Penetration Testing mailing list archives

Re: Cracking Base64 Passwords Perl Script.

From: Brian Hatch <bri () ifokr org>
Date: Tue, 12 Nov 2002 08:15:33 -0800




(Pen-test/Sectools, only bother sending this through if you allow
the original.)

Tool to crack Base64 passwords - could not find anything similar on the
Internet.


'Crack'?  Base64 is an encoding algorithm, just like uuencode.
It's not encryption.  It's supposed to be easily reversable.

I find it hard to believe this person "could not find anything similar
on the Internet".  What he's using is MIME::Base64 from perl's CPAN.
This is command-line stuff.

   $ perl -MMIME::Base64 -le 'print decode_base64("dGVzdDpwYXNzd29yZA==")'
   test:password

For gods sake, I have this as an alias in my .bashrc.

Perhaps the reason there aren't any tools out there listed to
'crack' this is because it isn't a crack, and no one bothers
trying to market their genius in 'use module; call subroutine'

While pen testing and looking around for something to crack a Base64
encoded password I could not find much in the  way of a simple script,
so I decided to right a Perl script myself...


No, you took the work of Gisle Aas, MIME::Base64, and put it in a
perl script and slapped a few print statements on it.

Many weak security mechanisms rely on base64 encoding scheme. IIS server
is one such example, from  the below example we see IIS Basic
authenication in action on a GET request:


This is HTTP basic authorization, it's not IIS specific.  It's not used
for security, it's used to make sure that the password, regardless of
ugly characters, is able to be represented in a portable form.  (For a
very vague description, Base64 takes input and turns it into ASCII
printable output.)  This is why you should only use it over HTTPS if
you don't want your password getting out.

Enjoy and please send comments...


Hope you receive lots of fame and fortune.

--
Brian Hatch                  You have that vacant
   Systems and                look in your eyes that
   Security Engineer          says "Hold your ear up
http://www.ifokr.org/bri/     to my head and you
                              will hear the sea"
Every message PGP signed

Attachment: _bin
Description:

Current thread:

Cracking Base64 Passwords Perl Script. Singapore Dragon (Nov 11)
- Re: Cracking Base64 Passwords Perl Script. Javier Liendo (Nov 12)
- Re: Cracking Base64 Passwords Perl Script. Javier Fernández-Sanguino Peña (Nov 12)
- <Possible follow-ups>
- Re: Cracking Base64 Passwords Perl Script. Brian Hatch (Nov 13)