Penetration Testing mailing list archives

RE: Netscape Ldap ldif file SHA password cracking


From: "David Cross" <davidcross () post-n-track com>
Date: Tue, 7 Dec 2004 16:32:01 -0700

Your decode will be 4 bytes to 3.  By my count you should have a value 21
characters in length (the standard size of a Sha1 hash value).

The value decoded will likely be unprintable characters.

Cheers!


David Cross, CISSP
www.TrustSecurityConsulting.com


-----Original Message-----
From: m a [mailto:aznxy () yahoo com] 
Sent: Saturday, December 04, 2004 2:46 PM
To: pen-test () securityfocus com
Subject: Re: Netscape Ldap ldif file SHA password cracking



So for instance I have:

Ufg2qpbbabSRrOGhVLsvpZHshTc=
(Base-64)

The decode would be:
Q6iT/7

Does that look right?

Thanks

Ufg2qpbbabSRrOGhVLsvpZHshTc=


Subject: Re: Netscape Ldap ldif file SHA password cracking
From: Rafał Kupka <rkupka () wdg pl>
To: pen-test () securityfocus com
Date: Wed, 01 Dec 2004 19:41:33 +0100

Miguel.dilaj () pharma novartis com wrote:
Hello,

[cut]

My first guess is some kind of Base64 encoding (or similar) of the string
without the '{SHA}'.
Example:
plaintext:     password
SHA-1:     5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
Base64 encoding of the above: 
NUJBQTYxRTRDOUI5M0YzRjA2ODIyNTBCNkNGODMzMUI3RUU2OEZEOA==

So you see the similarities, but still no cigar!

It's {SHA1}<base64 encoded binary form of sha1 hash>.

for eg.,
$ perl -e 'use Digest::SHA1 qw(sha1); print sha1($ARGV[0]);' password | base64-encode
W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Plaintext: password
SHA-1: <binary data>
Base64 of above data: W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Cheers,
-- 
Rafal Kupka <rkupka () wdg pl>
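
The decoding discussed in this thread, as an added Python example that is not part of any poster's message: it base64-decodes a {SHA} userPassword value to the raw digest, checks the decoded length, and lists such entries in an LDIF export for auditing. The function names, the sample DNs and the handling of the LDIF "attr::" form are assumptions of this example; it accepts the '{SHA}' prefix only.

```python
import base64
import binascii
import hashlib
import hmac

SHA1_LEN = 20  # raw SHA-1 digest: 20 bytes, 28 base64 characters
STORED = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="  # "password", value from the thread
SAMPLE_LDIF = (  # constructed sample; the DNs are made up
    "dn: uid=alice,dc=example,dc=com\n"
    "userPassword: " + STORED + "\n\n"
    "dn: uid=bob,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(STORED.encode()).decode() + "\n"
)


def decode_sha_value(value):
    """Return the raw digest from '{SHA}<base64>' (or the bare base64 part)."""
    text = value.strip()
    if text.startswith("{"):
        scheme, _, text = text[1:].partition("}")
        if scheme.upper() != "SHA":
            raise ValueError("not an unsalted SHA-1 value: {%s}" % scheme)
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64: %s" % exc)
    if len(raw) != SHA1_LEN:
        raise ValueError("expected %d bytes, got %d" % (SHA1_LEN, len(raw)))
    return raw


def matches(value, candidate):
    """Compare SHA-1(candidate) with the stored digest in constant time."""
    digest = hashlib.sha1(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(decode_sha_value(value), digest)


def find_sha_entries(ldif_text):
    """Return [(dn, hex digest)] for each {SHA} userPassword in an LDIF export."""
    found, dn = [], None
    for line in ldif_text.splitlines():
        name, sep, rest = line.partition(":")
        if name.lower() == "dn":
            dn = rest.strip()
        elif name.lower() == "userpassword" and sep:
            if rest.startswith(":"):  # 'attr:: ...' means the whole value is base64
                rest = base64.b64decode(rest[1:].strip()).decode("latin-1")
            if rest.strip().upper().startswith("{SHA}"):
                found.append((dn, decode_sha_value(rest).hex()))
    return found
```

Every entry it reports is an unsalted SHA-1 digest, so identical passwords produce identical values across accounts.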




