Aug 092013
 

I used to stumble upon an ancient BigIP system (version 4.x !!!) where the logins were lost. Time for a litlle fun!

Luckily a config backup (a .ucs) file was still there. The file command identified the .ucs file as gzip compressed data, so I gunziped it and found a lot of files. At first I didn’t find any users, just a grep over all files revealed some binary file matches. It seems that F5 has put the user database into
./config/openldap-ldbm/id2entry.dbb
and
./config/openldap-ldbm/dn2id.dbb

The first one can further be greped using “grep -a userPassword ./config/openldap-ldbm/id2entry.dbb” and it will show you the hashes (as base64 encoded entries). They all start with some strange “{CRYPT}” maybe indicating that they use the UNIX crypt function (you can tell by the $1$ at the beginning of the hash). Anyway, john the ripper identifies them (after base64 decoding) as FreeBSD MD5 [32/32]