LDAP {SSHA} modes
#1
Recently I had a need to recover an LDAP password {SSHA256} and I realized that although hashcat does support the general form of these hashes (specifically modes 101, 111, 1711), it doesn't have one for SSHA256 specifically.

Based on the numbering scheme as i understand it, this would likely be mode 1411, although this mode doesn't exist at this time.

The hashes look like this (this is an example hash for "hashcat"):

{SSHA256}NP4ah+z94wGh/QMkNuKUGkK5IEZZM54BuVvD1RpSmL8BI0VniavN7w==

That said, these modes are basically just convenience wrappers as the underlying hash structures are already supported. If someone does have a need to crack one of these now, you can do so easily enough leveraging mode 1410 - sha256($pass.$salt) and some minor reforming of the data:

echo NP4ah+z94wGh/QMkNuKUGkK5IEZZM54BuVvD1RpSmL8BI0VniavN7w== | base64 -d | xxd -p -c 40 | sed 's/.\{64\}/&:/'

34fe1a87ecfde301a1fd032436e2941a42b9204659339e01b95bc3d51a5298bf:0123456789abcdef

The salt is in hex so just remember to invoke hashcat with --hex-salt

hashcat -m 1410 --hex-salt

Happy cracking!

/PS: Some common LDAP systems (Oracle DSEE for instance) also have support for SHA384 and SSHA384. SSHA384 could be more problematic as there are not, by my reading, generic salted SHA384 modes (i.e. 10810 and 10820) implemented at this point. If you had to you could shoehorn a salt into words or masks you're trying, but it would be messy, and you'd be limited to cracking one hash at a time.
Reply
#2
sounds cool, could you please add a trac ticket?
Reply