EPiServer hash format
#11
OK, that is awesome. Thanks for information. I was able to reproduce it with Per's hash and salt. Here is some demo code:

Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "openssl/sha.h"

#define SWAP(x) ((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >> 8) | (((x) & 0x0000ff00) << 8) | (((x) & 0x000000ff) << 24))

int main (int argc, char **argv)
{
  // hash to find: 510827CFFBCF59AA7D51E0FC0E16B0DE1FDF8050
  // salt: 7c6276c27ff95a5cea4280de080da45c

  unsigned char salt[16] =
  {
    0x7c, 0x62, 0x76, 0xc2,
    0x7f, 0xf9, 0x5a, 0x5c,
    0xea, 0x42, 0x80, 0xde,
    0x08, 0x0d, 0xa4, 0x5c,
  };

  unsigned char pass[24] =
  {
    't', 0, 'e', 0, 's', 0, 't', 0,
    'P', 0, 'a', 0, 's', 0, 's', 0,
    'w', 0, 'o', 0, 'r', 0, 'd', 0,
  };

  unsigned int sha1hash[5];

  SHA_CTX ctx;

  SHA1_Init (&ctx);
  SHA1_Update (&ctx, salt, sizeof (salt));
  SHA1_Update (&ctx, pass, sizeof (pass));
  SHA1_Final ((unsigned char *) sha1hash, &ctx);

  sha1hash[0] = SWAP (sha1hash[0]);
  sha1hash[1] = SWAP (sha1hash[1]);
  sha1hash[2] = SWAP (sha1hash[2]);
  sha1hash[3] = SWAP (sha1hash[3]);
  sha1hash[4] = SWAP (sha1hash[4]);

  printf ("%08x%08x%08x%08x%08x\n", sha1hash[0], sha1hash[1], sha1hash[2], sha1hash[3], sha1hash[4]);

  return 0;
}

Quote:root@sf:~# gcc-4.4 -o tec tec.c -lssl
root@sf:~# ./tec
510827cffbcf59aa7d51e0fc0e16b0de1fdf8050

Hash: UQgnz/vPWap9UeD8Dhaw3h/fgFA= -> 510827cffbcf59aa7d51e0fc0e16b0de1fdf8050
#12
A big thank you to @skradel for telling us the formatting used, and @klingsen for the important note on Microsoft .NET version 4 using sha256 as its default.

I presume episerver will, if they haven't got it already, create a guide for their customers on how to improve the default security provided by .NET. After all .NET does have PBKDF2 support, something I really haven't heard any .NET developers understand or use... (raise your hands if you know someone!)

I'll simply challenge @skradel and @klingsen to come up with a blog post or something that
1) documents the different default encryption/hash algorithms available in .NET with default settings
2) Examples of known user/pass/hash/salt (for the obvious purpose of implementing support for it)
3) Provide examples of DOs and DONTs when configuring anything else than default

I guess there are quite a few .NET developers out there that would gain from such information. :-)
#13
Well, @skradel has made his blog post(s): http://zetetic.net/blog/2012/3/29/strong...spnet.html for those interested, with some timings to go with it: https://gist.github.com/2242252

I'll stand by my feature request for implementing specific support for the default (episerver) .NET format (SHA1), but with .NET 4x it will default to SHA256. After talking to episerver (Thx Steve!), there is every reason to believe that current episerver installations are running with the SHA1 hash/salt default.

Although "upgrading" current installations to utilize SHA256 or better, it will require 1) (simple) code changes in current installations, as well as 2) password resets across all users/accounts in order to bring them over to whatever new format you choose to implement. Easier said than done, episerver will most probably recommend and even implement/deploy better .NET settings for their next major version of episerver.
#14
Rounding off with a blog post with a big THANK YOU to the people involved in this particular case:
http://securitynirvana.blogspot.com/2012...-hash.html
#15
Thanks for the helping Per, always a winning!

I will add this algorithm to oclHashcat-plus.
#16
I've finished a first version. See here:

Quote:root@sf:~/oclHashcat-plus-0.09# echo testPassword | ./oclHashcat-plus64.bin -m 141 hash
** Valid keyfile for beta usage: atom (expires 04.05.2013)

oclHashcat-plus v0.09 by atom starting...

Hashes: 1
Unique salts: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 64
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Tahiti, 2048MB, 0Mhz, 32MCU
Device #1: Allocating 48MB host-memory
Device #1: Kernel ./kernels/4098/m0140_a0.Tahiti.64.kernel (693644 bytes)

Starting attack in wordlist stdin mode...

$episerver$*0*fGJ2wn/5WlzqQoDeCA2kXA==*zycIUapZz/v84FF93rAWDlCA3x8=:testPassword

Status.......: Cracked
Input.Mode...: Pipe
Hash.Target..: $episerver$*0*fGJ2wn/5WlzqQoDeCA2kXA==*zycIUapZz/v84FF93rAWDlCA3x8=
Hash.Type....: EPiServer 6.x
Time.Running.: 1 sec
Time.Util....: 1000.7ms/0.0ms Real/CPU, 0.0% idle
Speed........: 1 c/s Real, 0 c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 1
Rejected.....: 0
HW.Monitor.#1: 0% GPU, 46c Temp

Started: Sun May 6 00:53:29 2012
Stopped: Sun May 6 00:53:31 2012

Tomorrow I will add BF kernel, build a new beta and post some benchmarks
#17
Nice! Thank you atom!

Will also check to see if the same format is valid for "anything" that gets stored through default .NET <=3.5 settings. If so, its not just episerver format support, but ".NET SHA1 hash format".
#18
Sure, I know. I am using the same hash format JtR uses, with the version tag *0* indicating that this is the unmodified algorithm setting (.NET SHA1 hash format).

The new beta version is up on http://hashcat.net/beta/ for testing for both AMD and NVidia.

Here are some stats:

hd7970:

Quote:Speed........: 2110.4M c/s Real, 2110.7M c/s GPU

hd6990:

Quote:Speed........: 3054.4M c/s Real, 3058.3M c/s GPU

gtx560Ti:

Quote:Speed........: 428.9M c/s Real, 428.9M c/s GPU
#19
Hi guys, I've tried get into this today and work out a little proof of concept around cracking the hashes stored by the ASP.NET membership provider which, as we've discussed, should be the same as EPiServer.

Running v0.09 and trying to apply atom's syntax from above (comment 16), I'm a bit stumped - I just can't work out how that command syntax is structured and where the salt / hash is coming from. Judging by the other samples, I was expecting to see something similar to this (assuming cracking against a dict):

-m 141 [hashfile] [dict]

I'm also not sure of how the salt is appended with the hash in the hash file so, yeah, ideas? What am I missing here?
#20
The example hash is structured as following:

$episerver$ <- signature
* sep
0 <- version (currently only 0 allowed. 0 = sha1)
* sep
fGJ2wn/5WlzqQoDeCA2kXA== <- salt value, base64 encoded
* sep
zycIUapZz/v84FF93rAWDlCA3x8= <- sha1 hash, base64 encoded

The dict you are missing can be added as last parameter. If you omit it, oclHashcat accepts arbitrary input via stdin, that why it says piped in the status. In my example I used echo.