Cracking Couchbase Admin Password
#1
Hi all,

I couldn't find this on Google, so hopefully it might help someone else. BTW, this is a test hash generated on my machine and doesn't matter to anyone.

First, find config.dat on the server. In config.dat, find the string "plain", e.g.

h m\0\0\0 plainm\0\0\00bl/nSj6e7vZS5KQqHmoTER7Z4cgTcDSL5vZTeaaFEAqCpxpLh m

Take 0'b...'h as bolded, lose the initial '0' and the trailing 'h', base64 decode, then ASCII hex encode to get

6e5fe74a3e9eeef652e4a42a1e6a13111ed9e1c81370348be6f65379a685100a82a71a4b

The salt is the first 16 bytes, the HMAC result is the next 20 bytes:

salt 6e5fe74a3e9eeef652e4a42a1e6a1311
hmac 1ed9e1c81370348be6f65379a685100a82a71a4b

For hashcat, construct the target hash as hmac:salt, like this for my example:

1ed9e1c81370348be6f65379a685100a82a71a4b:6e5fe74a3e9eeef652e4a42a1e6a1311

Then crack with hashcat mode 160 and --hex-salt:

hashcat64.exe -m 160 target.txt Top32Million-probable.txt -w3 --hex-salt -O -r rules\InsidePro-PasswordsPro.rule

..

1ed9e1c81370348be6f65379a685100a82a71a4b:6e5fe74a3e9eeef652e4a42a1e6a1311:password


I should code up something to do the extraction for me, but I haven't got round to it as yet. 

Tested on Couchbase 6.0.0 Community. 

(For completeness, this is basically a copy of my blog post here: https://gravitas-shortfall.blogspot.com/...sword.html )
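A small Python helper, added here and not from the post above or from Couchbase itself, that does the parsing the post walks through: it splits the decoded value into salt and HMAC-SHA1 digest, renders the hmac:salt line that mode 160 with --hex-salt expects, and re-checks a candidate password the same way the server does, which is how an administrator can confirm that a config.dat still stores this legacy single-round HMAC-SHA1 format (the reason it cracks so quickly) and rotate the credential. SAMPLE_B64 is the 48-character run quoted in the post with the length byte '0' and the trailing 'h' stripped; the Erlang term framing around it is assumed and not parsed here.

```python
import base64
import hashlib
import hmac
from typing import Tuple

# Constructed from the record quoted in the post: the base64 run between the
# length byte '0' and the 'h' that begins the next term.
SAMPLE_B64 = "bl/nSj6e7vZS5KQqHmoTER7Z4cgTcDSL5vZTeaaFEAqCpxpL"

SALT_LEN = 16  # bytes of salt at the front of the decoded value
HMAC_LEN = 20  # bytes of HMAC-SHA1 digest that follow (SHA-1 digest size)


def split_record(b64_blob: str) -> Tuple[bytes, bytes]:
    """Base64-decode the stored value and split it into (salt, hmac_digest)."""
    raw = base64.b64decode(b64_blob, validate=True)
    if len(raw) != SALT_LEN + HMAC_LEN:
        raise ValueError(
            f"unexpected record length {len(raw)}, expected {SALT_LEN + HMAC_LEN}"
        )
    return raw[:SALT_LEN], raw[SALT_LEN:]


def hashcat_line(b64_blob: str) -> str:
    """Render the record as hmac:salt, the layout for hashcat -m 160 --hex-salt."""
    salt, digest = split_record(b64_blob)
    return f"{digest.hex()}:{salt.hex()}"


def verify_password(b64_blob: str, candidate: str) -> bool:
    """Recompute HMAC-SHA1(key=salt, msg=password) and compare in constant time.

    This is the whole key-derivation step of the legacy format: one HMAC-SHA1
    call with a 16-byte salt as the key, with no iteration count or memory cost.
    """
    salt, digest = split_record(b64_blob)
    computed = hmac.new(salt, candidate.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    salt, digest = split_record(SAMPLE_B64)
    print("salt :", salt.hex())
    print("hmac :", digest.hex())
    print("hashcat target line:", hashcat_line(SAMPLE_B64))
    print("'password' matches:", verify_password(SAMPLE_B64, "password"))
```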