def test_pbkdf2_password(self):
brahms_hashed_pw = ('{PKCS5S2}TGF1K1olIoY5a4HHy89R+LcT8E/V5P+'
'u92L0ClePbhzqWikJUGmS0lyHSibsj4th')
brahms_pw = 'brahms123'
res = atlassian_pbkdf2_sha1.verify(brahms_pw, brahms_hashed_pw)
assert res
hash_type, _sep, hash_value = brahms_hashed_pw.partition('}')
hash_type = hash_type.strip('{')
res = _check_hash_type(brahms_pw, hash_type, hash_value)
assert res
wrong_hash_type = 'OKCS5S2'
res = _check_hash_type(brahms_pw, wrong_hash_type, hash_value)
assert res == False
wrong_hash_value = hash_value.replace('+', '-')
res = _check_hash_type(brahms_pw, hash_type, wrong_hash_value)
assert res == False
wrong_hash_value = hash_value.replace('G', 'Q')
res = _check_hash_type(brahms_pw, hash_type, wrong_hash_value)
assert res == False
def testHash(p,h):
global Found
try:
test = atlassian_pbkdf2_sha1.verify(p, h)
if (test == True):
print '[+] Password Found: ' + p
Found = True
exit(0)
elif (test == False):
lock.release()
except (KeyboardInterrupt):
print '[!] Exception / User cancelled!'
def test_pbkdf2_password(self):
brahms_hashed_pw = ("{PKCS5S2}TGF1K1olIoY5a4HHy89R+LcT8E/V5P+"
"u92L0ClePbhzqWikJUGmS0lyHSibsj4th==")
brahms_pw = "brahms123"
res = atlassian_pbkdf2_sha1.verify(brahms_pw, brahms_hashed_pw)
assert res
res = check_password(brahms_pw, brahms_hashed_pw)
assert res
wrong_brahms_hashed_pw = brahms_hashed_pw.replace("PKCS5S2", "OKCS5S2")
res = check_password(brahms_pw, wrong_brahms_hashed_pw)
assert not res
wrong_brahms_hashed_pw = brahms_hashed_pw.replace("+", "-")
res = check_password(brahms_pw, wrong_brahms_hashed_pw)
assert not res
wrong_brahms_hashed_pw = brahms_hashed_pw.replace("G", "Q")
res = check_password(brahms_pw, wrong_brahms_hashed_pw)
assert not res
def test_pbkdf2_password(self):
brahms_hashed_pw = ('{PKCS5S2}TGF1K1olIoY5a4HHy89R+LcT8E/V5P+'
'u92L0ClePbhzqWikJUGmS0lyHSibsj4th==')
brahms_pw = 'brahms123'
res = atlassian_pbkdf2_sha1.verify(brahms_pw, brahms_hashed_pw)
assert res
res = check_password(brahms_pw, brahms_hashed_pw)
assert res
wrong_brahms_hashed_pw = brahms_hashed_pw.replace('PKCS5S2', 'OKCS5S2')
res = check_password(brahms_pw, wrong_brahms_hashed_pw)
assert res == False
wrong_brahms_hashed_pw = brahms_hashed_pw.replace('+', '-')
res = check_password(brahms_pw, wrong_brahms_hashed_pw)
assert res == False
wrong_brahms_hashed_pw = brahms_hashed_pw.replace('G', 'Q')
res = check_password(brahms_pw, wrong_brahms_hashed_pw)
assert res == False
def test_sqlresolver_passwords(self):
"""
test that we can use pbkdf2 and bcrypt passwords with an sql resolver
"""
users = {}
# ------------------------------------------------------------------ --
# create the User schema
self.createUserTable()
# ------------------------------------------------------------------ --
# add users
bach_password = "******"
bach_password_hash = ('{PKCS5S2}ZYIjvFLd99ldgx5b7sqOlDCKNt31'
'UBX9HQKxTZwU50WfuZlWTNG5qBsCsFUMWwxC')
users['bach'] = {
'login': '******',
'uid': '21.3.1685',
'telephonenumber': '',
'mobile': bach_password,
'surname': 'Bach',
'givenname': 'Johann Sebastian',
'password': bach_password_hash,
'mail': '*****@*****.**'
}
assert atlassian_pbkdf2_sha1.verify(bach_password, bach_password_hash)
self.addUser(**users['bach'])
# ------------------------------------------------------------------ --
chopin_password = "******"
chopin_password_hash = atlassian_pbkdf2_sha1.hash(chopin_password)
users['chopin'] = {
'login': '******',
'uid': '22.10.1849',
'telephonenumber': '',
'mobile': chopin_password,
'surname': 'Chopin',
'givenname': 'Fryderyk Franciszek',
'password': chopin_password_hash,
'mail': '*****@*****.**'
}
assert atlassian_pbkdf2_sha1.verify(chopin_password,
chopin_password_hash)
self.addUser(**users['chopin'])
# ------------------------------------------------------------------ --
brahms_password = '******'
brahms_password_hash = ('$2a$12$NT0I31Sa7ihGEWpka9ASYrEFk'
'huTNeBQ2xfZskIiiJeyFXhRgS.Sy')
users['brahms'] = {
'login': '******',
'uid': '7.5.1833',
'telephonenumber': '',
'mobile': brahms_password,
'surname': 'Brahms',
'givenname': 'Johannes',
'password': brahms_password_hash,
'mail': '*****@*****.**'
}
assert passlib_bcrypt.verify(brahms_password, brahms_password_hash)
self.addUser(**users['brahms'])
# ------------------------------------------------------------------ --
mozart_password = '******'
mozart_password_hash = passlib_bcrypt.hash(mozart_password)
users['mozart'] = {
'login': '******',
'uid': '27.1.1756',
'telephonenumber': '',
'mobile': mozart_password,
'surname': 'Mozart',
'givenname': 'Wolfgang Amadeus',
'password': mozart_password_hash,
'mail': '*****@*****.**'
}
assert passlib_bcrypt.verify(mozart_password, mozart_password_hash)
self.addUser(**users['mozart'])
# ------------------------------------------------------------------ --
schubert_password = '******'
schubert_password_hash = '$P$8ohUJ.1sdFw09/bMaAQPTGDNi2BIUt1'
users['schubert'] = {
'login': '******',
'uid': '31.1.1797',
'telephonenumber': '',
'mobile': schubert_password,
'surname': 'Schubert',
'givenname': 'Franz Peter',
'password': schubert_password_hash,
'mail': '*****@*****.**'
}
assert passlib_phpass.verify(schubert_password, schubert_password_hash)
self.addUser(**users['schubert'])
# ------------------------------------------------------------------ --
mendelssohn_password = '******'
mendelssohn_password_hash = passlib_phpass.hash(mendelssohn_password)
users['mendelssohn'] = {
'login': '******',
'uid': '31.2.1809',
'telephonenumber': '',
'mobile': mendelssohn_password,
'surname': 'Mendelssohn',
'givenname': 'Jakob Ludwig',
'password': mendelssohn_password_hash,
'mail': '*****@*****.**'
}
assert passlib_phpass.verify(mendelssohn_password,
mendelssohn_password_hash)
self.addUser(**users['mendelssohn'])
# ------------------------------------------------------------- --
# define resolver and realm
realm = 'sqlRealm'
self.addSqlResolver('my_sql_users')
self.addSqlRealm(realm, 'my_sql_users', defaultRealm=True)
# ------------------------------------------------------------- --
# run the pbkdf2 atlasian test with user bach
user = users['bach']['login']
password = users['bach']['mobile']
self.run_password_check(user, password, realm=realm)
# run the pbkdf2 atlasian test with user chopin
user = users['chopin']['login']
password = users['chopin']['mobile']
self.run_password_check(user, password, realm=realm)
# run the bcrypt test with user brahms
user = users['brahms']['login']
password = users['brahms']['mobile']
self.run_password_check(user, password, realm=realm)
# run the bcrypt test with user mozart
user = users['mozart']['login']
password = users['mozart']['mobile']
self.run_password_check(user, password, realm=realm)
# run the php test with user schubert
user = users['schubert']['login']
password = users['schubert']['mobile']
self.run_password_check(user, password, realm=realm)
# run the php test with user mendelssohn
user = users['mendelssohn']['login']
password = users['mendelssohn']['mobile']
self.run_password_check(user, password, realm=realm)
return
def _check_hash_type(password, hash_type, hash_value, salt=None):
'''
Checks, if the password matches the given hash.
:param password: The user password in clear text
:type password: string
:param hash_type: possible values are sha, ssha, sha256, ssha256
:type hash_type: string
:param hash_value: The hash value, base64 encoded
:type hash_value: string
:return: True or False
'''
log.debug("[_check_hash_type] hash type %r, hash_value %r" %
(hash_type, hash_value))
res = False
if hash_type.lower() == "sha":
hash_type = "sha1"
if hash_type.lower() == "ssha":
hash_type = "ssha1"
if (hash_type.lower()[0:3] == "sha"):
log.debug("[_check_hash_type] found a non-salted hash.")
try:
H = hashlib.new(hash_type)
H.update(password)
hashed_password = base64.b64encode(H.digest())
res = (hashed_password == hash_value)
except ValueError:
log.exception("[_check_hash_type] Unsupported Hash type: %r",
hash_type)
elif (hash_type.lower()[0:4] == "ssha"):
log.debug("[_check_hash_type] found a salted hash.")
try:
new_hash_type = hash_type[1:]
# decode the base64 hash value to binary
bin_value = base64.b64decode(hash_value)
H = hashlib.new(new_hash_type)
hash_len = H.digest_size
# Carefully check for ASP.NET format (salt separated from hash)
if salt and len(bin_value) == hash_len:
# Salt separated from hash - probably ASP.NET format
# For ASP.NET the format is 'hash(salt + password)' with
# 'password' being a UTF-16 little-endian string
bin_hash = bin_value
password = password.encode('utf-16-le')
bin_salt = base64.b64decode(salt)
H.update(bin_salt + password)
else:
# split the hashed password from the binary salt
bin_hash = bin_value[:hash_len]
bin_salt = bin_value[hash_len:]
H.update(password + bin_salt)
bin_hashed_password = H.digest()
res = (bin_hashed_password == bin_hash)
except ValueError:
log.exception("[_check_hash_type] Unsupported Hash type: %r",
hash_type)
elif hash_type == 'PKCS5S2':
# ------------------------------------------------------------------ --
# support the atlasion pkdf sha1 password hashes
# s. https://passlib.readthedocs.io/en/stable/lib/\
# passlib.hash.atlassian_pbkdf2_sha1.html
try:
pw_hash = "{%s}%s" % (hash_type, hash_value)
return atlassian_pbkdf2_sha1.verify(password, pw_hash)
except TypeError as exx:
# raised for example if the padding of the hash of the
# sql entry is broken
log.exception("problem checking atlassian_pbkdf2_sha1")
return False
except Exception as exx:
log.exception("unknown problem checking atlassian_pbkdf2_sha1")
raise exx
return res
def test_sqlresolver_passwords(self):
"""
test that we can use pbkdf2 and bcrypt passwords with an sql resolver
"""
users = {}
# ------------------------------------------------------------------ --
# create the User schema
self.createUserTable()
# ------------------------------------------------------------------ --
# add users
bach_password = "******"
bach_password_hash = ("{PKCS5S2}ZYIjvFLd99ldgx5b7sqOlDCKNt31"
"UBX9HQKxTZwU50WfuZlWTNG5qBsCsFUMWwxC")
users["bach"] = {
"login": "******",
"uid": "21.3.1685",
"telephonenumber": "",
"mobile": bach_password,
"surname": "Bach",
"givenname": "Johann Sebastian",
"password": bach_password_hash,
"mail": "*****@*****.**",
}
assert atlassian_pbkdf2_sha1.verify(bach_password, bach_password_hash)
self.addUser(**users["bach"])
# ------------------------------------------------------------------ --
chopin_password = "******"
chopin_password_hash = atlassian_pbkdf2_sha1.hash(chopin_password)
users["chopin"] = {
"login": "******",
"uid": "22.10.1849",
"telephonenumber": "",
"mobile": chopin_password,
"surname": "Chopin",
"givenname": "Fryderyk Franciszek",
"password": chopin_password_hash,
"mail": "*****@*****.**",
}
assert atlassian_pbkdf2_sha1.verify(chopin_password,
chopin_password_hash)
self.addUser(**users["chopin"])
# ------------------------------------------------------------------ --
brahms_password = "******"
brahms_password_hash = (
"$2a$12$NT0I31Sa7ihGEWpka9ASYrEFkhuTNeBQ2xfZskIiiJeyFXhRgS.Sy")
users["brahms"] = {
"login": "******",
"uid": "7.5.1833",
"telephonenumber": "",
"mobile": brahms_password,
"surname": "Brahms",
"givenname": "Johannes",
"password": brahms_password_hash,
"mail": "*****@*****.**",
}
assert passlib_bcrypt.verify(brahms_password, brahms_password_hash)
self.addUser(**users["brahms"])
# ------------------------------------------------------------------ --
mozart_password = "******"
mozart_password_hash = passlib_bcrypt.hash(mozart_password)
users["mozart"] = {
"login": "******",
"uid": "27.1.1756",
"telephonenumber": "",
"mobile": mozart_password,
"surname": "Mozart",
"givenname": "Wolfgang Amadeus",
"password": mozart_password_hash,
"mail": "*****@*****.**",
}
assert passlib_bcrypt.verify(mozart_password, mozart_password_hash)
self.addUser(**users["mozart"])
# ------------------------------------------------------------------ --
schubert_password = "******"
schubert_password_hash = "$P$8ohUJ.1sdFw09/bMaAQPTGDNi2BIUt1"
users["schubert"] = {
"login": "******",
"uid": "31.1.1797",
"telephonenumber": "",
"mobile": schubert_password,
"surname": "Schubert",
"givenname": "Franz Peter",
"password": schubert_password_hash,
"mail": "*****@*****.**",
}
assert passlib_phpass.verify(schubert_password, schubert_password_hash)
self.addUser(**users["schubert"])
# ------------------------------------------------------------------ --
mendelssohn_password = "******"
mendelssohn_password_hash = passlib_phpass.hash(mendelssohn_password)
users["mendelssohn"] = {
"login": "******",
"uid": "31.2.1809",
"telephonenumber": "",
"mobile": mendelssohn_password,
"surname": "Mendelssohn",
"givenname": "Jakob Ludwig",
"password": mendelssohn_password_hash,
"mail": "*****@*****.**",
}
assert passlib_phpass.verify(mendelssohn_password,
mendelssohn_password_hash)
self.addUser(**users["mendelssohn"])
# ------------------------------------------------------------- --
# define resolver and realm
realm = "sqlRealm"
self.addSqlResolver("my_sql_users")
self.addSqlRealm(realm, "my_sql_users", defaultRealm=True)
# ------------------------------------------------------------- --
# run the pbkdf2 atlasian test with user bach
user = users["bach"]["login"]
password = users["bach"]["mobile"]
self.run_password_check(user, password, realm=realm)
# run the pbkdf2 atlasian test with user chopin
user = users["chopin"]["login"]
password = users["chopin"]["mobile"]
self.run_password_check(user, password, realm=realm)
# run the bcrypt test with user brahms
user = users["brahms"]["login"]
password = users["brahms"]["mobile"]
self.run_password_check(user, password, realm=realm)
# run the bcrypt test with user mozart
user = users["mozart"]["login"]
password = users["mozart"]["mobile"]
self.run_password_check(user, password, realm=realm)
# run the php test with user schubert
user = users["schubert"]["login"]
password = users["schubert"]["mobile"]
self.run_password_check(user, password, realm=realm)
# run the php test with user mendelssohn
user = users["mendelssohn"]["login"]
password = users["mendelssohn"]["mobile"]
self.run_password_check(user, password, realm=realm)
return