Re: Cracking Base64 Passwords Perl Script.

From: Brian Hatch (bri@ifokr.org)
Date: 11/12/02 

Date: Tue, 12 Nov 2002 08:15:33 -0800
From: Brian Hatch <bri@ifokr.org>
To: Singapore Dragon <dragon@securityassoc.com>

(Pen-test/Sectools, only bother sending this through if you allow
the original.)

> Tool to crack Base64 passwords - could not find anything similar on the
> Internet.

'Crack'? Base64 is an encoding algorithm, just like uuencode.
It's not encryption. It's supposed to be easily reversable.

I find it hard to believe this person "could not find anything similar
on the Internet". What he's using is MIME::Base64 from perl's CPAN.
This is command-line stuff.

   $ perl -MMIME::Base64 -le 'print decode_base64("dGVzdDpwYXNzd29yZA==")'
   test:password

For gods sake, I have this as an alias in my .bashrc.

Perhaps the reason there aren't any tools out there listed to
'crack' this is because it isn't a crack, and no one bothers
trying to market their genius in 'use module; call subroutine'

> While pen testing and looking around for something to crack a Base64
> encoded password I could not find much in the way of a simple script,
> so I decided to right a Perl script myself...

No, you took the work of Gisle Aas, MIME::Base64, and put it in a
perl script and slapped a few print statements on it.

> Many weak security mechanisms rely on base64 encoding scheme. IIS server
> is one such example, from the below example we see IIS Basic
> authenication in action on a GET request:

This is HTTP basic authorization, it's not IIS specific. It's not used
for security, it's used to make sure that the password, regardless of
ugly characters, is able to be represented in a portable form. (For a
very vague description, Base64 takes input and turns it into ASCII
printable output.) This is why you should only use it over HTTPS if
you don't want your password getting out.

> Enjoy and please send comments...

Hope you receive lots of fame and fortune. 

--
Brian Hatch                  You have that vacant
   Systems and                look in your eyes that
   Security Engineer          says "Hold your ear up
http://www.ifokr.org/bri/     to my head and you
                              will hear the sea"
Every message PGP signed

Relevant Pages

  • Re: [SLE] Where are logins recorded?
    ... With the current state-of-the-art programming, no it isn't, short of turning ... If you are offering a service to the internet, and that service contains a bug ... that the effort required to crack it isn't worth whatever is found on the ... If you stay up to date with all the security patches released, ...
    (SuSE)
  • If Columbia crew had only spotted the UFO -- their RCC fragment drifting away....
    ... Lone sleuth uses the Internet and his wits to solve UFO mysteries ... By James Oberg, NBC News space analyst // Special to MSNBC ... But it didn't take long to crack the case, thanks to the power of the ... Internet and one amateur space sleuth's passion to find out. ...
    (sci.space.shuttle)
  • Re: Reinstallation av XP on new HD and new MB
    ... Crack wrote: ... Shenan Stanley wrote: ... > than by Internet. ... If your license of Windows XP is retail (not OEM) and/or you haven't ...
    (microsoft.public.windowsxp.setup_deployment)
  • Re: Password Protect a worksheet
    ... Please be aware that a password cracker, easily downloaded from the internet ... should crack your password in oh - er a couple of seconds so should not be ... >> anyone opening rather than making changes. ...
    (microsoft.public.excel.worksheet.functions)