Get password from a Keystore Stash File

NOTE: The Keystash has been enhanced, and is no longer accessible this way. If you’ve lost your keystore password now – all bets are off. Sorry.

On the other hand, if you at least have the stash, you can likely export the keys and move them into a new keystore of your choice, with a new password.

This is an oldie, but a goodie, just encountered a customer who’d lost the password to their WebSEAL keystore. Fortunately, assuming you have the stash file (<keystore name>.sth – in the same directory as the keystore .kdb file). Which you would – if the keystore is still being used actively, then you can easily extract the obfuscated keystore password.

Here is a Perl script that can unstash the password.

————— begin ————————

use strict;

die "Usage: $0 <stash file>n" if $#ARGV != 0;

my $file=$ARGV[0];
open(F,$file) || die "Can't open $file: $!";

my $stash;
read F,$stash,1024;

my @unstash=map { $_^0xf5 } unpack("C*",$stash);

foreach my $c (@unstash) {
last if $c eq 0;
printf "%c",$c;
printf "n";

——————— end—————–


perl keystore.sth

Perl Source:
Have copied locally – since I’ve used this a few times.

The stash file is just an XOR’ed copy of the password – XOR’d with 0xf5.

Comments are closed.

Website Built with

Up ↑

%d bloggers like this: