Full Disclosure mailing list archives
Re: NS1 decryption
From: Bojan <bojan99 () gmail com>
Date: Tue, 17 Jan 2006 11:33:03 +1300
On 1/16/06, Roman Medina-Heigl Hernandez <roman () rs-labs com> wrote:
> Hi,
>
> I've been told that Solaris' NS_LDAP_BINDPASSWD could be decrypted. For instance:
>
> $ ldapclient -l
> NS_LDAP_FILE_VERSION= 1.0
> NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=blr03-01,dc=india,dc=sun,dc=com
> NS_LDAP_BINDPASSWD= {NS1}3d1a48xxxxxxxxx
> ...
>
> The pass is {NS1}3d1a48xxxxxxxxx. Is it really possible to decode it and get the plaintext password? I couldn't find any useful info about decoding NS1 passwords.

Well, according to the FAQ (http://blogs.sun.com/roller/resources/raja/ldap-psd.html), it's just some simple encryption:

"5.6. What is NS1 format?? How is the NS1 format converted/used to authenticate against the userPassword in CRYPT format in the LDAP server?

The Native LDAP client library (libsldap) uses an internal and simple algorithm to encrypt (and tag) the proxyagent password so that it would not be stored in /var/ldap/ldap_client_cred in plaintext. The NS1 encrypted password will be decrypted by the libsldap library before authenticating the proxy agent to the LDAP server. From the server perspective, it receives and process the plaintext password to match the crypt userPassword as usual."

The libsldap library obviously can decrypt this, so it should be easy to write a tool which will do this (once you know how encryption/decryption works). But, from the text above, it's pretty clear that this is not a one-way function.

Cheers,

Bojan
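
Added example, not part of the original post and not Sun's or libsldap's code: because the reply concludes that {NS1} is reversible, a defender can treat the stored value as plaintext-equivalent and audit the credential file on that basis. The script parses the `NS_LDAP_*= value` layout shown in the quoted `ldapclient -l` output; the sample file contents, the example DN, and the rule that any group/other permission bit counts as a finding are assumptions.

```python
import os
import re
import stat
import tempfile

# "{TAG}" prefix on a stored bind password, e.g. {NS1}...
TAG_RE = re.compile(r"^\{([A-Za-z0-9]+)\}")

# Constructed sample in the layout of the quoted ldapclient output (not real data).
SAMPLE = ("NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com\n"
          "NS_LDAP_BINDPASSWD= {NS1}0000000000000000\n")

def parse_cred(text):
    """Parse 'NS_LDAP_KEY= value' lines into a dict (split on the first '=')."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("NS_LDAP_"):
            attrs[key.strip()] = value.strip()
    return attrs

def audit(path):
    """Return a list of findings for one credential file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Assumed policy: only the owner should have any access to this file.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access" % mode)
    with open(path) as fh:
        attrs = parse_cred(fh.read())
    secret = attrs.get("NS_LDAP_BINDPASSWD")
    if secret is None:
        return findings
    tag = TAG_RE.match(secret)
    dn = attrs.get("NS_LDAP_BINDDN", "unknown DN")
    if tag is None:
        findings.append("untagged bind password for %s" % dn)
    elif tag.group(1).upper() == "NS1":
        # Reversible by design, so file access equals password disclosure.
        findings.append("{NS1} value is reversible: treat as plaintext for %s" % dn)
    return findings

def demo():
    """Audit the constructed sample under a loose and a tight file mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ldap_client_cred")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit(path)
        os.chmod(path, 0o400)
        return loose, audit(path)
```

Even with owner-only permissions the {NS1} finding remains, so the proxy agent account's privileges in the directory and rotation of its password after any exposure of the file are the controls that matter.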