(Pen-test/Sectools, only bother sending this through if you allow the original.) > Tool to crack Base64 passwords - could not find anything similar on the > Internet. 'Crack'? Base64 is an encoding algorithm, just like uuencode. It's not encryption. It's supposed to be easily reversable. I find it hard to believe this person "could not find anything similar on the Internet". What he's using is MIME::Base64 from perl's CPAN. This is command-line stuff. $ perl -MMIME::Base64 -le 'print decode_base64("dGVzdDpwYXNzd29yZA==")' test:password For gods sake, I have this as an alias in my .bashrc. Perhaps the reason there aren't any tools out there listed to 'crack' this is because it isn't a crack, and no one bothers trying to market their genius in 'use module; call subroutine' > While pen testing and looking around for something to crack a Base64 > encoded password I could not find much in the way of a simple script, > so I decided to right a Perl script myself... No, you took the work of Gisle Aas, MIME::Base64, and put it in a perl script and slapped a few print statements on it. > Many weak security mechanisms rely on base64 encoding scheme. IIS server > is one such example, from the below example we see IIS Basic > authenication in action on a GET request: This is HTTP basic authorization, it's not IIS specific. It's not used for security, it's used to make sure that the password, regardless of ugly characters, is able to be represented in a portable form. (For a very vague description, Base64 takes input and turns it into ASCII printable output.) This is why you should only use it over HTTPS if you don't want your password getting out. > Enjoy and please send comments... Hope you receive lots of fame and fortune. -- Brian Hatch You have that vacant Systems and look in your eyes that Security Engineer says "Hold your ear up http://www.ifokr.org/bri/ to my head and you will hear the sea" Every message PGP signed
This archive was generated by hypermail 2b30 : Wed Nov 13 2002 - 02:24:11 PST