Dec 2004 19:41:33 +0100
Message-Id: <1101926493.2987.8.camel () kupson fdns net>
Mime-Version: 1.0
X-Mailer: Evolution 2.0.2 
Content-Transfer-Encoding: 7bit

Miguel.dilaj () pharma novartis com wrote:
Hello,

[cut]

My first guess is some kind of Base64 encoding (or similar) of the string

without the '{SHA}'.
Example:
plaintext:     password
SHA-1:     5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
Base64 encoding of the above: 
NUJBQTYxRTRDOUI5M0YzRjA2ODIyNTBCNkNGODMzMUI3RUU2OEZEOA==

So you see the similarities, but still no cigar!


It's {SHA1}<base64 encoded binary form of sha1 hash>.

for eg.,
$perl -e 'use Digest::SHA1 qw(sha1); print sha1(@ARGV[0]);' password |
base64-encode
W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Plaintext: password
SHA-1: <binary data>
Base64 of above data: W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Cheers,
-- 
Rafal Kupka <rkupka () wdg pl>

By Date By Thread

Current thread:

Re: Netscape Ldap ldif file SHA password cracking Anders Thulin (Dec 01)
- <Possible follow-ups>
- Re: Netscape Ldap ldif file SHA password cracking miguel . dilaj (Dec 01)
  - Re: Netscape Ldap ldif file SHA password cracking Rafał Kupka (Dec 01)
- Re: Netscape Ldap ldif file SHA password cracking m a (Dec 06)
  - RE: Netscape Ldap ldif file SHA password cracking David Cross (Dec 09)
- Re: Netscape Ldap ldif file SHA password cracking noconflic (Dec 09)
- RE: Netscape Ldap ldif file SHA password cracking Bénoni MARTIN (Dec 09)