|
Message-ID: <1332843683.23439.34.camel@k>
Date: Tue, 27 Mar 2012 12:21:23 +0200
From: Per Thorsheim <per@...rsheim.net>
To: john-users@...ts.openwall.com
Subject: Re: EPiServer hashes
On Tue, 2012-03-27 at 11:27 +0400, Solar Designer wrote:
> Hi,
>
> This thread was referenced in tweets CC'ed to @Openwall:
>
> http://hashcat.net/forum/thread-987-post-5151.html#pid5151
>
> Maybe our EPiServer format is wrong or out of date.
>
> Per - what's the status on this? Does JtR work right for your hashes?
> Does any change in JtR need to be made?
>
> Alexander
Status is as given in the hashcat thread, except that I also asked
@episerver if they could provide any insight:
http://www.twitter.com/thorsheim/status/183121090929893377
And they replied:
http://www.twitter.com/episerver/status/183127532474875905
..... (break for phone call):
As I started to respond to this e-mail, I got a call from an episerver
representative who had both knowledge & interest in helping out, and we
talked for quite some time. (Thank you!)
Yes, the episerver format in john is out of date. Somewhere around
version 4.x of episerver they dropped using their own crypto
implementations and went for using Microsoft .NET provided algorithms
instead. episerver is now at 6.2x if I remember correctly.
What I forgot to mention in my post at hashcat forums is that the config
also has an option named "passwordformat", with default value of "1". I
got that one answered; it is related to the .NET configuration. In fact;
depending on your .NET configuration, your episerver could seriously be
at risk.
The good news; the default install seems to provide decent security, and
probably better than many other solutions floating around. (Oops,
marketing talk... sorry)
By default episerver will rely on the SqlMembershipProvider in .NET for
securing your passwords. You can do cleartext or reversible encryption
if you want, and you can do authentication against Microsoft Active
Directory (SSO). Default though is SHA-1 with salt.
More info here:
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.passwordformat.aspx
A list of cryptograhic services provided in .NET can be found here:
http://msdn.microsoft.com/en-us/library/92f9ye3s.aspx
There are also those who tries to implement bcrypt in there as well:
http://stackoverflow.com/questions/6460711/adding-a-custom-hashalgorithmtype-in-c-sharp-asp-net
There is lots more to be read about .NET etc, but I'm nowhere near being
a programmer, and will not pretend to be one either.
Again; the good news is anyone running episerver also has .NET, and can
pick from a good list of algorithms etc in order to protect their users
passwords.
The bad news: I guess many episerver installations are running on
default .NET configurations, probably making it easier to crack the
password hashes than with a customized configuration. Of course when
configured by someone who really understands what he/she is doing.
I hope this will aid in replacing current code for episerver hashes in
john (and eventually hashcat + others). There is still some reading to
do in Microsofts documentation, even for the default config settings
that are supposed to be SHA-1 with salt.
--
Best regards,
Per Thorsheim
CISA, CISM, CISSP-ISSAP
securitynirvana.blogspot.com
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.