Splunk Password Hashing
Splunk is used in security analytics, and uses SHA-512 hashed passwords for users. In this case we will generate a Splunk password hash for a given salt value and password.
Splunk is a great tool. Under the hood it operates like a Linux-type environment (even on a Windows OS). Each user is stored in the passwd file in the /etc folder. I had a look, and found that the following entry was created for the user named "csn01":
:csn01:$6$Uk8SVGLsBuSmD75R$Lhp5yjwRUAM.LbH5IIthZ1u0bAUdJwBvvccBshAvpFPiRn62EYeiKOaP8xh97aV4UaNfVykRZhUy/3ZOZd1oc.:::user::::18161
So what is the method used for hashing the password? Well, we split the hashed password into three main groups (separated by the "$" symbol):
6 Uk8SVGLsBuSmD75R Lhp5yjwRUAM.LbH5IIthZ1u0bAUdJwBvvccBshAvpFPiRn62EYeiKOaP8xh97aV4UaNfVykRZhUy/3ZOZd1oc.
Here "6" is the hashing method (SHA-512), "Uk8SVGLsBuSmD75R" is the salt value, and "Lhp5yjwRUA..d1oc." is the hashed version. When the user logs into Splunk, their password will be added to the salt value, and the same hashed version should be created. Well, the "$6" part identifies that it is SHA-512, but when I try to hash with SHA-512, it gives the wrong hashed value. The answer lies in slowing the hashing process down by performing a number of rounds. For this, 5000 rounds works to give the right result, and so here is the Python code:
import sys
import passlib.hash

password = "qwerty123"
salt = "Uk8SVGLsBuSmD75R"
# csn01:$6$Uk8SVGLsBuSmD75R$ Lhp5yjwRUAM.LbH5IIth
user = "fred"

# Optional command-line arguments: user, password, salt
if len(sys.argv) > 1:
    user = sys.argv[1]
if len(sys.argv) > 2:
    password = sys.argv[2]
if len(sys.argv) > 3:
    salt = sys.argv[3]

# sha512_crypt with 5000 rounds; at this value the hash string carries no "rounds=" field
h = passlib.hash.sha512_crypt.using(salt=salt, rounds=5000).hash(password)
entry = user + ":" + h
print(entry)
A sample run:
===Splunk hashed password===
User: Fred
Password: qwerty123
Salt: Uk8SVGLsBuSmD75R
===Hashed password
Fred:$6$Uk8SVGLsBuSmD75R$Lhp5yjwRUAM.LbH5IIthZ1u0bAUdJwBvvccBshAvpFPiRn62EYeiKOaP8xh97aV4UaNfVykRZhUy/3ZOZd1oc.
This matches the Splunk entry. With hashcat, the default is also 5000 rounds.
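The following added example (not the original page's code, and not Splunk's own) implements the sha512crypt scheme behind "$6$" using only hashlib, which shows why a single SHA-512 pass over salt and password gives the wrong value, and then checks a password against the passwd entry shown above. The names sha512_crypt and verify_entry are illustrative, and it assumes any rounds= value in an entry lies within the scheme's permitted range.

```python
import hashlib
import hmac

# Added example; function names are illustrative, not Splunk or passlib APIs.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sha512_crypt(password, salt, rounds=5000):
    """sha512crypt ("$6$") built from hashlib.sha512 alone."""
    pw, sl = password.encode(), salt.encode()[:16]
    sha = lambda data: hashlib.sha512(data).digest()
    fit = lambda d, n: (d * (n // 64 + 1))[:n]  # repeat digest d out to n bytes
    b = sha(pw + sl + pw)
    a, n = pw + sl + fit(b, len(pw)), len(pw)
    while n:  # one block per bit of the password length
        a += b if n & 1 else pw
        n >>= 1
    a = sha(a)
    p = fit(sha(pw * len(pw)), len(pw))  # password-derived sequence P
    s = fit(sha(sl * (16 + a[0])), len(sl))  # salt-derived sequence S
    for i in range(rounds):  # the deliberate slow-down
        c = p if i & 1 else a
        if i % 3:
            c += s
        if i % 7:
            c += p
        a = sha(c + (a if i & 1 else p))
    out, (x, y, z) = [], (0, 21, 42)  # crypt's permuted base64 encoding
    for _ in range(21):
        w = a[x] << 16 | a[y] << 8 | a[z]
        out += [B64[w >> k & 63] for k in (0, 6, 12, 18)]
        x, y, z = y + 1, z + 1, x + 1
    out += [B64[a[63] & 63], B64[a[63] >> 6]]
    tag = "" if rounds == 5000 else "rounds=%d$" % rounds
    return "$6$" + tag + sl.decode() + "$" + "".join(out)

def verify_entry(passwd_line, candidate):
    """Recompute the hash for candidate and compare it with a passwd line."""
    parts = passwd_line.split(":")[2].split("$")  # '', '6', [rounds=N], salt, digest
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a sha512crypt entry")
    rounds = 5000  # implied when the entry has no rounds= field
    if parts[2].startswith("rounds="):
        rounds = int(parts.pop(2)[7:])
    computed = sha512_crypt(candidate, parts[2], rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(computed, parts[-1])

ENTRY = ":csn01:$6$Uk8SVGLsBuSmD75R$Lhp5yjwRUAM.LbH5IIthZ1u0bAUdJwBvvccBshAvpFPiRn62EYeiKOaP8xh97aV4UaNfVykRZhUy/3ZOZd1oc.:::user::::18161"  # entry shown on this page

if __name__ == "__main__":
    print(verify_entry(ENTRY, "qwerty123"))
```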
If we now use Hashcat on the hashed version, we should be able to discover the original password:
root@kali:~# hashcat -m 1800 1.txt -a 0 /usr/share/wordlists/rockyou.txt
Initializing hashcat v0.49 with 1 threads and 32mb segment-size...
Added hashes from file 1.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt
NOTE: press enter for status-screen
$6$Uk8SVGLsBuSmD75R$Lhp5yjwRUAM.LbH5IIthZ1u0bAUdJwBvvccBshAvpFPiRn62EYeiKOaP8xh97aV4UaNfVykRZhUy/3ZOZd1oc.:qwerty123
All hashes have been recovered
Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3627172 (words), 33550339 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 461 words
Progress..: 2172/3627172 (0.06%)
Running...: 00:00:00:05
Estimated.: 00:02:11:03
In this case we use the rockyou.txt list of common passwords, and it only takes five seconds to find the password. The advantage of using SHA-512 with a number of rounds is highlighted when we run a benchmark:
root@kali:~# hashcat -b -m 1800
Initializing hashcat v0.49 with 1 threads and 32mb segment-size...
Device...........: Intel(R) Core(TM) i7-8850H CPU 2.60GHz
Instruction set..: x86_64
Number of threads: 1
Hash type: sha512crypt, SHA512(Unix)
Speed/sec: 454 words
root@kali:~# hashcat -b -m 0
Initializing hashcat v0.49 with 1 threads and 32mb segment-size...
Device: Intel(R) Core(TM) i7-8850H CPU 2.60GHz
Instruction set..: x86_64
Number of threads: 1
Hash type: MD5
Speed/sec: 17.33M words
In this benchmark, hashcat can process 454 words per second with SHA512crypt and over 17 million per second with MD5.