Crack Linux OpenLDAP SHA Passwords Using oclHashcat-plus

As you know, we think oclHashcat is one of the best password crackers available, and along with Hashcat and John The Ripper it is pretty much the only password cracker we use at this point. Earlier someone asked me to crack some OpenLDAP hashes, which come in {SHA} and {SSHA} format; the example below covers only the OpenLDAP {SHA} format hashes.

Linux OpenLDAP SHA Password Format:

The Linux OpenLDAP SHA password storage format will look similar to the below: a username, a uid, and then the stored userPassword value.

  user 500  {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
  user 1000 {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
  user 1001 {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=

To crack these hashes you need not only the part that follows {SHA} but the {SHA} prefix as well. So, even though the above OpenLDAP SHA hashes are all the same, pretend they are different: using the above as an example, you would create a file named something like openldap-shas.txt containing the content below.

Example List Of Linux OpenLDAP Hashes To Feed To oclHashcat-plus:

  {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
  {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
  {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
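To make the format concrete, here is an added Python example; it is not from the original post, nor from the OpenLDAP or hashcat projects. It parses {SHA} values like the ones above into scheme, digest and salt, verifies a password against a stored value the way the directory server does, and runs a small audit over a constructed dump. The usernames, uids 1002/1003, the {SSHA} lines and the password "same-password" are invented for illustration; the {SHA} digest is the one shown above. The audit shows why the unsalted {SHA} scheme is worth migrating away from: every account with the same password gets the identical stored value, so recovering one digest covers all of them (which is what the "Hashes: 3 / Unique digests: 1" in the run below reflects), whereas the salted {SSHA} entries for the same password differ.

```python
import base64
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional, Tuple


def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64(SHA-1(password)). Equal passwords give equal values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(SHA-1(password || salt) || salt); the salt rides along in clear."""
    if salt is None:
        salt = os.urandom(4)  # a short random salt, as OpenLDAP itself uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_userpassword(value: str) -> Tuple[str, bytes, bytes]:
    """Split a '{SCHEME}base64' value into (scheme, 20-byte SHA-1 digest, salt).

    For {SHA} the salt is empty; for {SSHA} it is whatever follows the digest.
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not a {SCHEME}-prefixed userPassword value: %r" % value)
    scheme, _, b64 = value[1:].partition("}")
    scheme = scheme.upper()
    raw = base64.b64decode(b64)
    if scheme == "SHA":
        if len(raw) != 20:
            raise ValueError("{SHA} value must decode to exactly 20 bytes")
        return scheme, raw, b""
    if scheme == "SSHA":
        if len(raw) <= 20:
            raise ValueError("{SSHA} value must decode to digest plus salt")
        return scheme, raw[:20], raw[20:]
    raise ValueError("unsupported scheme %r" % scheme)


def verify(password: str, value: str) -> bool:
    """Check a password against a stored value the way the directory server does."""
    _, digest, salt = parse_userpassword(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Constructed dump in the "user uid {SCHEME}hash" layout shown above. The {SHA}
# value is the digest from the page; the names, uids 1002/1003, the {SSHA} lines
# and the password "same-password" are invented here for illustration.
SAMPLE_DUMP = "\n".join([
    "alice 500  {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=",
    "bob   1000 {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=",
    "carol 1001 {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=",
    "dave  1002 " + make_ssha("same-password", b"\x00\x01\x02\x03"),
    "erin  1003 " + make_ssha("same-password", b"\x10\x11\x12\x13"),
])


def audit(dump: str) -> dict:
    """Flag unsalted entries and stored values shared by several accounts."""
    unsalted = []
    by_value = defaultdict(list)
    for line in dump.splitlines():
        if not line.strip():
            continue
        user, _uid, value = line.split(maxsplit=2)
        scheme, digest, salt = parse_userpassword(value)
        if scheme == "SHA":
            unsalted.append(user)
        by_value[(scheme, digest, salt)].append(user)
    # With {SHA}, a shared password shows up as a shared stored value; with {SSHA}
    # the differing salts hide it (dave and erin never group together here).
    reused = [users for users in by_value.values() if len(users) > 1]
    return {"unsalted": unsalted, "reused": reused}


if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    print("unsalted {SHA} accounts:", report["unsalted"])
    print("accounts sharing an identical stored value:", report["reused"])
```

Run it directly to print the audit report. The layout follows the userPassword values OpenLDAP stores: {SHA} is base64(SHA-1(password)) and {SSHA} is base64(SHA-1(password || salt) || salt), so the same parser serves both and an audit like this is a quick way to find which accounts still need to be moved to a salted scheme.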

Use oclHashcat-plus To Crack Linux OpenLDAP SHA Passwords:

Once you have obtained the OpenLDAP hashes and created a file as noted above on the server running oclHashcat-plus, you will issue a command similar to the below to attempt to crack the Linux OpenLDAP hashes using only a dictionary.

Use oclHashcat-plus With A Single Dictionary To Crack OpenLDAP SHA Hashes:

  [root@dev ~]# ./oclHashcat-plus64.bin --gpu-watchdog=0 -m 101 openldap-sha-hashes.txt -o openldap-sha-hashes.out /path/some-wordlist.lst

  Hashes: 3
  Unique digests: 1
  Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
  Rules: 1
  GPU-Loops: 64
  GPU-Accel: 40
  Password lengths range: 1 - 15
  Platform: AMD compatible platform found
  Watchdog: Temperature limit disabled
  Device #1: Cayman, 2048MB, 0Mhz, 24MCU
  Device #2: Cayman, 2048MB, 0Mhz, 24MCU
  Device #3: Cayman, 2048MB, 0Mhz, 24MCU
  Device #4: Cayman, 2048MB, 0Mhz, 24MCU
  Device #1: Allocating 144MB host-memory
  Device #1: Kernel kernels/4098/m0100_a0.Cayman.64.kernel (1171020 bytes)
  Device #2: Allocating 144MB host-memory
  Device #2: Kernel kernels/4098/m0100_a0.Cayman.64.kernel (1171020 bytes)
  Device #3: Allocating 144MB host-memory
  Device #3: Kernel kernels/4098/m0100_a0.Cayman.64.kernel (1171020 bytes)
  Device #4: Allocating 144MB host-memory
  Device #4: Kernel kernels/4098/m0100_a0.Cayman.64.kernel (1171020 bytes)

  Scanned dictionary /path/some-wordlist.lst: 54 bytes, 7 words, 7 keyspace, starting attack...

  Status.......: Exhausted
  Input.Mode...: File (/path/some-wordlist.lst)
  Hash.Type....: SHA-1(Base64), nsldap, Netscape LDAP SHA
  Time.Running.: 0 secs
  Time.Left....: 0 secs
  Time.Util....: 4.7ms/0.0ms Real/CPU, 0.0% idle
  Speed........:     1505 c/s Real,        0 c/s GPU
  Recovered....: 1/1 Digests, 0/1 Salts
  Progress.....: 7/7 (100.00%)
  Rejected.....: 0/7 (0.00%)

  Started: Mon Apr  9 23:24:55 2012
  Stopped: Mon Apr  9 23:24:56 2012
  [root@dev ~]#

The above command is fairly simple, but a couple of items to note are detailed below. As you can see from the “Recovered” line, the hash was cracked (three hashes were loaded, but since they are identical there is only one unique digest to recover).

  • --gpu-watchdog=0: Depending on your setup your GPUs may get pretty hot, and oclHashcat-plus may quit if they get too hot. This option tells oclHashcat-plus not to check the temperature of the GPUs.
  • -m 101: The -m switch specifies the hash type, which in this case is Linux OpenLDAP SHA. The oclHashcat-plus help output lists type 101 as “nsldap, SHA-1(Base64), Netscape LDAP SHA”.
  • openldap-sha-hashes.txt: The file containing the OpenLDAP SHA hashes to attempt to crack.
  • -o openldap-sha-hashes.out: Specifies the output file to which the cracked hashes are written.
  • /path/some-wordlist.lst: The path to the wordlist being used.

Use oclHashcat-plus With A Ruleset & A Single Dictionary To Crack OpenLDAP SHA Hashes:

  [root@dev ~]# ./oclHashcat-plus64.bin --gpu-watchdog=0 -m 101 openldap-sha-hashes.txt -o openldap-sha-hashes.out -r rules/d3ad0ne.rule /path/some-wordlist.lst

Use oclHashcat-plus With Directory Of Dictionaries To Crack OpenLDAP SHA Hashes:

  [root@dev ~]# ./oclHashcat-plus64.bin --gpu-watchdog=0 -m 101 openldap-sha-hashes.txt -o openldap-sha-hashes.out /path/to/dir/of/wordlists/*

Using GPUs via oclHashcat-plus is pretty much the only way to go, but if you do not have GPUs available you could also just use JTR (John The Ripper) by creating a similar password file (you can also put username: before the SHA hash) and typing something like “john openldap-sha-hashes.txt” on a computer with JTR installed, and John will go to work. While it will be much slower, you can definitely have success if you are creative with your rules and/or dictionaries.
