Advertisements
RSS

Weblogic and Triple-DES decryption

12 Apr

After my earlier post regarding the Triple DES encryption Weblogic uses. The next question could be, can we decrypt the 3DES hash to cleartext again ? The answer is, yes you can.

On the Internet multiple examples are available, but I found this post from Chris Vugrinec ( hi m8 ) very helpfull so muchos credits to Chris.

Off course the java code needs to include the weblogic.jar and on runtime access to the domains SerializedSystemIni.dat which encapsulates a time-variant encrypted key created with the generation of the domain.

import java.io.Console;
import weblogic.security.internal.SerializedSystemIni;
import weblogic.security.internal.encryption.ClearOrEncryptedService;

public class DrieDesDecrypter
{
  static ClearOrEncryptedService ces;
  public static void main(String[] args)
  {
System.out.println("This class decrypts the 3DES string for Weblogic");
    Console console = System.console();
    String var_folder = console.readLine("Give PATH! where SerializedSystemIni.dat for weblogic domain is located: ");
    String var_driedes = console.readLine("Give 3DES string: ");
    ces = new ClearOrEncryptedService(SerializedSystemIni.getEncryptionService(var_folder));
    var_driedes = var_driedes.replace("\\", "");
    System.out.println("Decrypted value: " + ces.decrypt(var_driedes));
  }
}

The 1st input is the Directory where the SerializedSystemIni.dat resides
The 2nd input is the encrypted 3DES String
The output  is what you wanted.
Running would look something like:

c:\Oracle\domains\rbx_dev_wls\bin\setDomainEnv.cmd
java DrieDesDecrypter

This class decrypts the 3DES string for Weblogic
Give PATH! where SerializedSystemIni.dat for weblogic domain is located: C:\Oracle\domains\rbx_dev_wls\security
Give 3DES string: {3DES}OOLr88wGSPx82H1abcYU9Q==
Decrypted waarde: welcome1

This source-code should trigger any Weblogic Administrator to make sure it’s SerializedSystemIni.dat file is secured to prevent unauthorised access and included in the backup procedure.

Update 2012.01.26:

Due to lost passwords on a DEV environment I had to test my class with the new AES encryption used by Weblogic 11g (r1PS4) instead of the older 3DES algoritm it used to store it’s passwords in. And it still works like a charm. :)

Update 2012.06.27:

Make life much easier for those DEV/TST domains: http://recover-weblogic-password.appspot.com/
Don’t think I would like to use it for my PRD domains, but you make your own choice there,

 


Advertisements
 
1 Comment

Posted by on 12-04-2010 in Oracle, Weblogic

 

Tags: , , ,

One response to “Weblogic and Triple-DES decryption

  1. jvzoggel

    27-06-2012 at 13:42

    Added link to Google AppSpot which automates this process for you

     

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: