-7

I am doing a penetration test, and i would like to know if i can decrypt passwords stored in LDAP. i tried some sites decrypt MD5 , they give me error message tells that the input is not MD5. Could you please help thanks

This is an example

userPassword: {MD5}KdScezWFVZxY7rHb5C4X1w==
dr jimbob
  • 38,768
  • 8
  • 92
  • 161
user1028
  • 437
  • 4
  • 8
  • 14
  • 7
    Hashing is not encryption. You cannot decrypt an MD5; you can only find a collision. – logicalscope Mar 16 '12 at 15:45
  • 4
    And LDAP is not a storage location, it's a communications protocol. – Graham Hill Mar 16 '12 at 16:03
  • ok, i got the tree stored in LDAP and it contains passwords hashed using MD5, but when i am trying sites to get the original pass, the site gives error message tells "the input is not MD5". i wish it is more clear now. – user1028 Mar 16 '12 at 16:15
  • MD5 is not a difficult "format": it is 16 bytes of pure, raw data (or 32 ASCII-formatted hexadecimal numbers in the range of [0-9a-fA-F]). Anything else is not a valid MD5 signature. – logicalscope Mar 16 '12 at 16:44
  • @user1028: could you post one of the hashes you've got, just to verify if it's a valid md5 hash ? – woliveirajr Mar 16 '12 at 17:05
  • Based on the appending == it looks like it is encoded and not only encrypted. Decoding it with base64 does not provide a valid md5 string. – Chris Dale Mar 16 '12 at 19:44
  • @Karrax - I'm getting a valid MD5 (32 bit ascii-hexidecimal) from decoding. See my answer. – dr jimbob Mar 16 '12 at 19:51
  • wierd @drjimbob ..My Burpsuite pro edition gives the following base64 decode: )Ô{5UXî±Ûä.× – Chris Dale Mar 16 '12 at 19:53
  • @drjimbob , online base64 decoder gives me: S2RTY2V6V0ZWWnhZN3JIYjVDNFgxdz09 which looks more correct. – Chris Dale Mar 16 '12 at 20:02
  • 1
    Other than references in WAHH, not familiar with burpsuite. It seems like burp is assuming some weird encoding for the b64 decode; rather than re-encoding in hexidecimal. A 24 char b64 encoding ending with `==` should be 16 bytes (each set of four-b64 chars corresponds to 3 bytes; except the last with has only one indicated by the two equals). As a byte is two hex chars, this works out right. – dr jimbob Mar 16 '12 at 20:03

4 Answers4

11

Your MD5 hash {MD5}KdScezWFVZxY7rHb5C4X1w== appears to be base64 encoded. MD5 hashes in the rainbow tables probably would be in hexidecimal, so you should convert the two.

In python you can do this with

>>> from base64 import b64decode, b16encode
>>> b16encode(b64decode('KdScezWFVZxY7rHb5C4X1w==')).lower()
'29d49c7b3585559c58eeb1dbe42e17d7'

Or you can use: http://tomeko.net/online_tools/base64.php?lang=en

dr jimbob
  • 38,768
  • 8
  • 92
  • 161
2

In order to try and identify the password that gives you a particular hash, the only real way is to try all passwords and hash them to see what you get.

What those websites have done is already tried a huge number of passwords and stored the calculated hashes so when you input your hash they quickly look up their database and provide you with an answer. Have a look at this question on Rainbow Tables.

They do not cope with salted hashes, however (well, you can create a table for each salt, but that dramatically increases the size of the table space) - so the answer you have had back may just mean they have failed to look up that hash.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
1

John The Ripper knows how to deal with the LDAP hashes. The option -format=nsldap should force it.

If it doesn't recognize your format, use base64.exe -d b64enc.hash | xxd -ps to convert your base64 encoded hashes into a hexdump.

Marcin
  • 2,508
  • 1
  • 15
  • 14
0

dr jimbob right, it seems to be base64 encoded.

you can try http://md5pass.com to find your hash password. that site does not use a very own database but a Google Custom Search Engine (CSE).

Jepes
  • 1