RE: Netscape Ldap ldif file SHA password cracking

From: David Cross (davidcross@post-n-track.com)
Date: Tue Dec 07 2004 - 18:32:01 EST


Your decode will be 4 bytes to 3. By my count you should have a value 21
characters in length (the standard size of a Sha1 hash value).

The value decoded will likely be unprintable characters.

Cheers!

David Cross, CISSP
www.TrustSecurityConsulting.com

-----Original Message-----
From: m a [mailto:aznxy@yahoo.com]
Sent: Saturday, December 04, 2004 2:46 PM
To: pen-test@securityfocus.com
Subject: Re: Netscape Ldap ldif file SHA password cracking

In-Reply-To: <1101926493.2987.8.camel@kupson.fdns.net>

So for instance I have:

Ufg2qpbbabSRrOGhVLsvpZHshTc=
(Base-64)

The decode would be:
Q6iT/7

Does that look right?

Thanks

Ufg2qpbbabSRrOGhVLsvpZHshTc=

>Received: (qmail 5416 invoked from network); 1 Dec 2004 22:47:31 -0000
>Received: from outgoing.securityfocus.com (HELO
outgoing2.securityfocus.com) (205.206.231.26)
> by mail.securityfocus.com with SMTP; 1 Dec 2004 22:47:31 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
> by outgoing2.securityfocus.com (Postfix) with QMQP
> id 603E01436F3; Wed, 1 Dec 2004 15:37:11 -0700 (MST)
>Mailing-List: contact pen-test-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <pen-test.list-id.securityfocus.com>
>List-Post: <mailto:pen-test@securityfocus.com>
>List-Help: <mailto:pen-test-help@securityfocus.com>
>List-Unsubscribe: <mailto:pen-test-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:pen-test-subscribe@securityfocus.com>
>Delivered-To: mailing list pen-test@securityfocus.com
>Delivered-To: moderator for pen-test@securityfocus.com
>Received: (qmail 14333 invoked from network); 1 Dec 2004 18:40:39 -0000
>Subject: Re: Netscape Ldap ldif file SHA password cracking
>From: =?iso-8859-2?Q?Rafa=B3?= Kupka <rkupka@wdg.pl>
>To: pen-test@securityfocus.com
>In-Reply-To:
<OFFACE3FD4.DFF865D5-ON80256F5D.0058AC4E-80256F5D.0059B474@EU.novartis.net>
>References:
>
<OFFACE3FD4.DFF865D5-ON80256F5D.0058AC4E-80256F5D.0059B474@EU.novartis.net>
>Content-Type: text/plain
>Date: Wed, 01 Dec 2004 19:41:33 +0100
>Message-Id: <1101926493.2987.8.camel@kupson.fdns.net>
>Mime-Version: 1.0
>X-Mailer: Evolution 2.0.2
>Content-Transfer-Encoding: 7bit
>
>Miguel.dilaj@pharma.novartis.com wrote:
>Hello,
>
>[cut]
>
>> My first guess is some kind of Base64 encoding (or similar) of the string

>> without the '{SHA}'.
>> Example:
>> plaintext: password
>> SHA-1: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
>> Base64 encoding of the above:
>> NUJBQTYxRTRDOUI5M0YzRjA2ODIyNTBCNkNGODMzMUI3RUU2OEZEOA==
>>
>> So you see the similarities, but still no cigar!
>
>It's {SHA1}<base64 encoded binary form of sha1 hash>.
>
>for eg.,
>$perl -e 'use Digest::SHA1 qw(sha1); print sha1(@ARGV[0]);' password |
>base64-encode
>W6ph5Mm5Pz8GgiULbPgzG37mj9g=
>
>Plaintext: password
>SHA-1: <binary data>
>Base64 of above data: W6ph5Mm5Pz8GgiULbPgzG37mj9g=
>
>Cheers,
>--
>Rafal Kupka <rkupka@wdg.pl>
>
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:09 EDT