It has been ten years since the (in)famous unstash script came out in 1999. It was a cryptic PERL script, which could read IBM’s stash files and deliver you the ‘encrypted’ password.
I was in need of the script, as I lost a password from a cryptographic key database and got stuck as I had no PERL installed. So I decided to create a Java-version of this script, because Java is always available when you are installing most IBM products. You may use it to your liking.
For an explanation of how it works and a link to download the jar-file, please read on!
IBM uses iKeyman or GSKIT to create a key database (keyDB) for storing security certificates, which you need to run SSL-enabled protocols. These keyDBs need to be read by machines while starting the actual processes. You can either do that by giving the application the password of the KeyDB or by creating a so-called stashfile, which is not human readable but stores the password. IBM uses this mechanism for WebSphere products, Tivoli Access Manager components like WebSEAL, and IBM HTTP Server.
So if you want to open up a keyDB, you’ll need the password. And the easiest way of obtaining it is by reversing the storage method of the stashfile.
Since 1999 (!) a PERL script existed which did exactly that. The original script is this:
#!/usr/bin/perl -w
# unstash.pl - "decrypt" IBM HTTP server stash files. No, really. They *are* this pathetic.
# sploit (BoByRiTe) 1999, Major Malfunction, code by Ben Laurie, cos I dudn't dud perly thing.
use strict;
die "Usage: $0 \n" if $#ARGV != 0;
my $file=$ARGV[0];
open(F,$file) || die "Can't open $file: $!";
my $stash;
read F,$stash,1024;
my @unstash=map { $_^0xf5 } unpack("C*",$stash);
foreach my $c (@unstash) {
    last if $c eq 0;
    printf "%c",$c;
}
printf "\n";
This piece of code has puzzled me for quite a while, because it is pretty cryptic. It is even more cryptic if you do not know PERL.
What it does is actually quite simple:
- read the stash-file byte by byte, until you encounter 0 (zero)
- XOR each byte read with 0xF5 (245 in decimal) and print the corresponding ASCII character
- This is your ‘stashed’ password
It is as pathetic as that. Stash files are a security problem. So be very careful when storing them.
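The warning above can be turned into a check. This is an added example, not part of the original post or of IBM's tooling: it flags stash files that are readable beyond their owner and that are in the XOR-0xF5 format the script decodes, without ever printing the password. The function names, the printable-ASCII heuristic and the sample file layout (password, NUL, filler) are assumptions made for the example.

```python
import os
import stat
import tempfile

XOR_KEY = 0xF5  # the constant used by the unstash script above

def looks_like_legacy_stash(data):
    """Heuristic (assumption): XOR 0xF5 yields printable ASCII, then a NUL."""
    decoded = bytes(b ^ XOR_KEY for b in data)
    end = decoded.find(0)
    if end <= 0:  # no terminator found, or an empty password
        return False
    return all(0x20 <= c < 0x7F for c in decoded[:end])

def audit_stash(path):
    """Return findings for one stash file; the password is never returned."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other (mode %04o)" % mode)
    with open(path, "rb") as fh:
        # The Perl script reads at most 1024 bytes, so do the same here.
        if looks_like_legacy_stash(fh.read(1024)):
            findings.append("legacy XOR-0xF5 format: any reader can recover the password")
    return findings

def make_sample(password, mode):
    """Write a CONSTRUCTED stash-like file; not a real iKeyman/GSKit artifact."""
    plain = password + b"\x00" + b"\x41" * 16  # filler length is an assumption
    fd, path = tempfile.mkstemp(suffix=".sth")
    with os.fdopen(fd, "wb") as fh:
        fh.write(bytes(b ^ XOR_KEY for b in plain))
    os.chmod(path, mode)
    return path

def demo():
    """Audit two constructed samples (0644 and 0600) and remove them again."""
    results = []
    for mode in (0o644, 0o600):
        path = make_sample(b"Secr3t!", mode)
        results.append(audit_stash(path))
        os.remove(path)
    return results

if __name__ == "__main__":
    for findings in demo():
        print(findings)
```

Even the owner-only sample is reported, because tightening the file mode only narrows who can read the stash; it does not change how the password is stored.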
I have rewritten this in java, which you can download. (update: now compiled with Java 1.4)
The usage is
java -jar unstash.jar <stashfile>.sth
update: I added the source code (as Unstash.java)
Please let me know if it works for you!
Hi, nice posts there thank’s for the interesting information
Thanks for the pretty nice analysis. However, when we try to use the JAR file, we get the following error. Our Java version is 1.5, on AIX 5.3 system; Please advise.
HostXYZ:/home/userX>> java -jar unstash.jar keyfile.sth
class cannot be loaded: java.lang.UnsupportedClassVersionError: (nl/axxiu/Unsta sh) bad major version at offset=6 – java.lang.UnsupportedClassVersionError: (nl /axxius/Unstash) bad major version at offset=6
I think I compiled it with Java 1.6.0_07 on Windows. I can provide you with a 1.5 version if you want to. Perhaps I need to add the source to it as well 😉
Please email me a version 1.5 JAR file, if possible. Thanks for publishing the details about the intricate logic of this neat important tool.
I updated the file. It is now compiled with JDK 1.4 so more compatible. Sorry for the delay. I hope it is still useful.
No problem. Yeah, the updated JAR file now unstashes the passwds like a song. Thanks much.
thanx great help
Hi,
I am unable to download the java file and it is landing me always to the home page
hmm. weird. I had quite some 404’s after changing something to my site.
I recreated the link and it seems to function once again. Thanks for pointing this out!
Hey
Thanks for your comments on my blog.
Your post is interesting.
-Bhaskar Ramaraju
worked for me. Thank you very much
Vooow…Thanks boss for the java version, it saved me from a potential issue …
Hello Jeroen Zomer,
Can you please share source code of unstash.jar?
Thank you, it’s really helped me. ! )
Great!
thanks for sharing this
here is a Python 3 code to do the unstash:
———————————————–
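import sys
# Read the stash file as raw bytes
with open(sys.argv[1], 'rb') as input:
    line = input.readline()
# XOR every byte with 0xf5, then print everything before the first zero byte
xbytes = bytearray(c ^ 0xf5 for c in line)
print(xbytes[:xbytes.index(0x00)].decode())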
———————————————–
… indentation was not kept properly, you have to indent “line = input.readline()” to make it work
Thanks for sharing, worked for me in c#.
Here is the c# code:
using System;
using System.IO;

namespace ConsoleApplication4
{
    class Program
    {
        static void Main(string[] args)
        {
            unstash(@"HERE YOURE FILENAME");
        }

        // XOR each byte with 0xf5 and print characters until a zero byte is decoded
        private static void unstash(string aFile)
        {
            byte x = (byte)0xf5;
            var bytes = File.ReadAllBytes(aFile);
            for (int i = 0; i < bytes.Length; i++)
            {
                byte b = (byte)(bytes[i] ^ x);
                if (b == 0) break;
                Console.Write((char)b);
            }
            Console.ReadLine();
        }
    }
}
i just stopped by to say thanks and that i have used your blog to retrieve .sth password.
it was really of help to me!!
thanks Again!
I am using this script to find the password of kdb file generated with new version of MQv9. I am unable to decrypt as the algorithm has changed. I am not too sure how to decrypt in latest version as the unstash.pl script fails.
Hi,
I am generating the P12 keystore using bouncy castle API, but I want to generate stashed file of my Keystore. I am not sure how to do that. Can this program help me in creating the Stashed file?
The same stashed file will be used by IHS server for SSL communication. I do not want to use any tool for stashing my p12 keystore rather want to generate using java code.
Regards
Sandeep
It does not work for me, I am creating a stashed password file but not able to retrieve the password from stashed file using the above code. The method must return the password after unstashing it.
Thank you very much for this. Worked flawlessly.
Any ideas regarding the applied algorithm of version 2 stash? Would post a working Java impl the same day …
can you suggest how this be done using windows command line?