Posts: 45
Threads: 18
Joined: May 2015
Hey guys,
in AEM (Adobe Experience Manager), I can see the the following data on every app user:
rep:password "{SHA-256}fe90d85cdcd7e79c-1000-ef182cdc47e60b472784e42a6e167d26242648c6b2e063dfd9e27eec9aa38912"
the actual password in this case is: "Aa12345678!@"
how do i put this into Hashcat? do i need to change/rewrite the format? which module do i use?
thanks!
Posts: 2,301
Threads: 11
Joined: Jul 2010
first you need to find out how exactly the hash is generated
Posts: 197
Threads: 0
Joined: Nov 2017
Having never used Adobe Experience Manager, I googled and saw on
http://experience-aem.blogspot.nl/2014/0...gging.html that you can change the hashing from SHA-256 to SHA-512 which also shows an interesting image with the following information:
Hash Algorithm: in this case SHA-256
Hash Iterations: 1000
Hash Salt Size: 8
This seems to be correlated with your hash {
SHA-256}
fe90d85cdcd7e79c-
1000-ef182cdc47e60b472784e42a6e167d26242648c6b2e063dfd9e27eec9aa38912
If this is correct then you would need to find an algorithm on
https://hashcat.net/wiki/doku.php?id=example_hashes where you can give a salt and iterations for SHA-265. Maybe sha256crypt $5$, SHA256 (Unix) (only available in oclhashcat unfortunately)? I'm not sure yet.
Posts: 2,301
Threads: 11
Joined: Jul 2010
It could also be some custom scheme. There is an unlimited number of ways to do salted iterated hashing.
Posts: 197
Threads: 0
Joined: Nov 2017
05-01-2018, 04:22 PM
(This post was last modified: 05-01-2018, 04:37 PM by DanielG.)
I tried the following schemes (with different iterations), but no luck:
- most likely, sha_265(salt+password) then rehash the hash 1000 times
- most likely too, sha_265(password+salt) then rehash the hash 1000 times
- less likely sha_265(password) then rehash the hash 1000 times prepending salt every time
- less likely sha_265(password) then rehash the hash 1000 times appending salt every time
- even less likely sha_265(salt) then rehash the hash 1000 times prepending password every time
- even less likely sha_265(salt) then rehash the hash 1000 times appending password every time
- same scenario's as above, but instead of using the raw bytes from the hash, print it as 'hex string' (very unlikely)
I have added the python code to replicate if you want different schemes.
I used the 'default' password of admin from this script:
https://gist.github.com/andrewmkhoury/da...50d4d83795
Code:
import hashlib
# {SHA-256}a9d4b340cb43807b-1000-33b8875ff3f9619e6ae984add262fb6b6f043e8ff9b065f4fb0863021aada275
# https://gist.github.com/andrewmkhoury/da868236e16a2415439b7750d4d83795, reset account admin to password admin
password = b'admin'
salt = bytearray.fromhex("a9d4b340cb43807b")
thehash = "33b8875ff3f9619e6ae984add262fb6b6f043e8ff9b065f4fb0863021aada275\n"
iterations = 1001
#most likely, sha_265(salt+password) then rehash the hash 1000 times
m = hashlib.sha256()
m.update(salt)
m.update(password)
for i in range(iterations):
m.update(m.digest())
print m.hexdigest()
print thehash
#most likely too, sha_265(password+salt) then rehash the hash 1000 times
m = hashlib.sha256()
m.update(password)
m.update(salt)
for i in range(iterations):
m.update(m.digest())
print m.hexdigest()
print thehash
#less likely sha_265(password) then rehash the hash 1000 times prepending salt every time
m = hashlib.sha256()
m.update(password)
for i in range(iterations):
m.update(salt)
m.update(m.digest())
print m.hexdigest()
print thehash
#less likely sha_265(password) then rehash the hash 1000 times appending salt every time
m = hashlib.sha256()
m.update(password)
for i in range(iterations):
m.update(m.digest())
m.update(salt)
print m.hexdigest()
print thehash
#even less likely sha_265(salt) then rehash the hash 1000 times prepending password every time
m = hashlib.sha256()
m.update(salt)
for i in range(iterations):
m.update(password)
m.update(m.digest())
print m.hexdigest()
print thehash
#even less likely sha_265(salt) then rehash the hash 1000 times appending password every time
m = hashlib.sha256()
m.update(salt)
for i in range(iterations):
m.update(m.digest())
m.update(password)
print m.hexdigest()
print thehash
#from here the same scenario's as above, but instead of using the raw bytes from the hash, print it as 'hex string' (very unlikely)
m = hashlib.sha256()
m.update(salt)
m.update(password)
for i in range(iterations):
m.update(m.hexdigest())
print m.hexdigest()
print thehash
m = hashlib.sha256()
m.update(password)
m.update(salt)
for i in range(iterations):
m.update(m.hexdigest())
print m.hexdigest()
print thehash
m = hashlib.sha256()
m.update(password)
for i in range(iterations):
m.update(salt)
m.update(m.hexdigest())
print m.hexdigest()
print thehash
m = hashlib.sha256()
m.update(password)
for i in range(iterations):
m.update(m.hexdigest())
m.update(salt)
print m.hexdigest()
print thehash
m = hashlib.sha256()
m.update(salt)
for i in range(iterations):
m.update(password)
m.update(m.hexdigest())
print m.hexdigest()
print thehash
m = hashlib.sha256()
m.update(salt)
for i in range(iterations):
m.update(m.hexdigest())
m.update(password)
print m.hexdigest()
print thehash
edit: had to change tabs into spaces because this forum removed the tabs
Posts: 930
Threads: 4
Joined: Jan 2015
Looks like this is the same as:
https://github.com/magnumripper/JohnTheRipper/pull/3240
... so John the Ripper (jumbo edition) may have it soon?
~