Crack Linux OpenLDAP SHA Passwords Using oclHashcat-plus

We think oclHashcat is one of the best password crackers available; together with Hashcat and John the Ripper it is pretty much the only cracker we use at this point. Someone recently asked me to crack some OpenLDAP hashes, which come in {SHA} and {SSHA} formats. The example below covers only the OpenLDAP {SHA} format, an unsalted SHA-1 digest encoded in base64; {SSHA} is salted and is a different hash type as far as oclHashcat is concerned.

Linux OpenLDAP SHA Password Format:

The Linux OpenLDAP SHA password storage format will look similar to the below (the first two columns here are the account name and uid from the directory export; only the {SHA} token is the hash).

user 500  {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
user 1000 {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
user 1001 {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=

To crack these hashes you need the whole token: the {SHA} prefix as well as the base64 string that follows it. Even though the three OpenLDAP SHA hashes above are identical, pretend they are different; using them as the example, you would create a file named something like openldap-sha-hashes.txt containing the content below, one hash per line and nothing else on the line.

Example List Of Linux OpenLDAP Hashes To Feed To oclHashcat-plus:

{SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
{SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
{SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
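The following is an added example, not code from the original post, showing what the {SHA} token actually is and how the input file is prepared from a directory dump like the one above. It goes a little beyond the post: it also parses the salted {SSHA} scheme (digest followed by the salt after base64 decoding), keeps {SSHA} entries out of the -m 101 file because they are a different hash type, emits the "user:hash" layout mentioned for John at the end of the post, and includes a small CPU-side dictionary check for when no GPU is at hand. The dump, usernames, uids, wordlist and the {SSHA} salt are constructed for the example; the {SHA} value is the real SHA-1 of the string "password".

```python
"""Parse OpenLDAP {SHA}/{SSHA} hashes, build cracker input files, verify candidates.

Added example (not from the original post). Sample data below is constructed.
"""
import base64
import hashlib
import hmac
import re

# Matches the two OpenLDAP SHA-1 schemes: {SHA}<base64> and {SSHA}<base64>.
HASH_RE = re.compile(r"\{(SHA|SSHA)\}([A-Za-z0-9+/=]+)")


def make_sha(password: str) -> str:
    """Unsalted OpenLDAP {SHA}: base64 of the raw 20-byte SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: bytes) -> str:
    """Salted {SSHA}: base64 of SHA-1(password || salt) with the salt appended."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_hash(token: str):
    """Split a '{SHA}...' or '{SSHA}...' token into (scheme, digest, salt)."""
    m = HASH_RE.fullmatch(token)
    if not m:
        raise ValueError(f"not an OpenLDAP SHA/SSHA hash: {token!r}")
    scheme, b64 = m.groups()
    raw = base64.b64decode(b64)
    if scheme == "SHA" and len(raw) != 20:
        raise ValueError("{SHA} must decode to exactly one 20-byte SHA-1 digest")
    if len(raw) < 20:
        raise ValueError("decoded value shorter than a SHA-1 digest")
    return scheme, raw[:20], raw[20:]  # salt is empty for {SHA}


def verify(password: str, token: str) -> bool:
    """Recompute SHA-1(password || salt) and compare in constant time."""
    _, digest, salt = parse_hash(token)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def build_sample_export() -> str:
    """Constructed dump in the 'name uid {scheme}hash' layout shown above."""
    sha = make_sha("password")                     # real SHA-1 of "password"
    ssha = make_ssha("letmein", b"\x01\x02\x03\x04")  # made-up 4-byte salt
    return f"alice 500  {sha}\nbob   1000 {sha}\ncarol 1001 {ssha}\n"


def extract_hashes(dump: str):
    """Return (username, token) pairs; the first field on a line is the user."""
    entries = []
    for line in dump.splitlines():
        m = HASH_RE.search(line)
        if m:
            entries.append((line.split()[0], m.group(0)))
    return entries


def hashcat_lines(entries, scheme="SHA", dedupe=False):
    """Bare tokens of one scheme per line: the input file for -m 101 ({SHA}).
    {SSHA} is a different hash type and must go in its own file and run.
    oclHashcat counts duplicates itself ('Hashes: 3, Unique digests: 1'),
    so deduplicating is optional."""
    tokens = [t for _, t in entries if t.startswith("{" + scheme + "}")]
    return list(dict.fromkeys(tokens)) if dedupe else tokens


def john_lines(entries):
    """'user:{SHA}...' per line, the form John the Ripper also accepts."""
    return [f"{user}:{token}" for user, token in entries]


def dictionary_attack(entries, wordlist):
    """CPU fallback: try each word against each unique hash, return {token: word}."""
    found = {}
    for _, token in entries:
        if token in found:
            continue
        for word in wordlist:
            if verify(word, token):
                found[token] = word
                break
    return found


if __name__ == "__main__":
    entries = extract_hashes(build_sample_export())
    print("\n".join(hashcat_lines(entries)))            # contents of openldap-sha-hashes.txt
    print("\n".join(john_lines(entries)))               # input for john
    print(dictionary_attack(entries, ["123456", "letmein", "password"]))
```

Running it prints the two {SHA} lines you would save as openldap-sha-hashes.txt, the John-style user:hash lines for all three accounts, and the two recovered passwords from the constructed wordlist. Note that hashcat_lines() deliberately drops the {SSHA} entry: feeding a salted hash to the unsalted mode would only produce a rejected line or a wasted run.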

Use oclHashcat-plus To Crack Linux OpenLDAP SHA Passwords:

Once you have obtained the OpenLDAP hashes and created the file as noted above on the server running oclHashcat-plus, issue a command similar to the below to attempt to crack them using only a dictionary.

Use oclHashcat-plus With A Single Dictionary To Crack OpenLDAP SHA Hashes:

[root@dev ~]# ./oclHashcat-plus64.bin --gpu-watchdog=0 -m 101 openldap-sha-hashes.txt -o openldap-sha-hashes.out /path/some-wordlist.lst

Hashes: 3
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 64
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit disabled
Device #1: Cayman, 2048MB, 0Mhz, 24MCU
Device #2: Cayman, 2048MB, 0Mhz, 24MCU
Device #3: Cayman, 2048MB, 0Mhz, 24MCU
Device #4: Cayman, 2048MB, 0Mhz, 24MCU
Device #1: Allocating 144MB host-memory
Device #1: Kernel kernels/4098/m0100_a0.Cayman.64.kernel (1171020 bytes)
Device #2: Allocating 144MB host-memory
Device #2: Kernel kernels/4098/m0100_a0.Cayman.64.kernel (1171020 bytes)
Device #3: Allocating 144MB host-memory
Device #3: Kernel kernels/4098/m0100_a0.Cayman.64.kernel (1171020 bytes)
Device #4: Allocating 144MB host-memory
Device #4: Kernel kernels/4098/m0100_a0.Cayman.64.kernel (1171020 bytes)

Scanned dictionary /path/some-wordlist.lst: 54 bytes, 7 words, 7 keyspace, starting attack...

Status.......: Exhausted
Input.Mode...: File (/path/some-wordlist.lst)
Hash.Type....: SHA-1(Base64), nsldap, Netscape LDAP SHA
Time.Running.: 0 secs
Time.Left....: 0 secs
Time.Util....: 4.7ms/0.0ms Real/CPU, 0.0% idle
Speed........:     1505 c/s Real,        0 c/s GPU
Recovered....: 1/1 Digests, 0/1 Salts
Progress.....: 7/7 (100.00%)
Rejected.....: 0/7 (0.00%)

Started: Mon Apr  9 23:24:55 2012
Stopped: Mon Apr  9 23:24:56 2012
[root@dev ~]#

The above command is fairly simple, but a couple of items are worth noting and are detailed below. As the "Recovered" line shows (1/1 Digests), the hash was cracked; oclHashcat-plus reports "Hashes: 3" but "Unique digests: 1" because the three lines in the input file were identical.

  • --gpu-watchdog=0: Depending on your setup your GPUs may get pretty hot, and oclHashcat-plus will quit if they get too hot. This option tells oclHashcat-plus not to check the GPU temperature at all (the output confirms it with "Watchdog: Temperature limit disabled"), so only use it if you are monitoring the cards some other way.
  • -m 101: The -m switch specifies the hash type, in this case Linux OpenLDAP {SHA}. The oclHashcat-plus help output lists type 101 as "nsldap, SHA-1(Base64), Netscape LDAP SHA". Salted {SSHA} hashes are a separate type (-m 111, "nsldaps, SSHA-1(Base64), Netscape LDAP SSHA") and need their own input file and run.
  • openldap-sha-hashes.txt: The file containing the OpenLDAP {SHA} hashes to attempt to crack, one per line.
  • -o openldap-sha-hashes.out: The output file the cracked hashes are written to, in hash:plaintext form.
  • /path/some-wordlist.lst: The path to the wordlist being used.

Use oclHashcat-plus With A Ruleset & A Single Dictionary To Crack OpenLDAP SHA Hashes:

[root@dev ~]# ./oclHashcat-plus64.bin --gpu-watchdog=0 -m 101 openldap-sha-hashes.txt -o openldap-sha-hashes.out -r rules/d3ad0ne.rule /path/some-wordlist.lst

Use oclHashcat-plus With Directory Of Dictionaries To Crack OpenLDAP SHA Hashes:

[root@dev ~]# ./oclHashcat-plus64.bin --gpu-watchdog=0 -m 101 openldap-sha-hashes.txt -o openldap-sha-hashes.out /path/to/dir/of/wordlists/*

Using GPUs via oclHashcat-plus is pretty much the only way to go, but if you do not have GPUs available you can also use JTR, or John the Ripper, by creating a similar hash file (you can also put username: before each {SHA} hash) and running something like "john openldap-sha-hashes.txt" on a computer with JTR installed; John will go to work. While it will be much slower, you can definitely have success if you are creative with your rules and/or dictionaries.
