unstash in Java

It has been ten years ago – 1999 – since the (in)famous unstash-script came out. It was a cryptic PERL script, which could read IBM’s stash files and deliver you the ‘encrypted’ password.

I was in need of the script, as I lost a password from a cryptocraphic key database and got stuck as I had no PERL installed. So I decided to create a Java-version of this script, because Java is always available when you are installing most IBM products. You may use it to your liking.

For an explanation how it works and a link to download the jar-file, please read on!

IBM uses iKeyman or GSKIT to create a key database (keyDB) for storing security certificates, which you need to run SSL-enabled protocols. These keyDBs need to be read by machines while starting the actual processes. You can either do that by giving the application the password of the KeyDB or by creating a so-called stashfile, which is not human readable but stores the password. IBM uses this mechanism for WebSphere products, Tivoli Access Manager components like WebSEAL, and IBM HTTP Server.

So if you want to open up a keyDB, you’ll need the password. And the easiest way of obtaining it is by reversing the storage method of the stashfile.

Since 1999 (!) a PERL script existed which did exactly that. The original script is this:

#!/usr/bin/perl -w
# unstash.pl - "decrypt" IBM HTTP server stash files. No, really. They *are* this pathetic.
# sploit (BoByRiTe) 1999, Major Malfunction, code by Ben Laurie, cos I dudn't dud perly thing.
use strict;
die "Usage: $0 \n" if $#ARGV != 0;
my $file=$ARGV[0];open(F,$file) || die "Can't open $file: $!";
my $stash;
read F,$stash,1024;
my @unstash=map { $_^0xf5 } unpack("C*",$stash);
foreach my $c (@unstash) {
  last if $c eq 0;
  printf "%c",$c;
}
printf "\n";

This piece of code has puzzled me for quite a while, because it is pretty cryptic. It is even more cryptic if you do not know PERL.

What it does is actually quite simple:

  • read the stash-file byte by byte, until you encounter 0 (zero)
  • display the read byte, after XORring it with 0xF5 (or 245 in decimals) and print out the according ASCII code.
  • This is your ‘stashed’ password

It is as pathetic as that. Stash-file are a security problem. So be very careful when storing them.

I have rewritten this in java, which you can download. (update: now compiled with Java 1.4)

The usage is
java -jar unstash.jar <stashfile>.sth

update: I added the source code (as Unstash.java)

Please let me know if it works for you!


27 responses to “unstash in Java”

  1. Mike says:

    Hi, nice posts there :-) thank’s for the interesting information

  2. Aar Emm says:

    Thanks for the pretty nice analysis. However, when we try to use the JAR file, we get the following error. Our Java version is 1.5, on AIX 5.3 system; Please advise.

    HostXYZ:/home/userX>> java -jar unstash.jar keyfile.sth
    class cannot be loaded: java.lang.UnsupportedClassVersionError: (nl/axxiu/Unsta sh) bad major version at offset=6 – java.lang.UnsupportedClassVersionError: (nl /axxius/Unstash) bad major version at offset=6

  3. jzomer says:

    I think I compiled it with Java 1.6.0_07 on Windows. I can provide you with a 1.5 version if you want to. Perhaps I need to add the source to it as well 😉

  4. Aar Emm says:

    Please email me a version 1.5 JAR file, if possible. Thanks for publishing the details about the intricate logic of this neat important tool.

  5. jzomer says:

    I updated the file. It is now compiled with JDK 1.4 so more compatible. Sorry for the delay. I hope it is still useful.

  6. Aar Emm says:

    No problem. Yeah, the updated JAR file now unstashes the passwds like a song. Thanks much.

  7. Sorina Mocanu says:

    thanx great help

  8. Nambi says:

    Hi,

    i am unable to download the java file and it is landing me always to the home page

  9. jzomer says:

    hmm. weird. I had quite some 404’s after changing something to my site.
    I recreated the link and it seems to function once again. Thanks for pointing this out!

  10. Hey
    Thanks for your comments on my blog.
    Your post is interesting.

    -Bhaskar Ramaraju

  11. gp says:

    worked for me. Thank you very much

  12. Venu says:

    Vooow…Thanks boss for the java version, it saved me from a potential issue …

  13. ceva says:

    Hello Jeroen Zomer,
    Can you please share source code of unstash.jar?

  14. Ceva says:

    Thank you, it’s really helped me. ! )

  15. Gea says:

    Great!
    thanks for sharing this :)

  16. Guillaume says:

    here is a Python 3 code to do the unstash:

    ———————————————–
    import sys

    with open(sys.argv[1], ‘rb’) as input:
    line = input.readline()
    xbytes = bytearray(c ^ 0xf5 for c in line)
    print(xbytes[:xbytes.index(0x00)].decode())
    ———————————————–

  17. Guillaume says:

    … indentation was not keeped properly, you have to indent “line = input.readline()” to make it work

  18. Niek says:

    Thanks for sharing, worked for me in c#.
    Here is the c# code:

    using System;
    using System.IO;

    namespace ConsoleApplication4
    {
    class Program
    {
    static void Main(string[] args)
    {
    unstash(@”HERE YOURE FILENAME”);
    }

    private static void unstash(string aFile)
    {
    byte x = (byte)0xf5;
    var bytes = File.ReadAllBytes(aFile);
    for (int i = 0; i < bytes.Length; i++)
    {
    byte b = (byte)(bytes[i] ^ x);
    if (b == 0) break;
    Console.Write((char)b);
    }
    Console.ReadLine();
    }
    }
    }

  19. porn says:

    Just want to say your article is as astonishing. The clearness in your
    submit is simply spectacular and that i could assume you are an expert in this subject.
    Well together with your permission let me to take hold
    of your RSS feed to stay up to date with imminent post. Thank you
    one million and please continue the gratifying work.

  20. Rajesh says:

    i just stopped by to say thanks and that i have used your blog to retrieve .sth password.

    it was really of help to me!!

    thanks Again!

  21. หนัง says:

    I constantly spent my half an hour to read this webpage’s
    articles daily along with a mug of coffee.

  22. Hi to every body, it’s my first pay a visit of this weblog; this weblog contains amazing and in fact good stuff in support of visitors.

  23. หนัง says:

    I’ll right away grab your rss feed as I can not to find your email
    subscription hyperlink or e-newsletter service. Do you have
    any? Kindly permit me recognize in order that I could subscribe.
    Thanks.

  24. Thanks for finally talking about >strelitzia.net | unstash
    in Java <Loved it!

  25. I am truly thankful to the owner of this site who has shared
    this fantastic piece of writing at at this time.

  26. If you would like to increase your familiarity simply keep visiting
    this site and be updated with the most up-to-date
    news posted here.

  27. Diwakar says:

    I am using this script to find the password of kdb file generated with new version of MQv9. I am unable to decrypt as the algorithm has changed . I am not too sure how to decrypt in latest version as the unstash.pl script fails.

Leave a Reply

strelitzia.net