How to decrypt evp_aes_256_gcm? - encryption

I have been testing with some tools on my local network through using public IPs to get credentials with Setoolkit 7.7.9 and I have gotten it to work. The username was passed on to me, however the password is encrypted with what seems to me "evp_aes_256_gcm". How would I use OpenSSL to figure out the password parameter? I'm not even sure if OpenSSL supports that algorithm, but when I use OpenSSL for any other aes decryption, the program asks me for a "decryption password".
Here is the parameter in Setoolkit:
POSSIBLE PASSWORD FIELD FOUND: encpass=#PWD_BROWSER:5:1601126600:AQBQAM/HMFL4DBIJ5ZyBuQGoZGE8YDfhQ6Y6iQa+cWz7jNMr31Tlc1g5eBX+bSBu/SxVtzKxZ5wwaAHHujuhjKuj741rWzlFk0b1EpxvDofHC+fRm9rTjxwyBfx45Zge7jhbYqshJjmFd47g+8qL12o=
Here is what I know:
That the program DID get an input, obviously with user
PWD_BROWSER has some relevancy to the site in which the credential was harvested
"1601126600" refers to some "time"
"5" refers to version
I went on the OpenSSL page on the evp_aes_256_gcm and it was listed, so is it hidden in terminal?
The last part after the colon is the actual encrypted password, or key
What would be an easy fix to this in OpenSSL?
I put this code in my terminal from the OpenSSL site to see if it could find the EVP_aes password in the file saved:
grep -IR EVP_aes * | sed 's/.*\(EVP_aes[^( ;,]*\).*/\1()/; /#/ d' | sort | uniq
And did receive:
EVP_aes_256_gcm()
This is the first time this happened to me, other times the password parameter would be plain text on certain devices, so is there any quick fix to this? If not is there a script that could decrypt the password?
Documentation links would help too.

Related

Encrypting the Web Console password in ActiveMQ

I have to get rid of the clear text password in ActiveMQ server in the jetty-realm.properties file as part of the security requirements of our project.
I followed the procedure for encrypting passwords found here: https://activemq.apache.org/encrypted-passwords.html.
In jetty-realm.properties I replaced the plain password with ${activemq.password}
But I could not login into the web console (http://localhost:8161/admin)
Are there additional config parameters I need to change? Any help would be greatly appreciated.
To encrypt the password we can use the Jetty utility. This can be downloaded from http://download.eclipse.org/jetty/.
Use:
java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password admin admin
admin
OBF:1u2a1toa1w8v1tok1u30
MD5:21232f297a57a5a743894a0e4a801fc3
CRYPT:adpexzg3FUZAk
Add in bus\conf\jetty.xml\jetty-realm.properties
admin: MD5:21232f297a57a5a743894a0e4a801fc3, admin
A very important note: the sequence of data specified by you should be as follows:
org.eclipse.jetty.util.security.Password [username] password
Also note that in some shells (like default on Ubuntu 20.04) the dollar sign inside the password will effectively truncate your password to the part preceding the dollar sign.
(I meant to put a comment to the answer by @dorin.canepa, but clicked on a wrong button and now it's an answer, oh well)

Glassfish Change Admin Password

How can I change the admin password for a Glassfish Domain using a password file? I know the conventional method of manually typing the password upon prompt.
However I want to change the admin password using a script where in I do not have to manually type the password.
This is possible, but you will need 2 password files if you want to script this fully in the easiest way.
Create a temporary file (tmpfile in my example) which will hold the current password (blank by default) and the desired new password:
AS_ADMIN_PASSWORD=
AS_ADMIN_NEWPASSWORD=myNewPassword
Now create a password (pwdfile in my example) file which will contain the changed admin password:
AS_ADMIN_PASSWORD=myNewPassword
You can then use the files to change the password using the commands below, making sure to use tmpfile when changing the password, then pwdfile afterwards
$PAYARA_PATH/bin/asadmin start-domain
$PAYARA_PATH/bin/asadmin --user $ADMIN_USER --passwordfile=/opt/tmpfile change-admin-password
$PAYARA_PATH/bin/asadmin --user $ADMIN_USER --passwordfile=/opt/pwdfile enable-secure-admin
$PAYARA_PATH/bin/asadmin restart-domain
This example was adapted from the way the Payara Server dockerfile works
For anyone still interested in manually setting the admin account password:
I tried to generate the contents of the "admin-keyfile" located in "glassfish/domains/{ACTIVE_DOMAIN_NAME}/config/admin-keyfile" based on the current implementation of the Payara Repo. This file (as the data source for the FileRealm) is used to authenticate the admin user when accessing the admin interface under port 4848.
Each line of this text file represents an account and is structured as
USERNAME;PASSWORD;GROUPS
The field "PASSWORD" is prefixed with a hash algorithm keyword (wrapped in curly braces, e.g. "SSHA" or "SSHA256") followed by a BASE64 encoded hash of the concatenated salted hash and the salt value itself (some random bytes):
{SSHA}BASE64(SHA(password,salt),salt)
Long story short: If you want to generate user accounts manually you could for example use the following Python script:
import hashlib
from base64 import b64encode
from secrets import token_bytes
from getpass import getpass
username = 'admin' # input('Username: ')
plainTextPassword = getpass()
randomSalt = token_bytes(8)
# first pass: SHA-256 over password followed by salt
passwordHash = hashlib.sha256()
passwordHash.update(plainTextPassword.encode('utf-8'))
passwordHash.update(randomSalt)
passwordDigest = passwordHash.digest()
# cryptic range reflects the strange implementation... feel free to change it to "range(99)"
# https://github.com/payara/Payara/blob/6488cbdc90fd0f6c42de6a42affcd09f697be715/nucleus/common/common-util/src/main/java/org/glassfish/security/common/SSHA.java#L108
for run in range(2, 101):
    passwordHash = hashlib.sha256()
    passwordHash.update(passwordDigest)
    passwordDigest = passwordHash.digest()
# stored value is BASE64(hash || salt) behind the {SSHA256} keyword
saltedHashAndSalt = b64encode(passwordDigest + randomSalt).decode('utf-8')
result = '{0};{{SSHA256}}{1};asadmin'.format(username, saltedHashAndSalt)
print(result)
Insert the console output into the "admin-keyfile" and (re)start your server.
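The reverse direction, as an added example that is not part of the original answer or of Payara's code: it parses one admin-keyfile line in the USERNAME;PASSWORD;GROUPS layout, splits the decoded field into hash and salt, and checks a candidate password, for instance to confirm the admin account no longer has the blank default. The function names, the 32-byte split and the sample line are assumptions of this example.

```python
import hashlib
import hmac
from base64 import b64decode, b64encode

DIGEST_LEN = 32   # SHA-256 output size; the bytes after it are the salt
ROUNDS = 100      # one salted pass plus 99 re-hashes, as in the script above


def ssha256(password: str, salt: bytes) -> bytes:
    """Iterated salted SHA-256 as the generator script computes it."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    for _ in range(ROUNDS - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def parse_keyfile_line(line: str):
    """Split USERNAME;{ALGO}BASE64;GROUPS into (user, algo, hash, salt, groups)."""
    user, field, groups = line.strip().split(";", 2)
    if not field.startswith("{") or "}" not in field:
        raise ValueError("PASSWORD field has no {ALGO} prefix")
    algo, encoded = field[1:].split("}", 1)
    if algo != "SSHA256":
        raise ValueError(f"unsupported algorithm: {algo}")
    raw = b64decode(encoded, validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("decoded field too short to hold hash and salt")
    return user, algo, raw[:DIGEST_LEN], raw[DIGEST_LEN:], groups


def verify_keyfile_line(line: str, candidate: str) -> bool:
    """True if candidate is the password stored in this keyfile line."""
    _, _, stored, salt, _ = parse_keyfile_line(line)
    return hmac.compare_digest(ssha256(candidate, salt), stored)


def make_line(user: str, password: str, salt: bytes) -> str:
    """Build a line the same way the script above does (for the demo only)."""
    blob = b64encode(ssha256(password, salt) + salt).decode("ascii")
    return f"{user};{{SSHA256}}{blob};asadmin"


if __name__ == "__main__":
    # Constructed sample: fixed salt so the run is repeatable.
    sample = make_line("admin", "myNewPassword", bytes(range(8)))
    print(sample)
    print("blank password still set:", verify_keyfile_line(sample, ""))
    print("new password accepted:  ", verify_keyfile_line(sample, "myNewPassword"))
```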
As far as I know, it is impossible to change it via a file as a parameter for security reasons.
You can consider an alternative solution (pipe) but the confirmation of the password is always necessary. https://docs.oracle.com/cd/E19798-01/821-1758/change-admin-password-1/index.html

Datapower SSH login ignores username

When I ssh to my Datapower node like so: ssh user@192.168.0.1 I receive this response:
ssh user@192.168.0.1
(unknown)
Unauthorized access prohibited.
login:
I then enter in the same username, and am also prompted for a password. I type in my credentials and it works! Why didn't it just read my username the first time?
This is hampering my ability to automate a few basic tasks with shell scripts such as fetching logs for processing.
I agree with @Ken and @Stefan that an XML Management is a more appropriate tool for long term automations, however, sometimes we need something quick or temporary (or both) ... and for that a CLI automation is easier and faster to develop.
An easy way to push commands to CLI from a shell script is directing the input and output, like this quick sample:
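#!/bin/ksh
DPHOST=datapower.device.company.com
DP_USER_ID="myuser"
DP_PASSWORD="mypasword"
TMPFILE=/tmp/tempfile.dp
OUTFILE=/tmp/outfile.dp
TS=`date +%Y%m%d%H%M%S`
# The temp file holds the password: create it readable by the owner only
umask 077
# DataPower prompts for user, password and domain, then accepts CLI commands
cat << EOF > "$TMPFILE"
$DP_USER_ID
$DP_PASSWORD
default
echo show cpu
show cpu
echo show memory
show memory
EOF
# -T: no pseudo-terminal, so the prompts are answered from the redirected file
ssh -T "$DPHOST" < "$TMPFILE" > "$OUTFILE.$TS"
rm "$TMPFILE"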
Note that if you do not have any application domains defined, you may suppress the "default" after the password
And of course, for security reasons you may request the user and password at run time, rather than have it saved in a plain text file, but that is up to you ... the relevant piece here is that you can redirect the file with the commands to a regular ssh session
If you prefer, something like cat $TMPFILE | ssh -T $DPHOST > $OUTFILE.$TS would also work.
That is because DataPower really isn't an SSH server, only using the protocol.
What I do in my scripts is that I do the connection, wait for the response and then send the username as the second command and password as third:
ssh [datapower ip]
(unknown)
Unauthorized access prohibited.
login:
your-username
password:
your-password
'#xi52:
DataPower ignores the passed-in username.
Will using the XML Management interface meet your needs? I probably have some scripts laying around.
Ken

SFTP doesn't work with encoded password

We use SFTP in our project to transfer files over an SSH connection. This is done through java code. Assuming that if for characters like ?, ! etc we need to give the encoded value in the sftp command, we encoded the password in the code and generated the command. But SFTP isn't working with these encoded passwords now; it accepts the password directly. What could be the issue? Please help.
Example username: xyz password: abc!
We use URLEncoder to encode the username and password.
String encodedUsername = URLEncoder.encode(username, "UTF-8");
String encodedPassword = URLEncoder.encode(password, "UTF-8");
After encoding, our code would generate the SFTP command as: sftp://xyz:abc%21@10.9.10.9/home/documents/xyz.txt
But this isn't working; authentication fails with a wrong password, whereas if we manually give the command sftp://xyz:abc!@10.9.10.9/home/documents/xyz.txt it works.
Please let us know if we are going wrong.
Thanks in advance.
That's not actually an issue. SFTP is a subsystem of SSH, and SSH creates a secure channel upon client connection (similarly to what SSL does but at layer 7): once the secure and encrypted connection is established, your username and password will be sent to the SSH server inside such connection, therefore there is no need to encode them nor to encrypt them.
The SSH server expects to receive your username/password as they are, not pre-processed nor encoded. And you can do that safely with SFTP for the reason explained here above. So no reason to be worried.

What sort of encryption is this?

I'm working on a login system for a website that currently uses Apache's prompt box for login, and stores usernames/passwords in a file on the server (as opposed to a table in the database). I'm running into a problem here because the passwords are encrypted in a way I've never seen before. I was wondering if someone can recognize the encryption used here. Examples:
"budapest" translates to "$apr1$6awtpn87$1PzMKL1M4H6urlEil/z5m/" and "Mario" translates to "$apr1$zhadw0iq$r8plh8o.Jj.V34oJ1tjWV1"
All encrypted passwords have "$apr1" at the beginning, then 8 characters, then "$" and then 22 more characters. This gives 32 characters excluding the "$apr1" so I thought it might be some variation on md5 but I haven't worked with encryption much so I was hoping someone could give me a hand?
This is the content of the .htaccess file:
AuthType Basic
AuthName "Site name here"
AuthUserFile "path to password file here"
require valid-user
It's an APR1-MD5 Hash. The documentation can be found at:
http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
If it stores the username/pass in a file, it's probably some form of Basic Authentication.
http://httpd.apache.org/docs/2.1/howto/auth.html
http://httpd.apache.org/docs/1.3/howto/htaccess.html
This is a password hash which is built the following way:
$algorithm$salt$hash
So this is the apache style apr1-md5 algorithm, then the 8-byte random salt and then the actual hash of your password - using the salt.
See http://httpd.apache.org/docs/2.1/misc/password_encryptions.html for more information on the supported password hash/encryption methods in HTTP Basic Auth using apache httpd.
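As an added example (not from the original answers or from Apache's code), the $apr1$salt$hash layout described above can be parsed and a login attempt checked against it by recomputing the hash with the stored salt. The function names are this example's own, and the two sample entries are the ones quoted in the question.

```python
import hashlib
import hmac
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Password/hash pairs quoted in the question above.
PAGE_EXAMPLES = {"budapest": "$apr1$6awtpn87$1PzMKL1M4H6urlEil/z5m/",
                 "Mario": "$apr1$zhadw0iq$r8plh8o.Jj.V34oJ1tjWV1"}

def parse_entry(entry: str):
    """Split '$apr1$salt$hash' into (scheme, salt, hash), checking lengths."""
    parts = entry.split("$")
    if len(parts) != 4 or parts[0] or parts[1] != "apr1":
        raise ValueError("not an $apr1$ entry")
    if not 1 <= len(parts[2]) <= 8 or len(parts[3]) != 22:
        raise ValueError("unexpected salt or hash length")
    return tuple(parts[1:])

def apr1_md5(password: str, salt: str) -> str:
    """APR1-MD5 (md5crypt with the $apr1$ magic): 1000 rounds of salted MD5."""
    pw, sp = password.encode("utf-8"), salt.encode("ascii")
    alt = hashlib.md5(pw + sp + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    for n in range(len(pw), 0, -16):      # mix in alt, one byte per password byte
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                              # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                 # stretching rounds
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3: h.update(sp)
        if i % 7: h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = []                              # crypt-style base64 with byte shuffling
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        out += [ITOA64[v >> s & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]]
    return "$apr1$" + salt + "$" + "".join(out)

def verify_apr1(password: str, entry: str) -> bool:
    """Recompute with the entry's own salt and compare in constant time."""
    _, salt, _ = parse_entry(entry)
    return hmac.compare_digest(apr1_md5(password, salt).encode(), entry.encode())

if __name__ == "__main__":
    for pw, entry in PAGE_EXAMPLES.items():
        print(pw, parse_entry(entry), verify_apr1(pw, entry))
```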
