
Cracking a Security Console Password in RSA Authentication Manager 7.1

I recently had to recover a password from an RSA Authentication Manager Linux server. RSA Authentication Manager 7.1 stores all the credentials in an Oracle database. Unfortunately, I'm not all that familiar with connecting to Oracle databases and pulling data out of them. However, I do like the strings command.

RSA Authentication Manager 7.1 keeps its authentication information in an Oracle database located at /usr/local/RSASecurity/RSAAuthenticationManager/db/oradata/[RANDOM STRING]/rsa_data.dat

If we run strings on this file and pipe the output into less, we can search within less for the hashes:

strings rsa_data.dat | less

There is a segment that consists of just hashes. I'm guessing that this is where the database is storing them in order to verify that a user isn't reusing the last 8 passwords when they set a new one. We're not interested in that part. We should be looking for the section that lists usernames as well as passwords. You can also search for SSHA256 and then the username, and that should put you in the right location. Once you find the correct location, it will look something like the following:

VPN Username
First Name
Last Name
Email Address



This hash is kept in the Salted SHA256 format, where the salt is appended to the hash of the salt + password. This is known in hashcat as sha256($salt.$pass).
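
The layout described above, as an added Python example that is not part of the original post: it splits a Base64 value into the 32-byte SHA-256 digest and the trailing salt, and checks a known password against it. It assumes the password is UTF-8 encoded and treats everything after the digest as salt (the post's sample has a 5-byte salt); the function names and the constructed sample password are illustrative.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Tuple

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes

# Sample Base64 value taken from this post's decode command.
PAGE_BLOB = "5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ=="


def parse_blob(blob: str) -> Tuple[bytes, bytes]:
    """Split base64(digest || salt) into (digest, salt)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a SHA-256 digest plus a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def make_blob(password: str, salt: bytes) -> str:
    """Build a value as the post describes: sha256(salt + password), then salt."""
    # Assumption: the password is hashed as its UTF-8 bytes.
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def verify(blob: str, password: str) -> bool:
    """Recompute sha256(salt + password) and compare in constant time."""
    digest, salt = parse_blob(blob)
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    digest, salt = parse_blob(PAGE_BLOB)
    print(f"{digest.hex()}:{salt.hex()}")
    # Constructed sample: password and salt are made up for this example.
    constructed = make_blob("constructed-sample", b"\x01\x02\x03\x04\x05")
    print(verify(constructed, "constructed-sample"), verify(constructed, "wrong"))
```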

Hashcat can't understand the hash when it's base64 encoded. Instead we need to be able to decode it into a string that's hash:salt. We can do this using this command:

echo -n '5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==' | base64 -d | xxd -c37 -p \
| awk '{printf("%s:%s", substr($0,1,64) , substr($0,65,10))}'

Note: hexdump and xxd will give you the bytes in a different order. You need to use xxd for this; hexdump will not work properly.

This gives us:


Since oclhashcat-lite doesn't decode sha256($salt.$pass), we need to copy that into a file. You can redirect the output of the command used to extract the hash into a file using the >> operator:

echo -n '5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==' | base64 -d | xxd -c37 -p \
| awk '{printf("%s:%s", substr($0,1,64) , substr($0,65,10))}'  >> hash

You should use hashcat with the following options:

--hex-salt -m 1420


./cudaHashcat-plus64.bin -a 3 --hex-salt -m 1420 hash pass?l?l?l?l

cudaHashcat-plus v0.14 by atom starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 64 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 460, 1023MB, 1451Mhz, 7MCU
Device #2: GeForce GTX 460, 1023MB, 1350Mhz, 7MCU
Device #1: Kernel ./kernels/4318/m1420_a3.sm_21.64.ptx
Device #2: Kernel ./kernels/4318/m1420_a3.sm_21.64.ptx


Session.Name...: cudaHashcat-plus
Status.........: Cracked
Input.Mode.....: Mask (pass?l?l?l?l)
Hash.Target....: e4aca8087d9ce22e1fdfeac8f84850af813409eec2efb033684fd1d5b92f6d09:4141414141
Hash.Type......: sha256($salt.$pass)
Time.Started...: Fri May  3 10:27:26 2013 (1 sec)
Speed.GPU.#1...: 35137.3k/s
Speed.GPU.#2...: 50038.4k/s
Speed.GPU.#*...: 85175.6k/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 143360/456976 (31.37%)
Rejected.......: 0/143360 (0.00%)
HWMon.GPU.#1...: -1% Util, 41c Temp, 52% Fan
HWMon.GPU.#2...: -1% Util, 49c Temp, 20% Fan

Started: Thu May  2 22:27:26 2013
Stopped: Thu May  2 22:27:28 2013