12-26-2019, 05:30 PM
Hi all,
I couldn't find this on Google, so hopefully it might help someone else. BTW, this is a test hash generated on my machine and doesn't matter to anyone.
First, find config.dat on the server. In config.dat, find the string "plain", e.g.
h m\0\0\0 plainm\0\0\00bl/nSj6e7vZS5KQqHmoTER7Z4cgTcDSL5vZTeaaFEAqCpxpLh m
Take 0'b...'h as bolded - lose the initial '0' and the trailing 'h' - and base64 decode, then ASCII hex encode to get
6e5fe74a3e9eeef652e4a42a1e6a13111ed9e1c81370348be6f65379a685100a82a71a4b
The salt is the first 16 bytes, the hmac result is the next 20 bytes
salt 6e5fe74a3e9eeef652e4a42a1e6a1311
hmac 1ed9e1c81370348be6f65379a685100a82a71a4b
For hashcat, construct the target hash as hmac:salt, so like this for my example:
1ed9e1c81370348be6f65379a685100a82a71a4b:6e5fe74a3e9eeef652e4a42a1e6a1311
Then crack with hashcat mode 160 and --hex-salt:
hashcat64.exe -m 160 target.txt Top32Million-probable.txt -w3 --hex-salt -O -r rules\InsidePro-PasswordsPro.rule
..
1ed9e1c81370348be6f65379a685100a82a71a4b:6e5fe74a3e9eeef652e4a42a1e6a1311:password
I should code up something to do the extraction for me, but I haven't got round to it as yet.
Tested on Couchbase 6.0.0 Community.
( for completeness, this is basically a copy of my blog post here https://gravitas-shortfall.blogspot.com/...sword.html )
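The extraction steps from the post above, written out as an added Python example for auditing your own node (not code from the original post, Couchbase or hashcat). Assumptions: the function names are made up here, and reading the bytes after "plainm" as a 4-byte big-endian length (which makes the "initial '0'" the length byte 0x30 = 48) is inferred from the sample line only.

```python
import base64
import hashlib
import hmac
import struct

SALT_LEN, MAC_LEN = 16, 20  # sizes given in the post

# The post's sample line, with \0 written as NUL bytes (test hash from the post).
SAMPLE = (b"h m\x00\x00\x00 plainm\x00\x00\x00"
          b"0bl/nSj6e7vZS5KQqHmoTER7Z4cgTcDSL5vZTeaaFEAqCpxpLh m")


def extract_fields(data: bytes):
    """Yield (salt, mac) for every 'plain' entry found in config.dat bytes."""
    marker = b"plainm"
    pos = data.find(marker)
    while pos != -1:
        start = pos + len(marker)
        # Assumption: the 4 bytes after 'm' are a big-endian length, so the
        # "initial '0'" in the post is the low length byte (0x30 = 48).
        if start + 4 <= len(data):
            (length,) = struct.unpack(">I", data[start:start + 4])
            field = data[start + 4:start + 4 + length]
            try:
                raw = base64.b64decode(field, validate=True)
            except ValueError:  # truncated or non-base64 field
                raw = b""
            if len(field) == length and len(raw) == SALT_LEN + MAC_LEN:
                yield raw[:SALT_LEN], raw[SALT_LEN:]
        pos = data.find(marker, pos + 1)


def hashcat_line(salt: bytes, mac: bytes) -> str:
    """Format as hmac:salt, the target layout the post uses with --hex-salt."""
    return f"{mac.hex()}:{salt.hex()}"


def matches(salt: bytes, mac: bytes, candidate: str) -> bool:
    """Check one candidate; hashcat mode 160 is HMAC-SHA1 keyed with the salt."""
    digest = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, mac)


if __name__ == "__main__":
    for salt, mac in extract_fields(SAMPLE):
        print(hashcat_line(salt, mac))
```

Reading the length prefix instead of trimming a leading '0' and trailing 'h' by hand avoids the ambiguity that 'h' is itself a valid base64 character.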