03-27-2012, 12:25 PM
(also posted to the john-users mailing list just now):
Status is as given in the hashcat thread, except that I also asked @episerver if they could provide any insight:
http://www.twitter.com/thorsheim/status/...0929893377
And they replied:
http://www.twitter.com/episerver/status/...2474875905
..... (break for phone call):
As I started to respond to this e-mail, I got a call from an episerver representative who had both knowledge & interest in helping out, and we talked for quite some time. (Thank you!)
Yes, the episerver format in john is out of date. Somewhere around version 4.x of episerver they dropped using their own crypto implementations and went for using Microsoft .NET provided algorithms instead. episerver is now at 6.2x if I remember correctly.
What I forgot to mention in my post at hashcat forums is that the config also has an option named "passwordformat", with default value of "1". I got that one answered; it is related to the .NET configuration. In fact, depending on your .NET configuration, your episerver could seriously be at risk.
The good news: the default install seems to provide decent security, and probably better than many other solutions floating around. (Oops, marketing talk... sorry)
By default episerver will rely on the SqlMembershipProvider in .NET for securing your passwords. You can do cleartext or reversible encryption if you want, and you can do authentication against Microsoft Active Directory (SSO). Default though is SHA-1 with salt.
More info here: http://msdn.microsoft.com/en-us/library/...ormat.aspx
A list of cryptographic services provided in .NET can be found here:
http://msdn.microsoft.com/en-us/library/92f9ye3s.aspx
There are also those who try to implement bcrypt in there as well:
http://stackoverflow.com/questions/64607...rp-asp-net
There is lots more to be read about .NET etc, but I'm nowhere near being a programmer, and will not pretend to be one either.
Again; the good news is anyone running episerver also has .NET, and can pick from a good list of algorithms etc in order to protect their users' passwords.
The bad news: I guess many episerver installations are running on default .NET configurations, probably making it easier to crack the password hashes than with a customized configuration. Of course when configured by someone who really understands what he/she is doing.
I hope this will aid in replacing current code for episerver hashes in john (and eventually hashcat + others). There is still some reading to do in Microsoft's documentation, even for the default config settings that are supposed to be SHA-1 with salt.
--
Best regards,
Per Thorsheim
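As an added example (not part of Per's post, and not EPiServer's or Microsoft's code), the following Python models the two things the post turns on: the salted-SHA-1 storage scheme of .NET's SqlMembershipProvider when passwordFormat is "1"/"Hashed", and a quick audit of a web.config membership section to flag providers set to "Clear" or "Encrypted" (reversible) storage. The byte layout assumed here, Base64(H(salt || UTF-16LE(password))) with a Base64-encoded 16-byte salt stored alongside it, is my understanding of the provider's EncodePassword logic and is stated as an assumption; the provider names, connection string name and the whole web.config fragment are constructed for the example.

```python
"""
SqlMembershipProvider-style salted password hashing and a web.config audit.

Assumed storage layout (my reading of the .NET provider, not verified against
any EPiServer release):
    stored_salt = Base64(salt_bytes)                       # 16 random bytes
    stored_hash = Base64(H(salt_bytes || UTF-16LE(password)))
H is SHA-1 unless <membership hashAlgorithmType="..."> selects another name.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# web.config hashAlgorithmType name -> hashlib constructor name
HASH_ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256"}


def membership_hash(password: str, salt_b64: str, algorithm: str = "SHA1") -> str:
    """Return Base64(H(salt || UTF-16LE(password))); H defaults to SHA-1."""
    salt = base64.b64decode(salt_b64)
    pw_bytes = password.encode("utf-16-le")  # .NET Encoding.Unicode
    digest = hashlib.new(HASH_ALGORITHMS[algorithm.upper()], salt + pw_bytes).digest()
    return base64.b64encode(digest).decode("ascii")


def new_salt_b64(size: int = 16) -> str:
    """Fresh random salt, Base64-encoded the way the provider stores it."""
    return base64.b64encode(os.urandom(size)).decode("ascii")


def verify_password(password: str, salt_b64: str, stored_b64: str,
                    algorithm: str = "SHA1") -> bool:
    """Constant-time comparison of a candidate against the stored salted hash."""
    return hmac.compare_digest(membership_hash(password, salt_b64, algorithm), stored_b64)


def digest_length_bytes(stored_b64: str) -> int:
    """Decoded length of a stored hash: 20 for SHA-1, 32 for SHA-256."""
    return len(base64.b64decode(stored_b64))


# passwordFormat values: names as written in web.config, numbers as in the
# MembershipPasswordFormat enum (Clear=0, Hashed=1, Encrypted=2)
PASSWORD_FORMATS = {"0": "Clear", "1": "Hashed", "2": "Encrypted",
                    "CLEAR": "Clear", "HASHED": "Hashed", "ENCRYPTED": "Encrypted"}


def audit_membership_config(web_config_xml: str) -> dict:
    """Report how each membership provider in a web.config stores passwords."""
    root = ET.fromstring(web_config_xml)
    membership = root.find("./system.web/membership")
    if membership is None:
        return {"hashAlgorithmType": None, "providers": {}}
    # Assumption: SHA1 applies when hashAlgorithmType is absent, as the post says
    algorithm = membership.get("hashAlgorithmType", "SHA1")
    report = {"hashAlgorithmType": algorithm, "providers": {}}
    for add in membership.findall("./providers/add"):
        raw = add.get("passwordFormat", "Hashed")  # provider default is Hashed
        fmt = PASSWORD_FORMATS.get(raw.upper(), "Unknown")
        report["providers"][add.get("name")] = {
            "passwordFormat": fmt,
            # Clear and Encrypted both let the original password be recovered
            "stores_recoverable_password": fmt in ("Clear", "Encrypted"),
        }
    return report


# Constructed web.config fragment for the example; not taken from any real site
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="SqlServerMembershipProvider" hashAlgorithmType="SHA1">
      <providers>
        <add name="SqlServerMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ExampleDB" passwordFormat="Hashed" />
        <add name="LegacyProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ExampleDB" passwordFormat="Encrypted" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


if __name__ == "__main__":
    salt = new_salt_b64()
    stored = membership_hash("correct horse battery", salt)
    print("salt:", salt, "hash:", stored, "ok:",
          verify_password("correct horse battery", salt, stored))
    for name, info in audit_membership_config(SAMPLE_WEB_CONFIG)["providers"].items():
        print(f"{name}: {info['passwordFormat']}"
              + ("  <-- recoverable, review this" if info["stores_recoverable_password"] else ""))
```

The audit deliberately treats "Encrypted" the same as "Clear" for risk purposes: both mean the site (and anyone holding its machineKey) can recover the original password, which is the "reversible encryption" option the post warns about. Switching hashAlgorithmType to SHA256 only changes the digest, not the single-iteration structure, so the verification function is parameterised on the algorithm name rather than hard-coded.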