Monday, September 3, 2007

SHA1 Password Cracking

I looked online for a bit, but could not find any real reference to cracking SHA1 passwords. Well, there are some, like John the Ripper with the SHA1 patch.

I found a few posts asking how to pen test LDAP SHA1 databases, but other than JTR, not much.

So - here you go:

Netscape LDAP SHA1 passwords are stored as the base64 of the raw 20-byte digest with {SHA} prepended, e.g.
{SHA}v83z5sps70VUO/u1dQnJKuyaOfs=, which is my personal super secret password. With a little perl it is easy to decode them to the hex SHA1 values we know and love: bfcdf3e6ca6cef45543bfbb57509c92aec9a39fb. One caveat before you start: a value beginning {SSHA} is salted SHA1 (the digest of password plus a random salt, with the salt appended before the base64). Rainbow tables do not apply to those; they go to JTR or a wordlist run instead.

Key perl statements to go from a plaintext password to the SHA1 hex and the LDAP base64 forms:
#! /usr/bin/perl
#
use strict;
use warnings;
use Digest::SHA;     # core module; Digest::SHA1->new works the same way if you have it
use MIME::Base64;

my $secret = $ARGV[0];   # note: argv is visible in ps, fine on a test box
die "usage: $0 <password>\n" unless defined $secret;

# Hex digest: the form rcrack and JTR want in hashs.txt
my $ctx = Digest::SHA->new(1);   # 1 selects SHA-1
$ctx->add($secret);
print 'sha1 hex: ' . $ctx->hexdigest . "\n";

# LDAP form: base64 of the raw 20-byte digest (no trailing newline), with {SHA} in front
$ctx = Digest::SHA->new(1);      # hexdigest() resets the object, so start fresh
$ctx->add($secret);
my $hashedPasswd = '{SHA}' . encode_base64($ctx->digest, '');
print 'userPassword: ' . $hashedPasswd . "\n";



Now you can use JTR or, my choice, rainbow tables. Spreading the load over 4 or 5 machines, I built the SHA1 tables for 1 to 8 character passwords drawn from lowercase [a-z], [0-9] and 14 symbols in about a week.

They come to about 26GB and will catch most of the weak passwords users pick, as long as those stay inside that character set.
rtgen sha1 loweralpha-numeric-symbol14 1 8 x39x 2400 40000000 x00
rtgen's arguments are, in order: hash algorithm, charset, minimum length, maximum length, table index, chain length, chain count and part index. Replace x39x with the table index; I ran 0 through 39. Replace x00 with the part index, which is 0 unless you split a table into parts.

For a nice 6GB you can get lowercase [a-z][0-9] for 1 to 8 characters, which will cover a lot:
rtgen sha1 loweralpha-numeric 1 8 x10x 2400 40000000 x00
Replace x10x with your table number, 1 through 10, and x00 with the part index as above.

I stripped the uid and userPassword attributes out of LDAP and stored them in a protected file (those hashes are credentials, so treat the file accordingly), converting each base64 value into hex:

davesmith:bfcdf3e6ca6cef45543bfbb57509c92aec9a39fb

Next, I pulled just the hex hashes, one per line, into my working file, hashs.txt.

Crack away!
rcrack sha1*.rt -l hashs.txt

So now I see all of the weak passwords users have created, which is always tragic fun. Match the cracked hashes back to the usernames in the original file, and you have pen tested your LDAP password quality.
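The whole pipeline above, as an added example in Python rather than the post's Perl (this is not the author's script): parse the LDIF export, turn {SHA} values into the hex that rcrack and JTR expect, set {SSHA} entries aside because salted hashes are beyond rainbow tables, produce the hashs.txt contents, and join a result list back to user names. The LDIF, the user names, the passwords and the salt are constructed here; only davesmith's {SHA} value comes from the post. The result-line layout (hash first, plaintext second, whitespace separated) is an assumption about rcrack's result section, and only those two fields are read.

```python
#!/usr/bin/env python3
# Added example (not the post's code): LDIF export -> username:hex file,
# hashs.txt contents, and cracked-hash-to-user mapping, with {SSHA} handled.
import base64
import hashlib
import re

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def ldap_sha_to_hex(value):
    """'{SHA}' + base64(20-byte digest) -> 40-char hex; None for other schemes."""
    if not value.startswith("{SHA}"):
        return None
    digest = base64.b64decode(value[len("{SHA}"):])
    if len(digest) != 20:
        raise ValueError("{SHA} value is not a 20-byte SHA-1 digest")
    return digest.hex()


def ldap_ssha_split(value):
    """'{SSHA}' + base64(digest || salt) -> (hex digest, salt bytes); None otherwise."""
    if not value.startswith("{SSHA}"):
        return None
    raw = base64.b64decode(value[len("{SSHA}"):])
    return raw[:20].hex(), raw[20:]


def make_sha(password):
    """Unsalted {SHA} value, the same thing the post's Perl produces."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password, salt):
    """Salted {SSHA} value: sha1(password || salt) with the salt appended in the clear."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ldap_password(stored, candidate):
    """Check a candidate against a {SHA} or {SSHA} userPassword value."""
    if stored.startswith("{SHA}"):
        return hashlib.sha1(candidate.encode()).hexdigest() == ldap_sha_to_hex(stored)
    if stored.startswith("{SSHA}"):
        digest_hex, salt = ldap_ssha_split(stored)
        return hashlib.sha1(candidate.encode() + salt).hexdigest() == digest_hex
    raise ValueError("unsupported scheme in " + stored)


def parse_ldif(text):
    """Return [(uid, userPassword), ...]; 'attr:: value' is LDIF's base64 form.
    Continuation lines (leading space) are not handled, to keep this short."""
    entries, uid, pw = [], None, None
    for line in text.splitlines() + [""]:
        if line == "":                      # a blank line terminates an entry
            if uid and pw:
                entries.append((uid, pw))
            uid = pw = None
            continue
        m = re.match(r"^(\w+)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, val = m.groups()
        if sep == "::":
            val = base64.b64decode(val).decode()
        if attr.lower() == "uid":
            uid = val
        elif attr.lower() == "userpassword":
            pw = val
    return entries


def split_for_cracking(entries):
    """uid -> hex for unsalted {SHA}; anything else ({SSHA} etc.) is kept for JTR, not tables."""
    unsalted, other = {}, {}
    for uid, pw in entries:
        h = ldap_sha_to_hex(pw)
        if h is not None:
            unsalted[uid] = h
        else:
            other[uid] = pw
    return unsalted, other


def hashs_text(unsalted):
    """Contents of hashs.txt: one unique hex hash per line (users often share one)."""
    return "\n".join(sorted(set(unsalted.values()))) + "\n"


def map_cracked(result_lines, unsalted):
    """Join result lines ('<hex> <plaintext> ...') back to user names.
    Assumed layout: first field hash, second field plaintext; other fields ignored."""
    found = {}
    for line in result_lines.splitlines():
        parts = line.split()
        if len(parts) >= 2 and HEX40.match(parts[0]):
            found[parts[0]] = parts[1]
    return {uid: found[h] for uid, h in unsalted.items() if h in found}


# Constructed sample export. DAVE_SHA is the value quoted in the post; the
# other users, passwords and the salt are made up here.
DAVE_SHA = "{SHA}v83z5sps70VUO/u1dQnJKuyaOfs="
SAMPLE_LDIF = "\n".join([
    "dn: uid=davesmith,ou=people,dc=example,dc=com", "uid: davesmith",
    "userPassword: " + DAVE_SHA, "",
    "dn: uid=bob,ou=people,dc=example,dc=com", "uid: bob",
    "userPassword:: " + base64.b64encode(DAVE_SHA.encode()).decode(), "",  # LDIF base64 form
    "dn: uid=jane,ou=people,dc=example,dc=com", "uid: jane",
    "userPassword: " + make_ssha("Summer2007", bytes.fromhex("0badcafe")), "",
    "dn: uid=carol,ou=people,dc=example,dc=com", "uid: carol",
    "userPassword: " + make_sha("letmein"),
])
# Constructed stand-in for rcrack's result section (layout assumed, see map_cracked).
SAMPLE_RESULTS = hashlib.sha1(b"letmein").hexdigest() + "  letmein  hex:6c65746d65696e\n"

if __name__ == "__main__":
    unsalted, other = split_for_cracking(parse_ldif(SAMPLE_LDIF))
    for uid, h in unsalted.items():
        print(f"{uid}:{h}")                 # the protected username:hash file
    print("hashs.txt ->", hashs_text(unsalted).split())
    print("salted, not table-crackable:", list(other))
    print("cracked:", map_cracked(SAMPLE_RESULTS, unsalted))
```

Two things the script makes visible that the file-juggling hides: davesmith and bob share one hash because they share a password, so hashs.txt is deduplicated before the table run and the match step fans the result back out to both; and jane's {SSHA} entry never reaches hashs.txt at all, since cracking it means hashing each guess with her salt, which is what verify_ldap_password does for a single guess.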
