### Auditing Openfire hashes with JtR

This document describes the process to audit Openfire hashes.


#### Extract the hashes from the database

The various database schemas are described at the following link:

https://github.com/igniterealtime/Openfire/tree/master/src/database

For modern Openfire versions (4.x.y) using SCRAM hashing, the columns named
`username`, `storedKey`, `serverKey` (unused), `salt` and `iterations` need to
be extracted from the `ofUser` table in the database. Here is what the `ofUser`
table looks like:


```
CREATE TABLE ofUser (
  username VARCHAR(64),
  storedKey VARCHAR(32),
  serverKey VARCHAR(32),
  salt VARCHAR(32),
  iterations INTEGER,
  plainPassword VARCHAR(32),
  encryptedPassword VARCHAR(255),
....
```

For older Openfire versions (3.x.y), the columns `username` and
`encryptedPassword` need to be extracted. Note that there is no cracking /
brute-forcing involved in this case.

```
CREATE TABLE ofUser (
  username VARCHAR(64),
  plainPassword VARCHAR(32),
  encryptedPassword VARCHAR(255),
....
```

The `encryptedPassword` value is the password encrypted with Blowfish/AES. The
encryption key can be recovered from the database by running the
`SELECT propValue FROM ofProperty WHERE name = 'passwordKey'` query. See
`AuthFactory.java` and `Blowfish.java` in the Openfire source code for more
details.


Openfire can also use various other hashing schemes. See `JDBCAuthProvider.java`
and `passwordType` in the Openfire source code for more details. The `dynamic
compiler` feature of JtR can be quite useful when dealing with "chained hashes"
in Openfire.


#### Format the hashes

The hash format is `username:$xmpp-scram$0$iterations$length(salt)$salt-in-hex$storedKey-in-hex` when SCRAM
hashing is being used by Openfire.

For a database row with the data `('lulu','ruklR2KyOjlQ/XyAPKq19mVFh8g=','SUHs97B/HZJpfatHts1tVI3ALII=','vBvWY4oSMf/VT2CJg0JerPcp2EVaRpGX',4096)`, the corresponding hash is:

`lulu:$xmpp-scram$0$4096$24$bc1bd6638a1231ffd54f608983425eacf729d8455a469197$aee9254762b23a3950fd7c....`

Note: The `salt` and `storedKey` values need to be Base64 decoded first.


#### Crack the hashes with JtR

```
$ cat hashes
lulu:$xmpp-scram$0$4096$24$bc1bd6638a1231ffd54f608983425eacf729d8455a469197$aee9254762b23a3950fd7c803caab5f6654587c8
```

```
$ ../run/john hashes
Loaded 1 password hash (xmpp-scram [XMPP SCRAM PBKDF2-SHA1 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
openwall123      (lulu)
```
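
The conversion described under "Format the hashes", as an added example that is not part of the original document or of JtR: it Base64-decodes `salt` and `storedKey` from an exported `ofUser` listing and emits `$xmpp-scram$` lines. The CSV column layout, the function names and the 20-byte `storedKey` check are assumptions; the first sample row is the row shown above and the other two are constructed.

```python
import base64
import csv
import io

def scram_row_to_jtr(username, stored_key_b64, salt_b64, iterations):
    """Build one xmpp-scram line from ofUser column values (Base64 as stored)."""
    salt = base64.b64decode(salt_b64, validate=True)
    stored_key = base64.b64decode(stored_key_b64, validate=True)
    if len(stored_key) != 20:  # assumption: SHA-1 sized key, as in the example row
        raise ValueError(f"{username}: storedKey is {len(stored_key)} bytes, expected 20")
    return "{}:$xmpp-scram$0${}${}${}${}".format(
        username, int(iterations), len(salt), salt.hex(), stored_key.hex())

def convert_export(csv_text):
    """Convert a CSV export (assumed header: username,storedKey,salt,iterations).

    Returns (hash_lines, skipped_usernames). Rows without SCRAM data, such as
    accounts that only carry encryptedPassword, are skipped rather than guessed at.
    """
    lines, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not (row["storedKey"] and row["salt"] and row["iterations"]):
            skipped.append(row["username"])
            continue
        try:
            lines.append(scram_row_to_jtr(row["username"], row["storedKey"],
                                          row["salt"], row["iterations"]))
        except ValueError:  # bad Base64, non-numeric iterations, wrong key size
            skipped.append(row["username"])
    return lines, skipped

# Constructed sample export: the first row is the example row from this
# document, the other two are made up to exercise the skip paths.
SAMPLE_EXPORT = """username,storedKey,salt,iterations
lulu,ruklR2KyOjlQ/XyAPKq19mVFh8g=,vBvWY4oSMf/VT2CJg0JerPcp2EVaRpGX,4096
legacy,,,
broken,not-base64!,vBvWY4oSMf/VT2CJg0JerPcp2EVaRpGX,4096
"""

if __name__ == "__main__":
    hashes, skipped = convert_export(SAMPLE_EXPORT)
    print("\n".join(hashes))
    print("skipped:", ", ".join(skipped))
```

Rows reported as skipped need a manual look before the audit is considered complete, since they are not covered by the resulting `hashes` file.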