ibm security directory server hash

[raist2]

Hello, I extracted hashes from a IBM security directory server (LDAP) ; they look like SHA256 salt+hash to me but so far I'm not able to make them work with oclHashcat:
SHA-256:Zjk**********W8y:G3YJBMaNQHrLq********************yhwaejSxlE=
Hope that substituting chars with stars allow me to post the hash.
Do you guys have any ideas?
Regards,
r.

[atom]

Please post the full hash and the plaintext password on trac or by PM to me. If you don't know the plaintext password, generate a new one that you know.

[dikiy]

Trailing "=" symbol makes me think it is binary and base64 encoded. How much of them ends with '=' ? if many then it IS base64 encoded

[raist2]

BINARY|ESHA-256:MWw4MjlrM2loajFz:qu0VLHJPa2dNL6+7bRIpcRGcdInpFO6B5OGMgnyEeyM=SHA-256:c25vc2d5bmtzYmhq:Jfe38uU5jk5RCLz5WMi5BdSsW9RV1o55rEX5lf1BS/I=


one of this two hash clear test should be "CieloAzzurro.1", while the other is a previous password (history).
It wasn't extracted from the LDAP by me but I trust enough who did it.
r.

[dikiy]

Try to use these hex values as hex-salt

Code:

@dikiy [11:03] ~ %echo "qu0VLHJPa2dNL6+7bRIpcRGcdInpFO6B5OGMgnyEeyM=" | b64decode -r | hexdump
0000000 edaa 2c15 4f72 676b 2f4d bbaf 126d 7129
0000010 9c11 8974 14e9 81ee e1e4 828c 847c 237b
0000020
@dikiy [11:03] ~ %echo "Jfe38uU5jk5RCLz5WMi5BdSsW9RV1o55rEX5lf1BS/I=" | b64decode -r | hexdump
0000000 f725 f2b7 39e5 4e8e 0851 f9bc c858 05b9
0000010 acd4 d45b d655 798e 45ac 95f9 41fd f24b
0000020

[raist2]

Try to use these hex values as hex-salt

Code:

@dikiy [11:03] ~ %echo "qu0VLHJPa2dNL6+7bRIpcRGcdInpFO6B5OGMgnyEeyM=" | b64decode -r | hexdump
0000000 edaa 2c15 4f72 676b 2f4d bbaf 126d 7129
0000010 9c11 8974 14e9 81ee e1e4 828c 847c 237b
0000020
@dikiy [11:03] ~ %echo "Jfe38uU5jk5RCLz5WMi5BdSsW9RV1o55rEX5lf1BS/I=" | b64decode -r | hexdump
0000000 f725 f2b7 39e5 4e8e 0851 f9bc c858 05b9
0000010 acd4 d45b d655 798e 45ac 95f9 41fd f24b
0000020

Sorry for my ignorance Dikiy, can you be more specific?
The string you base64 decoded should be the hash and not the salt, right?
r.

[epixoip]

Assuming the plaintext provided is a valid password for one of the two hashes, it doesn't appear to be any of the modes Hashcat supports. Tried 1410, 1420, 1430, 1440, 1450, and 1460 to no avail.

[atom]

Same, I've also tryed with a decoded the salt and a non-decoded salt. Still there's a good possiblity this is just -m 1410 as ldap server usually work like this. If that's the case then either the hash or the salt was exported wrongly or the Plaintext is wrong.

[raist2]

Same, I've also tryed with a decoded the salt and a non-decoded salt. Still there's a good possiblity this is just -m 1410 as ldap server usually work like this. If that's the case then either the hash or the salt was exported wrongly or the Plaintext is wrong.

Which command line would you run with -m 1410 and decoded salt and how you decoded them?
I didn't extract the hash so I can't assure they are valid (even if I trust enough the guy) but I've 100 hash and using a good dict maybe I can hit some.
r.

[epixoip]

Well, you have the hash string "MWw4MjlrM2loajFz:qu0VLHJPa2dNL6+7bRIpcRGcdInpFO6B5OGMgnyEeyM=", we assume the first part is the salt and the second part is the hash. Just convert it from base64 encoding to hex encoding:

Code:

epixoip@token:~$ echo MWw4MjlrM2loajFz | base64 -d | xxd -p
316c3832396b3369686a3173

epixoip@token:~$ echo qu0VLHJPa2dNL6+7bRIpcRGcdInpFO6B5OGMgnyEeyM= | base64 -d | xxd -p
aaed152c724f6b674d2fafbb6d122971119c7489e914ee81e4e18c827c847b23

Then combine them in hash : salt format and run with --hex-salt.

Code:

./oclHashcat64.bin -m 1410 --hex-salt aaed152c724f6b674d2fafbb6d122971119c7489e914ee81e4e18c827c847b23:316c3832396b3369686a3173 -a 3 CieloAzzurro.1