I'm trying to automate the creation of several hundred employee hashed
passwords which will be used to restrict access to their own website pages.
Which algorithm is used in IIS 6.0 please to create password hashes, e.g.:
employee_0:d11b78f9bb0fce83b86f7aac71e3707c
I know the password that results in that particular hash, but trying several
algorithms fails to duplicate the hashed password:
$ for i in md5sum sha1sum sha224sum sha256sum sha384sum sha512sum
do
echo "${i}: "`echo 8PsaEWI8 | ${i}`
done
md5sum: f709113a08717a88c18d2680fba751ea -
sha1sum: 7ac3bfe99d9a77ff091d08d23ff574c820341588 -
sha224sum: 447ea810262257a35ce613b360282da4ad895d6d76bdd59498443343 -
sha256sum: f3f87c9d3031c997fd4d8273a5d57a6102d44423d1cfa50ceff41b20532a578c -
sha384sum: a22f90b62b7d793bc3099ec81b21c6c113aef01d174551cc30c35b937bf1ded27b5dd8c98be60bcf78261ba8ce1df71e -
sha512sum: 24cc04c2fed2061568f511ab3d818b46a996ca2a2217427a6a895bf561a78e355ab562aa4aaa6bc4826d86c98829640e4cb1b548a27c9d0599394de44983f0d5 -
David Wang - 06 Oct 2008 11:34 GMT
> I'm trying to automate the creation of several hundred employee hashed
> passwords which will be used to restrict access to their own website pages.
[quoted text clipped - 22 lines]
> 24cc04c2fed2061568f511ab3d818b46a996ca2a2217427a6a895bf561a78e355ab562aa4aaa
> 6bc4826d86c98829640e4cb1b548a27c9d0599394de44983f0d5 -
If you use a proper Administration API of IIS, you can put in the
clear-text password and IIS will hash it for you.
I'm guessing that you are trying to directly write the value into
metabase.xml. In that case -- I'm sorry, your choices are to either
reverse engineer a solution which will not be guaranteed to work on
future versions or even Windows updates, or use the proper API.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
.._.. - 06 Oct 2008 16:28 GMT
There's a free ISAPI filter that does that using text-based htaccess and
htpasswd files, called "Troxo IIS Password Manager".
With a bit of Perl or other text manipulation scripting (I made a batch
file) you could easily dump through their password creation program to hash
several hundred passwords to control access to HTTP with Basic
Authentication.
www.troxo.com (the DL no longer appears on the site)
http://www.iistools.com/en/iispassword.html (download here)(free)
> I'm trying to automate the creation of several hundred employee hashed
> passwords which will be used to restrict access to their own website
[quoted text clipped - 24 lines]
> 24cc04c2fed2061568f511ab3d818b46a996ca2a2217427a6a895bf561a78e355ab562aa4aaa
> 6bc4826d86c98829640e4cb1b548a27c9d0599394de44983f0d5 -
b.jeswine - 07 Oct 2008 02:12 GMT
> http://www.iistools.com/en/iispassword.html (download here)(free)
The software doesn't install unless IIS is on the machine, and I'm not
working on the web host machine. The results will be ftp'd to the web host
once I create the hashed password files.
I'm asking for what algorithm was used to create the hash, please.
.._.. - 07 Oct 2008 20:08 GMT
>> http://www.iistools.com/en/iispassword.html (download here)(free)
>
[quoted text clipped - 3 lines]
>
> I'm asking for what algorithm was used to create the hash, please.
Well if you don't want to read the manual then feel free to do what you
like.
I personally set up a system for my clients to make hashed passwords of
hundreds of accounts at a time, upload them via FTP to their enabled web
site all using a simple .bat file and an executable that comes with the
ISAPI install. So don't tell me it can't be done because I did it.
b.jeswine - 07 Oct 2008 20:31 GMT
>> The software doesn't install unless IIS is on the machine, and I'm
>> not working on the web host machine....
>
> Well if you don't want to read the manual then feel free to do what
> you like.
How does one read the manual if the software won't install?
Joshi, Umesh - 08 Oct 2008 23:39 GMT
B,
Consider combining the username, realm and password prior to performing the
hash function. I don't know your realm, but by just concatenating the
password and username, I was able to get "close"...
> I'm trying to automate the creation of several hundred employee hashed
> passwords which will be used to restrict access to their own website
[quoted text clipped - 24 lines]
> 24cc04c2fed2061568f511ab3d818b46a996ca2a2217427a6a895bf561a78e355ab562aa4aaa
> 6bc4826d86c98829640e4cb1b548a27c9d0599394de44983f0d5 -
b.jeswine - 09 Oct 2008 03:34 GMT
> Consider combining the username, realm and password prior to
> performing the hash function. I don't know your realm, but by just
> concatenating the password and username, I was able to get "close"...
Using which algorithm, please ... and what precisely do you mean by "close"?
Joshi, Umesh - 09 Oct 2008 09:13 GMT
Performing an MD5 on "8PsaEWI8employee_0"
>> Consider combining the username, realm and password prior to
>> performing the hash function. I don't know your realm, but by just
>> concatenating the password and username, I was able to get "close"...
>
> Using which algorithm, please ... and what precisely do you mean by "close"?
b.jeswine - 09 Oct 2008 21:55 GMT
[top-posting corrected to restore context]
>>> Consider combining the username, realm and password prior to
>>> performing the hash function. I don't know your realm, but by just
[quoted text clipped - 5 lines]
>
> Performing an MD5 on "8PsaEWI8employee_0"
It's not at all clear why that would be "close" just because the result has
the same number of hexadecimal digits.
I've tried every permutation (6 of them; N!=6, where N=3) of realm, username
and password and am unable to produce the hash using md5 or any other
algorithm available to us.
Apache uses a program called "htpasswd" to produce the hashes; surely IIS
has something similar?
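The trial-and-error discussed in the posts above (ordering username, realm and password before hashing), written out as an added example that is not part of any poster's message and is not IIS's documented algorithm. The function names and the realm "intranet" are assumptions made for illustration; the search also covers the trailing newline that `echo 8PsaEWI8 | md5sum` feeds to the hash, which the loop in the question did not account for.

```python
import hashlib
from itertools import permutations

ALGORITHMS = ("md5", "sha1", "sha256")
SEPARATORS = ("", ":")
# "\n" is what `echo 8PsaEWI8 | md5sum` really hashes: echo appends a newline.
SUFFIXES = ("", "\n", "\r\n")


def candidates(username, realm, password):
    """Yield (label, bytes) for each ordering of the fields that includes the password."""
    fields = {"user": username, "realm": realm, "pass": password}
    for n in (1, 2, 3):
        for names in permutations(fields, n):
            if "pass" not in names:
                continue
            for sep in (SEPARATORS if n > 1 else ("",)):
                for suffix in SUFFIXES:
                    text = sep.join(fields[k] for k in names) + suffix
                    label = (sep or "+").join(names)
                    if suffix:
                        label += " + " + repr(suffix)
                    yield label, text.encode("utf-8")


def identify(entry, realm, password):
    """Return [(algorithm, construction)] reproducing a 'user:hexdigest' entry."""
    username, _, target = entry.strip().partition(":")
    hits = []
    for label, data in candidates(username, realm, password):
        for algo in ALGORITHMS:
            if hashlib.new(algo, data).hexdigest() == target.lower():
                hits.append((algo, label))
    return hits


if __name__ == "__main__":
    realm = "intranet"  # constructed; the thread never states the real realm
    password = "8PsaEWI8"
    # Constructed entry in the username:realm:password form used by HTTP Digest.
    digest = hashlib.md5(f"employee_0:{realm}:{password}".encode()).hexdigest()
    print(identify("employee_0:" + digest, realm, password))
    # The entry quoted in the question, tested against the guessed realm.
    print(identify("employee_0:d11b78f9bb0fce83b86f7aac71e3707c", realm, password))
```

An empty result for the quoted entry only means none of these constructions matches with the guessed realm; it says nothing about which algorithm the server uses.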
David Wang - 10 Oct 2008 05:08 GMT
> In news:eUuyhbeKJHA.1156@TK2MSFTNGP04.phx.gbl,
> Joshi, Umesh <ujoshi(at)hotmail.com> typed:
[quoted text clipped - 20 lines]
> Apache uses a program called "htpasswd" to produce the hashes; surely IIS
> has something similar?
Sure. But I still do not understand why you need to know the algorithm
that IIS6 uses.
The correct way to set any secured Password in IIS is to use the IIS
Administration APIs, accessible via ADSI or WMI interfaces.
If you are trying to write the secured Password directly into
metabase.xml (so you need to know the hash algorithm) -- sorry, that
is not supported, so you'll have to figure it out.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//