Cracking a Security Console Password in RSA Authentication Manager 7.1

I recently had to recover a password from an RSA Authentication Manager Linux server. RSA Authentication Manager 7.1 stores all the credentials in an Oracle database. Unfortunately I'm not all that familiar with connecting to Oracle databases and pulling data out of them. However, I do like the strings command.

RSA Authentication Manager 7.1 keeps its authentication information in an Oracle database located in /usr/local/RSASecurity/RSAAuthenticationManager/db/oradata/[RANDOM STRING]/rsa_data.dat

If we run strings on this file and pipe it into less, we can then search within less for the hashes:

strings rsa_data.dat | less

There is a segment that consists of just hashes. I'm guessing that this is where the database is storing them in order to verify that a user isn't reusing the last 8 passwords when they set a new one. We're not interested in that part. We should be looking for the section that lists usernames as well as passwords. You can also search for SSHA256 and then the username, and that should put you in the right location. Once you find the correct location it will look something like the following:

VPN Username
First Name
Last Name
Email Address
Hash

Example:

bob
Bobby
Tables
bob.tables@example.com
={SSHA256}5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==,

This hash is kept in the Salted SHA256 format, where the salt is appended to the hash of the salt + password. This is known in hashcat as sha256($salt.$pass).

Hashcat can't understand the hash when it's base64 encoded. Instead we need to be able to decode it into a string that's hash:salt. We can do this using this command:

echo -n '5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==' | base64 -d | xxd -c37 -p \
| awk '{printf("%s:%s", substr($0,1,64) , substr($0,65,10))}'

Note: hexdump and xxd will give you the bytes in a different order. You need to use xxd for this, hexdump will not work properly.

This gives us:

e4aca8087d9ce22e1fdfeac8f84850af813409eec2efb033684fd1d5b92f6d09:4141414141
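The same decoding as an added Python example (not part of the original post), which also checks a known password against a record, as you would when auditing recovered credentials. The function names are hypothetical, and treating everything after the 32-byte digest as the salt is an assumption that generalizes the 5-byte salt seen above.

```python
import base64
import hashlib
import hmac
import re

DIGEST_LEN = 32  # SHA-256 digest size in bytes

# Matches the stored form seen in the strings output: "={SSHA256}<base64>,"
RECORD_RE = re.compile(r"\{SSHA256\}([A-Za-z0-9+/]+={0,2})")


def parse_ssha256(record):
    """Return (digest, salt) as bytes from a {SSHA256} record."""
    match = RECORD_RE.search(record)
    if not match:
        raise ValueError("no {SSHA256} value found")
    raw = base64.b64decode(match.group(1), validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("decoded value is too short to contain a salt")
    # Assumption: the first 32 bytes are the digest, the remainder is the salt.
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def to_hashcat(record):
    """Format a record as hex 'hash:salt', the layout the post feeds to hashcat."""
    digest, salt = parse_ssha256(record)
    return f"{digest.hex()}:{salt.hex()}"


def verify(record, password):
    """Check a candidate password: digest == sha256(salt + password)."""
    digest, salt = parse_ssha256(record)
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


def make_record(password, salt):
    """Build a record in the same layout; used to construct sample data."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


if __name__ == "__main__":
    # Record copied from the example above, including the "=" and "," framing.
    page_record = "={SSHA256}5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==,"
    print(to_hashcat(page_record))

    # Constructed sample with an 8-byte salt to show the split is length-agnostic.
    sample = make_record("constructed-pass", bytes(range(1, 9)))
    print(to_hashcat(sample), verify(sample, "constructed-pass"))
```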

Since oclhashcat-lite doesn't decode sha256($salt.$pass), we need to copy that into a file. You can redirect the output of the command used to extract the hash into a file using the >> operator:

echo -n '5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==' | base64 -d | xxd -c37 -p \
| awk '{printf("%s:%s", substr($0,1,64) , substr($0,65,10))}'  >> hash

You should use hashcat with the following options:

--hex-salt -m 1420

Example:

./cudaHashcat-plus64.bin -a 3 --hex-salt -m 1420 hash pass?l?l?l?l

cudaHashcat-plus v0.14 by atom starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 64 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 460, 1023MB, 1451Mhz, 7MCU
Device #2: GeForce GTX 460, 1023MB, 1350Mhz, 7MCU
Device #1: Kernel ./kernels/4318/m1420_a3.sm_21.64.ptx
Device #2: Kernel ./kernels/4318/m1420_a3.sm_21.64.ptx

e4aca8087d9ce22e1fdfeac8f84850af813409eec2efb033684fd1d5b92f6d09:4141414141:password

Session.Name...: cudaHashcat-plus
Status.........: Cracked
Input.Mode.....: Mask (pass?l?l?l?l)
Hash.Target....: e4aca8087d9ce22e1fdfeac8f84850af813409eec2efb033684fd1d5b92f6d09:4141414141
Hash.Type......: sha256($salt.$pass)
Time.Started...: Fri May  3 10:27:26 2013 (1 sec)
Speed.GPU.#1...: 35137.3k/s
Speed.GPU.#2...: 50038.4k/s
Speed.GPU.#*...: 85175.6k/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 143360/456976 (31.37%)
Rejected.......: 0/143360 (0.00%)
HWMon.GPU.#1...: -1% Util, 41c Temp, 52% Fan
HWMon.GPU.#2...: -1% Util, 49c Temp, 20% Fan

Started: Thu May  2 22:27:26 2013
Stopped: Thu May  2 22:27:28 2013

OpenStack Installation Scripts

There are a few OpenStack installation guides available on the internet. One of the guides I've seen used the most is mseknibilel's guide, which is available here. I followed this guide and it took me about 8 hours to get my setup up and running. I found that too much time was spent on troubleshooting issues due to entering everything by hand. Because of this I have created a set of scripts that can be used to set up a multi-node OpenStack test environment. This can be used as a basis for a small production setup. However, it does not set up SSL encryption for any of the communication traffic. I plan to write a script in the future that will add SSL to a base install. There is also no support for High Availability. If you are looking to deploy a medium to large scale cluster then I suggest looking into a bare metal provisioning tool such as Crowbar.

The scripts are currently split into five sections, which are detailed on the GitHub page. They are set up with three different network architectures in mind:

  • 1NIC - A single network that everything is run through
  • 2NIC - One network for public network access and one for management and data
  • 3NIC - One network for public network access, one for management, and one for data

You should also be able to have anything from a single machine running everything to separate machines running as a controller, quantum server, glance server, cinder server, and compute nodes. It took me less than two hours to get my 4 node cluster up and running.

You can find the scripts here: https://github.com/soleblaze/openstack

My migration from OSX to Linux

I’ve been moving back and forth between OS X and Linux for the last 5 years or so, mostly due to performance reasons. Currently I’m moving away from OS X and back to Linux, hopefully for the last time. My main reason for this is to gain more control over what my computer does and what data it sends out. I no longer feel like I’m in control of my machine when I use OSX or Windows. However, I do still find OSX applications better from a productivity standpoint. My main goal right now is to find good enough alternatives to the software I normally used in OSX. I’ll be making posts over the coming months on most of these programs and why I feel they’re useful to have.

Linux Alternatives for OSX Programs


| OSX Program | Linux Alternative(s) | Reasons for Choosing Alternative |
|---|---|---|
| 1password | lastpass and keepassx | I’m using two because lastpass has a good browser plugin, so it’s useful for website information. Keepassx is more useful to keep other passwords, such as ssh account passwords. |
| Acorn | GIMP | Acorn is an image manipulation program. GIMP is the best Linux image manipulation program that I am aware of. |
| Adium | Pidgin | Pidgin isn’t as pretty as Adium, but it works the same. |
| Hazel | Custom Script | Hazel can run scripts and move files on a regular basis based on filename. This should be able to be accomplished with shell scripts and cron jobs. |
| iTunes | Audacious | I was a big fan of XMMS and Winamp, so I prefer something simple like Audacious over more of a music library manager like Amarok. |
| Launchbar | built-in awesome functions or Synapse | The awesome window manager has built-in functionality for doing launches. Again, it’s not as nice as Launchbar, but it works. Synapse also looks like an interesting alternative and I will be looking in the future to see how well that works in awesome. |
| NetNewsWire | Liferea | Liferea has a similar layout to NetNewsWire. One drawback is that Liferea stores the Google account password in cleartext. I’m accepting this risk by creating a separate Google account that is only used for news feeds. |
| Notational Velocity | ZIM or KeepNote | Notational Velocity is a great note taking application that doesn’t require any explicit save option. I’m currently looking into ZIM and KeepNote as a replacement. I’ll be posting a blog post on this soon. |
| OmniFocus | todotxt | OmniFocus is hands down the best todo list program I’ve ever used. I haven’t found anything comparable for it in Linux. Instead I’m going back to the basics and using todotxt, which is a bash script that helps manage a text file todo list. |
| OmniOutliner | vim | A good outliner program that gets out of the way is hard to find. I haven’t found anything comparable in either Windows or Linux. Instead I’m using vim with some options to make it easier to deal with outlines. |
| OmniGraffle | dia | dia is the best diagram program that I’ve found for Linux. |
| Parallels | VirtualBox | VirtualBox lacks some of the features of Parallels, such as encrypting VMs. However, it has other features that I use, such as VDE and IOMMU/VT-d support. |
| TextExpander | AutoKey | AutoKey is a python script that monitors the keyboard and will do a replacement of text when it sees a specific string. You can also have it run a python script and replace a string with the output of that script. I’m currently unsure of the security implications of using this program. |
| Time Machine | deja-dup | Deja-Dup is a GUI frontend for duplicity. I’m still in the process of determining if it’s better to back up to a portable drive or a file server. |
| Textual | weechat | I use weechat over irssi since I have an awesome plugin to monitor notifications in it. |

Programs That I Haven’t Found Alternatives For


BusyCal - Calendar application.
Coderunner - Simple GUI text editor with color coding syntax.
Day One - Journaling Program
Fantastical - Enter calendar entries via text
Keyboard Maestro - Allows you to run macros via keyboard shortcuts.
Patterns - Used to test regexp strings.
Scrivener - Writing program designed for 10+ page documents.
Unison - Usenet reader