Date: Fri, 28 Nov 2014 15:21:43 -0300
From: Nahuel Grisolia <>
Subject: Re: Palo Alto Networks Web Admin Console "phash"


> On Nov 27, 2014, at 8:08 PM, magnum <> wrote:
> On 2014-11-27 22:37, Nahuel Grisolia wrote:
>> Hi all! Hope you're doing well!
>> I'm playing with a Palo Alto Networks device, and noticed that, at least for the Web Console, it uses a "phash" type of hash algorithm.
>> I'm using JtR Bleeding Jumbo and it recognizes the hash as an AIX-smd5, AIX LPA, modified crypt-md5. However, as I know the password, I tried it with a dictionary with my password in there, but it didn't crack it, thus I believe that the format is not correct.
>> Any thoughts? Have you ever tried to crack this type of passwords?
> We can probably work it out. Please supply an example hash with a known plain for us to work with. If applicable, please supply at least two hashes with same password but different user names.

Well, let me explain the situation a little bit more.

This "phash" is not the way they are storing users' passwords in the DB (I can't tell because I can't access the DB).

This is where I obtained the phash: when using a "read-only" user, if you browse to "See Admin Users", you'll see these hashes within the JSON response... But they actually change every time you log out and log in again... so I don't think it's related directly to the user and nothing else.

Anyone here with access to this box to test? I can't do a lot of tests, sorry. I'll try and let you know in that case. Perhaps, Palo Alto has some Test device facing the Internet...


> magnum

