Hashcat / Palo Alto Question
#1
Hey all, I'm doing a pentest engagement and got access to a Palo Alto firewall. In it, the Palo has credentials for a domain that I'm trying to gain access to in order to do Windows account validation stuff.

The appropriate lines in the config are:

wmi-account domain\username;
wmi-password -XX==XXXXXXXXXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=

With the Xs being what appears to be Base64. It's got a dash and two alpha characters, double-equals, then 27 alphanumerics, an equals, and 43 more alphanumerics followed by an equals and a semicolon to end the line.

That said, I'm no expert at hashcat and I've done pretty thorough Google searching and haven't found anything that clearly states what kind of hash it is or how to convert it into a usable format. Does anyone have suggestions, or has anyone seen this kind of thing before?

Thanks!
#2
Since the password must be used in plain text against AD, this must either be A) simple obfuscation, or B) encryption, with a static private key or key construction methodology.

Either way, this is interesting - but it isn't a hashcat-specific question. Even if the obfuscation method is discovered, the end result will be the plaintext password, not a hash for hashcat to crack.