With the string "123456Adrian Wapcaplet" I need to
generate the SHA-256 hash
take the least significant 128 bits of the hash
represent these bits in base64 encoding
I need help with #1 and #3. Below is how I generate this in Linux
$ echo -n "123456Adrian Wapcaplet" | shasum -a 256 | cut -c33-64 | xxd -r -p | base64
jNWe9TyaqmgxG3N2fgl15w==
Install the pgcrypto extension:
create extension pgcrypto;
Then you can use the digest function to do sha256. The rest of the functions you'll need are built in:
select encode(substring(digest('123456Adrian Wapcaplet', 'sha256') from 17), 'base64');
Note that there's an implicit cast from text to bytea performed here when calling digest. It will use the default encoding for the database. To avoid problems due to environmental differences you can specify the encoding for the conversion:
digest(convert_to('123456Adrian Wapcaplet', 'utf8'), 'sha256')
Related
I am desperately trying to recover a veracrypt password with hashcat.
I got the hash file of the encrypted device with dd command and then used the sha512sum command to get the hash so it should be :
c21cd34530e01d4f31f329a9c53643984894e1411ee6400551d7f614d4e3409ec643e3a0c3684238b9656c2793239666aa907f7739055197b094804679026810
I remember a part of the password so I guessed a mask attack with hashcat should be helpful.
But I keep getting "separator unmatched"
I typed the following command :
hashcat --force -m 1800 -a 3 -i --increment-min 20 --increment-max 21 c21cd34530e01d4f31f329a9c53643984894e1411ee6400551d7f614d4e3409ec643e3a0c3684238b9656c2793239666aa907f7739055197b094804679026810 ?u?1?1?s?u?1?1?s?d?d?d?d?s?l?l
Hash 'c21cd34530e01d4f31f329a9c53643984894e1411ee6400551d7f614d4e3409ec643e3a0c3684238b9656c2793239666aa907f7739055197b094804679026810': Separator unmatched
No hashes loaded.
I do not understand my mistake, the mask is after the hash however.
When first connecting to a new SSH host in Putty it displays a message asking me to verify the RSA fingerprint:
When viewing this same information on the network (e.g. through Wireshark), the same value is not shown, instead is shown as:
How can I calculate the fingerprint from the information shown in the Packet Capture?
The value shown in wireshark is the full public key from the server. The fingerprint (MD5 Hash value) of this value is shown to the user in putty as it's much easier (shorter) to read that expecting the user to match up the entire key.
To calculate the public key fingerprint it is necessary to first convert the hex stream given by Wireshark to the the byte stream equivilent then to calculate the MD5 hash from this and output in hexadecimal format.
A crude implementation of this in python is below which will take the wireshark value (HEX DH host Key copied as a HEX Stream) on STDIN and output the fingerprint on STDOUT:
import md5
import sys
# Accepts a wireshark encoded string on STDIN an outputs MD5 fingerprint to STDOUT
# The value copied from the 'HEX DH host Key' as a HEX Stream
wireshark_key = sys.stdin.readline()
# Change the HEX value into the raw byte stream, which will include non-printable characters
hex_string = wireshark_key.strip().decode("hex")
# Calculate the MD5 Hash of the byte stream and output in Hexidecimal format
md5_fingerprint = md5.new(hex_string).hexdigest()
# Tidy up the output so it matches what Putty displays
putty_fingerprint = ":".join([md5_fingerprint[i:i+2] for i in range(0, len(md5_fingerprint), 2)])
print(putty_fingerprint)
To run this, save the wireshark value (public key) to a file and then execute:
cat <key.txt> | python scriptname.py
The output should then match what is displayed by Putty on first connect as well as in the Event Log.
The following web pages were very useful in figured this all out:
http://passionateaboutis.blogspot.co.uk/2015/07/ssh-fingerprint-from-pcap.html
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Public_Key_Authentication
Whilst this script may be useful for one off cases, if you need to obtain fingerprints for a large number of hosts, nmap and one of it's NSE scripts may be more efficient:
https://nmap.org/nsedoc/scripts/ssh-hostkey.html
Saving the output from NMAP to XML will automatically store the calculated fingerprint for all hsots.
Trying to brute force a basic hash of a plaintext password and a hash... But having difficulty with the hashcat commands.
I'm unsure how to specify what my salt is. I've selected that the -m command is (10) and -a 3 for brute force, but whenever I try to load my hash + salt I get "Line-length exception"
My command is:
hashcat64.exe -m 10 hash.txt -a 3
You "specify" the salt by having the correct format for the hashing algorithm.
For -m 10, or md5($pass.$salt), see this example is directly from the hashcat website:
01dfae6e5d4d90d9892622325959afbe:7050461
Note the colon after the password hash, which separates it from the salt. If your file already looks like this, maybe try adding a new line to the end?
I am creating a "change password" form where the user is required to enter the previous password first, then a new password (twice).
I should compare the entered "previous password" to the one already stored.
My web application uses an LDAP server to store user credentials. Password is apparently stored using SHA.
So what I do is get the previous password entered by the user, digest it using SHA1, then compare it.
String oldPass = request.getParameter("oldpass");
String enteredOldPass= App.getInstance().getCipher().cipher(oldPass);
String ldapPassword= ctx.get("userpassword");
But this isn't working, because the passwords are different. When I store "test" in the LDAP I obtain {sha}qUqP5cyxm6YcTAhz05Hph5gvu9M= when calling .get("userPassword"), whilst I get a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 when hashing "test" by myself.
What am I doing wrong here? It seems that a step is missing since my result is purely hex, while the one I get from the LDAP is ASCII. But I tried converting the string to hex (using string to hex online converters) but the result is still differnet.
You don't do any of this.
You attempt to rebind as the user with that password. It either succeeds or fails. That tells you whether it was right or wrong. The API and protocol and server will take care of any hashing required.
Or, if you're using an LDAP server that supports the extended change-password operation, you provide the old and new passwords in the extended operation.
you must convert to binary, then convert to base64. Try this:
echo -n "test" | sha1sum | awk '{print $1}' <br>
The result will be a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
echo -n "test" | sha1sum | awk '{print $1}' | xxd -r -p | base64
The result will be qUqP5cyxm6YcTAhz05Hph5gvu9M=
If I run the openssl command line in hmac mode (as below), is the key used for the hmac used directly or is it hashed before using it as the key?
echo "foo" | openssl dgst -sha256 -binary -hmac "test" | openssl base64
Similarly, when encrypting a file with openssl (as below)is the pass phrase hashed with the salt? (If so how is it done? A pointer to the right source file would be even better.)
openssl enc -salt
The hmac option does not use salting or hashing; it just uses the passphrase directly as the key. See apps/dgst.c in the source distribution:
else if (!strcmp(*argv,"-hmac"))
{
if (--argc < 1)
break;
hmac_key=*++argv;
}
...
if (hmac_key)
{
sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
(unsigned char *)hmac_key, -1);
if (!sigkey)
goto end;
}
The enc command does seem to use some form of salting, at least in some cases. The relevant source file is apps/enc.c, but seems to come with some caveats:
/* Note that str is NULL if a key was passed on the command
* line, so we get no salt in that case. Is this a bug?
*/
if (str != NULL)
{
/* Salt handling: if encrypting generate a salt and
* write to output BIO. If decrypting read salt from
* input BIO.
*/
It then uses the function EVP_BytesToKey (in crypto/evp/evp_key.c) to generate a random key. This function seems to be a non-standard algorithm, which looked perhaps plausibly OK at a very brief glance but I couldn't attest to it beyond that.
Source snippets and comments are all from the OpenSSL 1.0.0 release.