Home  •  Downloads  •  Software  •  Public Services  •  Contact Us  •  Search  •  Global WebTraffic
 Give us feedback

Simple SSHA Hash Attack Tool

/*
SSHA Attack is only to be used on targets that have given you permission to take such action. The intention of this prog is to give security personnel the ability to audit the strength of passwords in environments where they have full permission to audit such data. This tool is not created, or intended to be used, for malicious purposes.
*/
/* Use it at your own risk. */

SSHA Attack is written in ANSI C and released under the MIT License.

Author

=Andres Andreu

Requirements

SSHA Attack has the following requirements/caveats:

  • An x-86 (little endian) based Linux platform
  • An up to date kernel, the prog was written and compiled on a Fedora Core 6 sys.
  • The OpenSSL lib's version 0.9.7 or above.

    • Description

    This simple prog is a release of a tool to attack, or try to figure out the clear text component of, salted SHA hashes (SSHA) as they are used in some of today's modern day apps and/or data stores, especially LDAP. RFC-3112 provides more details on this technology. The original concept came about when auditing some production LDAP systems. The tool proved to be effective at detecting weak passwords masked by salted one-way SHA1 hashes. The prog is being released so that the rest of the security/pen-testing community could benefit from the effort.


    This is not a silver bullet prog and simply works against a very specific type of data - that of Salted SHA hashes the way they are used in LDAP systems (written in 2007/2008).

    Some simple videos showing usage are available here.

    Read the usage statement for more details, ./ssha_attack -h


    The prog currently supports dictionary style attacks as well as some brute-force models.

    Before using the prog decide what attack model you want to follow. Your current choices are:

    Dictionary based attack (-d)
    Brute force incremental attack with a predefined alphabet (that you choose) (-a [1 - 11] and -u)
    Brute force attack with a custom alphabet you provide (-a 20 and -c)
    Brute force incremental attack with a custom alphabet you provide (-a 20 and -c and -u)



    The following hash forms are supported:

    SSHA
    SSHA256
    SSHA384
    SSHA512

    Usage Statement

    Usage: ./ssha_attack -m mode [-d attack_dictionary_file | [-n min] -u max -a alphabet | -a 20 -c custom_alphabet] -s SSHA_hash_string


    -m This is the mode for the prog to operate under. The currently supported modes are "dictionary" and "brute-force". This switch is required.

    -d This option is to be used to engage "dictionary" mode. The dictionary is a regular text file containing one entry per line. The data from this file is what will be used as the clear text data to which the discovered salt will get applied.

    -l The minimum amount of attack characters to begin with.

    -u The maximum amount of attack characters to use. If -l is not used processing will start with size 1

    -a The numerical index of the attack alphabet to use:

    1. Numbers only
    2. lowercase hex
    3. UPPERCASE HEX
    4. lowercase alpha characters
    5. UPPERCASE ALPHA characters
    6. lowercase alphanumeric characters
    7. UPPERCASE ALPHANUMERIC characters
    8. lowercase & UPPERCASE ALPHA characters
    9. lowercase & UPPERCASE ALPHAnumeric characters
    10. All printable ASCII characters
    11. lowercase & UPPERCASE ALPHAnumeric characters, as well as:
    !"£$%^&*()_+-=[]{}'#@~,.<>?/|
    20. Custom alphabet - must be used with -c switch

    -c The custom attack alphabet to use, for example abcABC123! Take note that this forces a permutation based process so the larger the alphabet the longer the process will take. Also, when used with the -a 20 switch, but not the -u switch, the permutations are all based on the size of the alphabet you submit. Using the example from above all permutations would be 10 characters in length. This can also force an incremental attack when coupled with the -n switch

    -s The SSHA hash string that will be attacked. This must be a Base64 encoded string. This switch is required.



    To run the prog:

    ############### Dictionary attack
    Dictionary based attack

    ./ssha_attack -m dictionary -d dictionary.txt -s {SSHA}1sx3RjtI6KLpqb3hHPDTKqIVBd9UukC3

    ############### Dictionary attack

    ############### Brute-Force incremental
    Brute force attack with a predefined alphabet (that you choose)

    ./ssha_attack -m brute-force -a 4 -u 5 -s {SSHA}Ig272xI9C9H4kvL8vHA6UcK57Y4ad97O


    Here are some examples:

    ./ssha_attack -m brute-force -u 3 -a 9 -s {SSHA}EEiUTlF29/g8H6GlqVJT8JtGhmMkeU4S

    Hash Algorithm Detected: SHA1

    Trying Word Length: 1
    No hits for Word Length: 1

    Trying Word Length: 2
    No hits for Word Length: 2

    Trying Word Length: 3

    There is a match on value "3ee"

    Elapsed time in seconds for successful attack: 0


    ./ssha_attack -m brute-force -a 9 -l 3 -u 5 -s Tt8H7clbL9y8ryN4/RLYrCEsKqbjJsWcPmKb4wOdZDJzYWx0

    Hash Algorithm Detected: SHA256

    Trying Word Length: 3
    No hits for Word Length: 3

    Trying Word Length: 4

    There is a match on value "test"

    Elapsed time in seconds for successful attack: 96

    ./ssha_attack -m brute-force -l 3 -u 6 -a 9 -s {SSHA}PT8wnRusJxl3E7JnW6ufaFNiO6RWy6qH

    Hash Algorithm Detected: SHA1

    Trying Word Length: 3
    No hits for Word Length: 3

    Trying Word Length: 4
    No hits for Word Length: 4

    Trying Word Length: 5

    There is a match on value "Yt35T"

    Elapsed time in seconds for successful attack: 10796

    ############### Brute-Force incremental


    ############### Custom Alphabet
    Brute force attack with a custom alphabet you provide

    ./ssha_attack -m brute-force -a 20 -c custom -s {SSHA}iLWyP3dJamxdFc6sHLSJErt69+mb6en+

    Here are some examples:

    ./ssha_attack -m brute-force -a 20 -c "#hlsas" -s {SSHA}NhLfEHbVFjgBswQEgmnQdMf7/WmrPayi

    Hash Algorithm Detected: SHA1

    No hits with identical values for the alphabet ...

    There is a match on value "sl#ash"

    Elapsed time in seconds for successful attack: 0


    ./ssha_attack -m brute-force -a 20 -c "#slsah" -s CtUnKbdMFKl4lX7/82QYX4aZXrENlR8gRhM0ViB504JzYWx0

    Hash Algorithm Detected: SHA256

    No hits with identical values for the alphabet ...

    There is a match on value "sl#ash"

    Elapsed time in seconds for successful attack: 0

    ############### Custom Alphabet


    ############### Brute Force incremental with Custom Alphabet
    Brute force incremental attack with a custom alphabet you provide

    ./ssha_attack -m brute-force -a 20 -c custom -u 2 -s {SSHA}owN4fkZDoCeXo4iw1fzqWe9u4/79vrfQ

    Here is an example:

    ./ssha_attack -m brute-force -a 20 -c tse -u 8 -s {SSHA256}H0fvfbrcXAzg3uAYesE5babwQGbTsFdhphdJ1jaUEUxzYWx0

    Hash Algorithm Detected: SHA256

    Trying Word Length: 1
    No hits for Word Length: 1

    Trying Word Length: 2
    No hits for Word Length: 2

    Trying Word Length: 3
    No hits for Word Length: 3

    Trying Word Length: 4
    No hits for Word Length: 4

    Trying Word Length: 5
    No hits for Word Length: 5

    Trying Word Length: 6
    No hits for Word Length: 6

    Trying Word Length: 7

    There is a match on value "testees"

    Elapsed time in seconds for successful attack: 0

    ############### Brute Force incremental with Custom Alphabet


    Download

    http://sourceforge.net/projects/ssha-attack

    If you have any suggestions/feedback please send them to wsfuzzer [at] neurofuzz dot com.
     Counter
    User*count is developed by MusS (http://www.foreach.fr/)
    33490 Visit33490 Visit33490 Visit33490 Visit33490 Visit


     

    andres [at] neurofuzz dot com