
Python: Reproduce the encoding of a FileZilla Server password


I have the following XML in my FileZilla server (username: toto with password: toto):

<User Name="toto">
        <Option Name="Pass">8112E67312B4EF84DB1A4F969C21E9405577162ACF761F26F1603C62BBA6046E90C7E13F696C1D2737F7196374DB673FB82E59D7C089C4F1134991698A08EC09</Option>
        <Option Name="Salt">`!U3`CQ;a&amp;3IzbXc/4Wpb\)OZ3TsXP;&apos;Wx#^K&quot;Tu_XX.K&apos;o&lt;&apos;c&amp;A:vItTX-M|Z0Y</Option>
        <Option Name="Group"></Option>

I want to reproduce the encoded password with the following script:

import hashlib, binascii

salt = """`!U3`CQ;a&amp;3IzbXc/4Wpb\)OZ3TsXP;&apos;Wx#^K&quot;Tu_XX.K&apos;o&lt;&apos;c&amp;A:vItTX-M|Z0Y""".encode('utf-8')
p = "toto".encode('utf-8')

print (hashlib.sha512(salt + p).hexdigest())
print (hashlib.sha512(p + salt).hexdigest())

print (hashlib.sha384(salt + p).hexdigest())
print (hashlib.sha384(p + salt).hexdigest())

print (hashlib.sha256(salt + p).hexdigest())
print (hashlib.sha256(p + salt).hexdigest())

print (hashlib.sha1(salt + p).hexdigest())
print (hashlib.sha1(p + salt).hexdigest())

print (hashlib.md5(salt + p).hexdigest())
print (hashlib.md5(p + salt).hexdigest())

I got the following output which does not match the previous password

62a7a9220d3b467cb1034c795c4855aace719e56996acca50afad58278b5da357768abda76fccc15b07d6ff669ccbfa7a23c1f9c3852b6a666fe182aefafe52b
d2e4478b5fe105dfb329bfa5360a6ab9c095b3cc6029db2eb50215ab4e0be4229d1f7602ec9804b361760962e3259d53fa5a68f733ff4370c3c09ace3eeaacb3
a1415d389f96134839d4bed2739ebe76099670153af6299d9d7366f68849f352639507d8fa861df383d5bf1d1a36fbe6
36b52cbd8cb3838c4e8e9498e77d3e29e3a12343f54d08019caf2810c12ab0516c978fc7949a3317b2145d0facd8c744
5a72de46d48ea1e645cc9e04b411b61d388b112773aa06eb5a3c62afc0383f33
2d7392648adbca28ea36859e0365e53bfcf06355926d484e5921b62fbf9e7a38
033ddf63dd9ba52117528e8e4a10fcd6f1ef6498
741ad131e5694af4d2332e0fff925b8bc1b25e22
45bbec7d1064d449aef5f3408eef287b
34ddc5c29ecfb76e92d22e5fe4569555

Does someone have the solution?
Thanks.


Solution

  • The XML escapes the special characters in the following way; don't put them in the code as is, but convert them back to the original characters:

    &amp; = &
    &lt; = <
    &apos; = '
    &quot; = "
    

    Replace these in your salt and the second line will produce the desired output (remember to escape the quote (' or ") and a backslash (\) with a backslash as well!):

    import hashlib, binascii
    
    password = '8112E67312B4EF84DB1A4F969C21E9405577162ACF761F26F1603C62BBA6046E90C7E13F696C1D2737F7196374DB673FB82E59D7C089C4F1134991698A08EC09'.lower()
    salt = '`!U3`CQ;a&3IzbXc/4Wpb\\)OZ3TsXP;\'Wx#^K"Tu_XX.K\'o<\'c&A:vItTX-M|Z0Y'.encode('utf-8')
    # Alternatively with double quotes
    salt = "`!U3`CQ;a&3IzbXc/4Wpb\\)OZ3TsXP;\'Wx#^K\"Tu_XX.K'o<'c&A:vItTX-M|Z0Y".encode('utf-8') #alternative
    p = "toto".encode('utf-8')
    
    print (hashlib.sha512(p + salt).hexdigest())
    print (password)
    print (hashlib.sha512(p + salt).hexdigest() ==  password)
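The fix above, as an added example that is not part of the original answer: rather than unescaping the salt by hand, it parses the entry with ElementTree, which decodes the entities, and contrasts that with a regex grab of the raw text. The function names, the closing `</User>` tag and the `make_user` helper for building constructed entries are assumptions made for this example.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# The <User> entry from the question; the closing tag is added here so it parses.
USER_XML = r'''<User Name="toto">
  <Option Name="Pass">8112E67312B4EF84DB1A4F969C21E9405577162ACF761F26F1603C62BBA6046E90C7E13F696C1D2737F7196374DB673FB82E59D7C089C4F1134991698A08EC09</Option>
  <Option Name="Salt">`!U3`CQ;a&amp;3IzbXc/4Wpb\)OZ3TsXP;&apos;Wx#^K&quot;Tu_XX.K&apos;o&lt;&apos;c&amp;A:vItTX-M|Z0Y</Option>
  <Option Name="Group"></Option>
</User>'''

def options(user_xml):
    """Parse a <User> element; the XML parser decodes &amp;, &lt;, &apos;, &quot;."""
    user = ET.fromstring(user_xml)
    return {o.get("Name"): (o.text or "") for o in user.iter("Option")}

def raw_salt(user_xml):
    """Grab the salt as raw text, entities still escaped (the question's mistake)."""
    return re.search(r'<Option Name="Salt">(.*?)</Option>', user_xml, re.S).group(1)

def fz_hash(password, salt):
    """SHA-512 over password + salt, the order the answer found to match."""
    return hashlib.sha512((password + salt).encode("utf-8")).hexdigest()

def verify(user_xml, candidate):
    """Compare a candidate password with the stored hash in constant time."""
    opts = options(user_xml)
    return hmac.compare_digest(fz_hash(candidate, opts["Salt"]), opts["Pass"].lower())

def make_user(name, password, salt):
    """Build a constructed entry; ElementTree escapes & and < in the salt on output."""
    user = ET.Element("User", Name=name)
    for key, value in (("Pass", fz_hash(password, salt).upper()), ("Salt", salt)):
        ET.SubElement(user, "Option", Name=key).text = value
    return ET.tostring(user, encoding="unicode")

if __name__ == "__main__":
    print("decoded salt:", options(USER_XML)["Salt"])
    print("raw XML salt:", raw_salt(USER_XML))
    print("'toto' matches stored hash:", verify(USER_XML, "toto"))
```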