How Jeroen Zomer sees IT

unstash in Java

March 8th, 2009 Posted in work

It has been ten years (since 1999) since the (in)famous unstash script came out. It was a cryptic PERL script that could read IBM’s stash files and deliver you the ‘encrypted’ password.

I was in need of the script, as I lost a password from a cryptographic key database and got stuck as I had no PERL installed. So I decided to create a Java version of this script, because Java is always available when you are installing most IBM products. You may use it to your liking.

For an explanation of how it works and a link to download the jar file, please read on!

IBM uses iKeyman or GSKIT to create a key database (keyDB) for storing security certificates, which you need to run SSL-enabled protocols. These keyDBs need to be read by machines while starting the actual processes. You can either do that by giving the application the password of the KeyDB or by creating a so-called stashfile, which is not human readable but stores the password. IBM uses this mechanism for WebSphere products, Tivoli Access Manager components like WebSEAL, and IBM HTTP Server.

So if you want to open up a keyDB, you’ll need the password. And the easiest way of obtaining it is by reversing the storage method of the stashfile.

Since 1999 (!) a PERL script has existed that does exactly that. The original script is this:


#!/usr/bin/perl -w
#
# unstash.pl - "decrypt" IBM HTTP server stash files. No, really. They *are* this pathetic.
#
# sploit (BoByRiTe) 1999, Major Malfunction, code by Ben Laurie, cos I dudn't dud perly thing.

use strict;

die "Usage: $0 \n" if $#ARGV != 0;

my $file=$ARGV[0];

open(F,$file) || die "Can't open $file: $!";

my $stash;
read F,$stash,1024;

my @unstash=map { $_^0xf5 } unpack("C*",$stash);

foreach my $c (@unstash) {
    last if $c eq 0;
    printf "%c",$c;
}
printf "\n";

This piece of code has puzzled me for quite a while, because it is pretty cryptic. It is even more cryptic if you do not know PERL.

What it does is actually quite simple:

  • read the stash file byte by byte, until you encounter 0 (zero)
  • display the read byte, after XORing it with 0xF5 (or 245 in decimal), by printing the corresponding ASCII character
  • This is your ‘stashed’ password

It is as pathetic as that. Stash files are a security problem. So be very careful when storing them.
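Because anyone who can read the stash file can recover the password, it is worth checking who can read it. The sketch below is an added example, not the source of unstash.jar and not IBM code: it builds a constructed stash file using only the XOR-0xF5 scheme of the Perl script above (which tests for zero after the XOR), then reports whether group or other users can read it. The class and method names are hypothetical, and it assumes Java 7 or later on a POSIX filesystem.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

// Added example; StashAudit, decode, encode and audit are hypothetical names.
public class StashAudit {
    static final int KEY = 0xF5; // XOR constant taken from the Perl script

    // XOR each byte with 0xF5; stop at the first byte that decodes to zero.
    static String decode(byte[] stash) {
        StringBuilder sb = new StringBuilder();
        for (byte b : stash) {
            int c = (b & 0xFF) ^ KEY;
            if (c == 0) break;
            sb.append((char) c);
        }
        return sb.toString();
    }

    // Builds constructed test data only: same XOR, followed by an encoded zero.
    static byte[] encode(String password) {
        byte[] plain = password.getBytes(StandardCharsets.ISO_8859_1);
        byte[] out = new byte[plain.length + 1];
        for (int i = 0; i < plain.length; i++) out[i] = (byte) (plain[i] ^ KEY);
        out[plain.length] = (byte) KEY; // 0 ^ 0xF5 terminates the password
        return out;
    }

    // Reports exposure of a stash file; the password itself is never printed.
    static String audit(Path sth) throws IOException {
        int len = decode(Files.readAllBytes(sth)).length();
        Set<PosixFilePermission> p = Files.getPosixFilePermissions(sth);
        boolean exposed = p.contains(PosixFilePermission.GROUP_READ)
                || p.contains(PosixFilePermission.OTHERS_READ);
        return sth + ": " + len + "-character password is recoverable, file is "
                + (exposed ? "READABLE by group/other" : "owner-only");
    }

    public static void main(String[] args) throws IOException {
        Path f = Files.createTempFile("constructed", ".sth"); // sample file
        Files.write(f, encode("s3cret-example"));             // constructed value
        for (String mode : new String[] {"rw-r--r--", "rw-------"}) {
            Files.setPosixFilePermissions(f, PosixFilePermissions.fromString(mode));
            System.out.println(audit(f));
        }
        Files.delete(f);
    }
}
```

Pointing audit() at the real .sth files next to your keyDBs shows which of them are readable beyond the owning service account.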

I have rewritten this in Java, which you can download. (update: now compiled with Java 1.4)

The usage is
java -jar unstash.jar <stashfile>.sth

Please let me know if it works for you!

  1. 7 Responses to “unstash in Java”

  2. By Mike on May 23, 2009

    Hi, nice posts there :-) thanks for the interesting information

  3. By Aar Emm on Aug 26, 2009

    Thanks for the pretty nice analysis. However, when we try to use the JAR file, we get the following error. Our Java version is 1.5, on AIX 5.3 system; Please advise.

    HostXYZ:/home/userX>> java -jar unstash.jar keyfile.sth
    class cannot be loaded: java.lang.UnsupportedClassVersionError: (nl/axxiu/Unsta sh) bad major version at offset=6 – java.lang.UnsupportedClassVersionError: (nl /axxius/Unstash) bad major version at offset=6

  4. By jzomer on Aug 27, 2009

    I think I compiled it with Java 1.6.0_07 on Windows. I can provide you with a 1.5 version if you want to. Perhaps I need to add the source to it as well ;-)

  5. By Aar Emm on Aug 27, 2009

    Please email me a version 1.5 JAR file, if possible. Thanks for publishing the details about the intricate logic of this neat important tool.

  6. By jzomer on Sep 9, 2009

    I updated the file. It is now compiled with JDK 1.4 so more compatible. Sorry for the delay. I hope it is still useful.

  7. By Aar Emm on Oct 3, 2009

    No problem. Yeah, the updated JAR file now unstashes the passwds like a song. Thanks much.

  8. By Sorina Mocanu on Dec 30, 2009

    thanx great help
