[HACK] Crack IBM Domino LDAP password hashes

hashcat

If you have an IBM Lotus Domino LDAP server, you should know password hashes can be easily cracked. Actually, there are three versions of the hash algoritms:

  • Version 1: 32 characters long, hexadecimal character set (A-F, 0-9), starts and ends in parentheses
  • Version 2: 22 characters long, extended character set (A-Z including upper and lower case, 0-9 plus special characters), starts with (G and ends in )
  • Version 3: 51 characters long, same character set as version 2, starts with (H and ends in )

You can read more details about those algoritms at the following link: Understanding IBM Domino password hashes

In this post we will see how to break V1 password hashes. First of all, download hashcat and search for good dictionaries (weakpass is an awesome resource… ssssh!). Then, before starting with the cracking process, look at mask attack documentation to better understand all charsets used in hashcat.

Good, now you are ready to start…

# All passwords having any-char and length from 1 to 6
 hashcat -m 8600 --increment --increment-min=1 -a 3 hashes.txt ?a?a?a?a?a?a

# All [a-z0-9] passwords having length from 7 to 8
hashcat -m 8600 --increment --increment-min=7 -1 ?l?d -a 3 hashes.txt ?1?1?1?1?1?1?1?1

# All numeric passwords having length from 9 to 10
hashcat -m 8600 --increment --increment-min=7 -a 3 hashes.txt ?d?d?d?d?d?d?d?d?d?d

# All passwords having 5 lowercase letters and 3 numbers
hashcat -m 8600 -a 3 hashes.txt ?l?l?l?l?l?l?d?d?d

# All passwords having 5 lowercase letters, 1 dot and 2 numbers
hashcat -m 8600 -a 3 hashes.txt ?l?l?l?l?l.?d?d

# All passwords having 1 any-char, 5 lowercase letters, 1 any-char and 1 number
hashcat -m 8600 -a 3 hashes.txt ?a?l?l?l?l?l?a?d

# All passwords having 1 [a-zA-Z] char, 6 lowercase letters and 2 numbers
hashcat -m 8600 -1 ?l?u -a 3 hashes.txt ?1?l?l?l?l?l?l?d?d

# All passwords contained in dictionaries
hashcat -m 8600 -a 0 hashes.txt dictionaries/weakpass_2
hashcat -m 8600 -a 0 hashes.txt dictionaries/HashesOrg

# All passwords combining words in dictionaries and masks
hashcat -m 8600 -1 ?l?u?d -a 6 hashes.txt dictionaries/rockyou.txt ?1?1
hashcat -m 8600 -a 6 hashes.txt dictionaries/rockyou.txt ?d?d?d
hashcat -m 8600 -a 6 hashes.txt dictionaries/hk_hlm_founds.txt ?a

# All passwords combining masks and words in dictionaries
hashcat -m 8600 -1 ?l?u?d -a 7 hashes.txt ?1?1 dictionaries/rockyou.txt
hashcat -m 8600 -a 7 hashes.txt ?d?d?d dictionaries/rockyou.txt
hashcat -m 8600 -a 7 hashes.txt ?a dictionaries/hk_hlm_founds.txt

[APACHE] Password Protect a Directory with htaccess

If you like to password protect a directory on your web server, just create a .htaccess file into such a directory and put the following code:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/directory/protect/.htpasswd
require valid-user

Then, generate the corresponding .htpasswd file by executing the following command:

/path/directory/protect$ htpasswd -c .htpasswd admin
New password:
Re-type new password:
Adding password for user admin

Reload your web directory and enter the credentials you’ve just chosen.