Archive for the ‘computers’ Category

Immediately Patch Microsoft 0 day vulnerabilities being used to spread SPYWARE!

Thursday, September 14th, 2017

 

Windows 0-Day Flaw

Get ready to install a fairly large batch of security patches onto your Windows computers.

As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.

 The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE).

Affected Microsoft products include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • .NET Framework
  • Skype for Business and Lync
  • Microsoft Exchange Server
  • Microsoft Office, Services and Web Apps
  • Adobe Flash Player

.NET 0-Day Flaw Under Active Attack

According to the company, four of the patched vulnerabilities are publicly known, one of which has already been actively exploited by the attackers in the wild.

Here’s the list of publically known flaws and their impact:

Windows .NET Framework RCE (CVE-2017-8759)—A zero-day flaw, discovered by researchers at cybersecurity firm FireEye and privately reported it to Microsoft, resides in the way Microsoft .NET Framework processes untrusted input data.

Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.

The flaw could even allow an attacker to create new accounts with full user rights. Therefore users with fewer user rights on the system are less impacted than users who operate with admin rights.

According to FireEye, this zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July this year.

FinSpy is a highly secret surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies.

Once infected, FinSpy can perform a large number of secret tasks on victims computer, including secretly monitoring computers by turning ON webcams, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.

“The [new variant of FINSPY]…leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” researchers at FireEye said.

“As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

Three Publicly Disclosed Vulnerabilities

The remaining three publicly known vulnerabilities affecting the Windows 10 platform include:

  • Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.
  • Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.
  • Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

BlueBorne Attack: Another Reason to Install Patches Immediately

Also, the recently disclosed Bluetooth vulnerabilities known as “BlueBorne” (that affected more than 5 Million Bluetooth-enabled devices, including Windows, was silently patched by Microsoft in July, but details of this flaw have only been released now.

BlueBorne is a series of flaws in the implementation of Bluetooth that could allow attackers to take over Bluetooth-enabled devices, spread malware completely, or even establish a “man-in-the-middle” connection to gain access to devices’ critical data and networks without requiring any victim interaction.

So, users have another important reason to apply September security patches as soon as possible in order to keep hackers and cyber criminals away from taking control over their computers.

Other flaws patched this month include five information disclosure and one denial of service flaws in Windows Hyper-V, two cross-site scripting (XSS) flaws in SharePoint, as well as four memory corruption and two remote code execution vulnerabilities in MS Office.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Source:
Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

Microsoft (SFB/O365) Dropping Support for PBX Connections leaving Legacy Platforms behind

Wednesday, July 26th, 2017

Microsoft recently announced that it will no longer provide session border controller (SBC) support for PBX systems accessing Office 365.

Essentially, the news means that starting July 2018, users of Exchange Online Unified Messaging (UM) will have to use an alternative method of connecting voicemail with Outlook. Microsoft won’t support PBX connections using SBCs for that purpose.

In its announcement, Microsoft suggested that only “a small number of customers are affected by this change” and that it was making it to “provide a higher quality of service for voicemail.” Microsoft also offered four alternative options, though they likely won’t be cheap or simple for affected organizations, said Paul Cunningham, a Microsoft Most Valuable Professional, commenting in a Practical 365 blog post. The move could simplify things for Microsoft, though, he suggested.

“I see this simply as part of Microsoft’s grand strategy to jettison legacy platforms and solutions that are complex and not highly profitable, and focus on services like Cloud PBX that they can deliver more efficiently,” Cunningham added.

Microsoft is discontinuing its SBC support on the Office 365 side so that it won’t have to rely on “a third-party system” that’s difficult to manage, suggested Jeff Guillet, a Microsoft certified solutions master and Microsoft MVP. He explained the technical aspects of Microsoft’s move in this blog post, adding that giving companies just one year to move is “asking a lot,” since the switchover likely will affect large companies.

Some Help for Orgs
Meanwhile, AVST, a Microsoft Gold partner on Skype for Business and Exchange, and a voicemail pioneer, is indicating that it has the means to support organizations faced with Microsoft’s one-year deadline.

The company’s CX-E Unified Communications platform offers a quick solution that can integrate with leading PBX systems, such as systems from Avaya, Cisco, Microsoft and others. The platform permits organizations to continue to use Outlook forms to link voicemail with e-mail. Because of the potential pain involved in such moves, it’s currently offering discounts via its Value-Added Reseller partners.

How AVST can address the issue was explained by Tom Minifie, AVST’s chief technology officer, as well as Denny Michael, senior vice president of sales and marketing at AVST, in a phone interview last week.

AVST has been addressing the unified communications space for decades.

“The company goes back over 30 years and we were one of the folks that brought voicemail to the marketplace,” Michael said. “We’ve been around for a long time, and we primarily service the enterprise space. We’re very strong in healthcare, state and local government, regulated industries, higher education and other horizontal industries as well.”

Minifie explained that organizations with third-party (or non-Microsoft) PBX systems using Office 365, or thinking about moving to Office 365, will be affected by Microsoft’s change. Most options, of the four listed by Microsoft, will require moving to Skype for Business and scrapping PBX systems. It’ll be “disruptive,” he said.

“Clearly, from Microsoft’s position, they want that alternative to be ‘Get rid of your PBX and use Skype for Business,'” Minifie said. “So, for customers that have already been planning for that, that’s a good option for them. They move to Skype for Business and continue to use the Exchange [Online] UM component. But for customers that aren’t interested in doing that or aren’t ready to do that, then this is pretty disruptive because it’s not something that they’ve planned for already.”

AVST, with its CX-E Unified Communications platform, specializes in the fourth option presented by Microsoft.

“And what that is, it’s really saying is that instead of directly connecting the Exchange [Online] UM environment to the PBX, I’m going to have a different unified messaging solution that performs that same functionality, and that’s how we approach it,” Minifie said. “Because of our history, we evolved the integrations into the various phone systems, so whatever phone system or PBX the customer is using, we’ll be able to integrate into that, but then we also integrate into the Exchange environment so that we can provide unified messaging through Exchange.”

End users also get the same familiar Outlook look and feel with AVST’s platform.

“In our eyes, we’re providing the best of both worlds,” Minifie said. “We’re solving the problem, which is you can no longer connect Exchange [Online] UM into your PBX. So we take care of that PBX connection. But you get to continue to use the familiar Outlook interface that the end users are used to.”

Minifie affirmed that Microsoft was essentially eliminating the SBC on its end. The change was aimed at improving the quality of service of voicemail, according to Microsoft.

The Time Factor
AVST and its partners validate phone systems and architectures. They perform application discovery to address any functionalities that organization may want. The time it takes to deploy will depend on the solution chosen.

“As far as the amount of time, that kind of depends on the solution,” Minifie said. “Ours is quick because you really aren’t changing anything. Your phone system doesn’t change. Your Exchange doesn’t change. We just get put in the middle of it. And so that can be deployed very quickly.”

Other approaches can get delayed.

“With the other solutions, you’re getting into having to order telecom things,” Minifie said. “You need SIP trunking and have to order from the carrier, and there are whatever delays for that to get delivered.”

AVST’s solution can be installed on premises or it’s provided as a hosted software-as-a-service solution via subscription. More information about AVST’s replacement offerings for Exchange Online UM can be found at this page.

By Kurt Mackie

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Source: Microsoft Dropping Support for PBX Connections Using SBCs — Redmond Channel Partner

Bots Searching for Keys & Config Files [Sans StormCast]

Wednesday, July 19th, 2017

If you don’t know our “404” project[1], I would definitively recommend having a look at it! The idea is to track HTTP 404 errors returned by your web servers. I like to compare the value of 404 errors found in web sites log files to “dropped” events in firewall logs. They can have a huge value to detect ongoing attacks or attackers performing some reconnaissance. Reviewing 404 errors is one task from my daily hunting-todo-list but it may quickly become unmanageable if you have a lot of websites or popular ones. The idea is to focus on “rare” events that could usually pass below the radar. Here is a Splunk query that I’m using in a daily report:

index=web sourcetype=access_combined status=404
| rex field=uri "(?<new_uri>^\/{1}[a-zA-Z0-9_\-\~]+\.\w+$)"
| cluster showcount=true t=0.6 field=new_uri
| table _time, cluster_count, cluster_label, new_uri | sort cluster_count

What does it do?

  • It searches for 404 errors in all the indexed Apache logs (access_combined)
  • It extracts interesting URI’s. I’m only interested in files from the root directory eg. “GET /<name><dot><extension>”
  • It creates “clusters” of common events to help in detecting rare ones.

Here is an example of output (top-20):

"_time","cluster_count","cluster_label","new_uri"
"2017-07-18T13:42:15.000+0200",1,9,"/xml.log"
"2017-07-18T13:18:51.000+0200",1,11,"/rules.abe"
"2017-07-18T11:51:57.000+0200",1,17,"/tmp2017.do"
"2017-07-18T11:51:56.000+0200",1,18,"/tmp2017.action"
"2017-07-18T09:16:52.000+0200",1,23,"/db_z.php"
"2017-07-18T07:28:29.000+0200",1,25,"/readme.txt"
"2017-07-18T03:44:07.000+0200",1,27,"/sloth_webmaster.php"
"2017-07-18T02:52:33.000+0200",1,28,"/sitemap.xml"
"2017-07-18T00:10:57.000+0200",1,29,"/license.php"
"2017-07-18T00:00:32.000+0200",1,30,"/How_I_Met_Your_Pointer.pdf"
"2017-07-17T22:57:41.000+0200",1,31,"/browserconfig.xml"
"2017-07-17T20:02:01.000+0200",1,76,"/rootshellbe.zip"
"2017-07-17T20:01:00.000+0200",1,82,"/htdocs.zip"
"2017-07-17T20:00:54.000+0200",1,83,"/a.zip"
"2017-07-17T20:00:51.000+0200",1,84,"/wwwroot1.zip"
"2017-07-17T20:00:50.000+0200",1,85,"/wwwroot1.rar"
"2017-07-17T19:59:34.000+0200",1,98,"/rootshell.zip"
"2017-07-17T19:59:27.000+0200",1,103,"/blogrootshellbe.rar"
"2017-07-17T19:59:18.000+0200",1,104,"/rootshellbe.rar"

Many tested files are basically backup files like I already mentioned in a previous diary[2], nothing changed. But yesterday, I found a bot searching for even more interesting files: configuration files from popular tools and website private keys. Indeed, file transfer tools are used by many webmasters to deploy files on web servers and they could theoretically leave juicy data amongst the HTML files. Here is a short list of what I detected:

/filezilla.xml
/ws_ftp.ini
/winscp.ini
/backup.sql
/<sitename>.key
/key.pem
/myserver.key
/privatekey.key
/server.key
/journal.mdb
/ftp.txt
/rules.abe

Each file was searched with a different combination of lower/upper case characters. Note the presence of ‘rules.abe’ that is used by webmasters to specify specific rules for some web applications[3]. This file could contain references to hidden applications (This is interesting to know for an attacker).

So, keep an eye on your 404 errors and happy hunting!

[1] https://isc.sans.edu/404project/
[2] https://isc.sans.edu/forums/diary/Backup+Files+Are+Good+but+Can+Be+Evil/21935
[3] https://noscript.net/abe/web-authors.html

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Wednesday, July 19th, 2017
internet-of-the-things-hacking

Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of the Internet-of-Thing devices that eventually left millions of devices vulnerable to hacking.

The vulnerability (CVE-2017-9765), discovered by researchers at the IoT-focused security firm Senrio, resides in the software development library called gSOAP toolkit (Simple Object Access Protocol) — an advanced C/C++ auto-coding tool for developing XML Web services and XML application.

Dubbed “Devil’s Ivy,” the stack buffer overflow vulnerability allows a remote attacker to crash the SOAP WebServices daemon and could be exploited to execute arbitrary code on the vulnerable devices.

The Devil’s Ivy vulnerability was discovered by researchers while analysing an Internet-connected security camera manufactured by Axis Communications.

“When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed,” researchers say.

“Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.”

Axis confirmed the vulnerability that exists in almost all of its 250 camera models (you can find the complete list of affected camera models here) and has quickly released patched firmware updates on July 6th to address the vulnerability, prompting partners and customers to upgrade as soon as possible.

However, researchers believe that their exploit would work on internet-connected devices from other vendors as well, as the affected software is used by Canon, Siemens, Cisco, Hitachi, and many others.

Axis immediately informed Genivia, the company that maintains gSOAP, about the vulnerability and Genivia released a patch on June 21, 2017.

The company also reached out to electronics industry consortium ONVIF to ensure all of its members, including Canon, Cisco, and Siemens, those who make use of gSOAP become aware of the issue and can develop patches to fix the security hole.

Internet of Things (IoT) devices has always been the weakest link and, therefore, an easy entry for hackers to get into secured networks. So it is always advisable to keep your Internet-connected devices updated and away from the public Internet.

Source: Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

Wednesday, July 19th, 2017
Cisco-WebEx-Remote-Command-Execution

A highly critical vulnerability has been discovered in the Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time in this year, which could allow attackers to remotely execute malicious code on a victim’s computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help users connect and collaborate with colleagues around the world.  The extension has roughly 20 million active users.Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a designing defect in the WebEx browser extension. To exploit the vulnerability, all an attacker need to do is trick victims into visiting a web page containing specially crafted malicious code through the browser with affected extension installed.  Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

“I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them,” Ormandy said. “This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well.”Cisco has already patched the vulnerability and released “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers that address this issue, though “there are no workarounds that address this vulnerability.”

“This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows,” Cisco confirmed in an advisory released today.

Download Cisco WebEx Extension 1.0.12

In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack.

 Fortunately, Apple’s Safari, Microsoft’s Internet Explorer and Microsoft’s Edge are not affected by this vulnerability.  Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability, the company confirmed.The remote code execution vulnerability in Cisco WebEx extension has been discovered second time in this year.

 

Source: Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

Understanding Open Source Agility – Watching revenue upside in SD-WAN, UCaaS services.

Thursday, July 13th, 2017
“A penny saved is a penny earned” –Wise Anonymous person’s words that I heard from my mother growing up.
R O I should be an initial checkpoint and a major focus of any technological investment.  What is the solution solving?  I can’t stop adding items to the list.  I found the article below rather interesting – The service and cloud scene is poppin right now.
–Aaron
business meeting

Mellanox Adds Cumulus Linux Support for Ethernet Switches

Tuesday, March 8th, 2016

SUNNYVALE, Calif. & YOKNEAM, Israel–(BUSINESS WIRE)–Mellanox® Technologies, Ltd. (NASDAQ:MLNX), a leading supplier of high-performance, end-to-end interconnect solutions for data center servers and storage systems, today announced it has added Cumulus® Linux® support for the Spectrum line of 10/25, 40/50, and 100 Gb/s Ethernet switches.

The addition of Cumulus Linux provides customers a best in class Network Operating System (NOS) with the highest performance and most predictable Ethernet switch platform. The availability of third party NOS solutions is the cornerstone of the Open Ethernet initiative and provides customers with freedom of choice. “Mellanox is uniquely positioned to capitalize on a big opportunity as the industry continues to move towards open solutions” Tweet this“The addition of Cumulus Linux means we now give our customers the option to choose the leading Linux NOS on the market,” said Amit Katz, vice president Ethernet switch sales, Mellanox Technologies. “We are confident our Ethernet switch platforms will continue to deliver unmatched predictability, packet performance and the ability to achieve Web-Scale IT efficiencies.”In order to achieve more agile innovation and to avoid vendor lock-in, many of the largest and most advanced web scale businesses have rejected closed, proprietary, black box switches.

Taking a page from these hyperscale data centers, more modestly sized businesses are emulating these architectures and adopting open, disaggregated switches – which separate the choice of hardware and software components. These open networking platforms enable customers to choose best of breed components in order to optimize and automate their data centers to meet their business needs. The fully integrated and tested combination of Spectrum switches and Cumulus Linux is the ideal way to achieve this agility, with an open networking platform that frees enterprises to extend and improve the pace of innovation, efficiency, and automation of their data center infrastructure.Mellanox is helping to accelerate the adoption of open networking and the transformation of businesses to achieve web-scale IT efficiencies.

The partnership between Mellanox and Cumulus Networks is a realization of the Open-Ethernet initiative and furthers both companies’ long-standing commitment to open networking, as demonstrated by their contributions to the Open Compute Project (OCP), Switch Abstraction Interface (SAI), Linux Switchdev, and Open Network Install Environment (ONIE). In addition, Mellanox has made multiple contributions of 10/25, 40/50, & 100 Gb/s Ethernet switch and OCP adapters designs.“Mellanox is uniquely positioned to capitalize on a big opportunity as the industry continues to move towards open solutions,” said JR Rivers, CEO and co-founder, Cumulus Networks. “With Mellanox’s performance-focused value proposition, Open Ethernet initiative, and large base of clients, Cumulus can expand into new markets and help accelerate customers’ move to Web IT. Open is becoming the industry standard at every level in modern infrastructure builds. As ecosystems open up, customers win; all due to selecting the best technology under the best terms.”“At Cloudalize, we offer the GPU Desktop as a Service (GDaaS) Platform to a wide range of partners for the cloud solutions they deliver to their customers, so we demand performance, predictability, and industrial-grade control of our networking equipment,” said Benny Willen, CEO Cloudalize. “Cloudalize’s requirements for high performance networking, that could be provisioned as easily as servers, led us to look at an Open solution in the form of Cumulus Linux running on top of Mellanox’s Ethernet Switches.

With Cumulus Linux, we could leverage many of our server tools to automate our network orchestration and monitoring activities. With Mellanox Ethernet Switches, we get the predictable performance we need, without worrying about packet loss.”Come see how to transform your data center and achieve web-scale IT efficiency with the Cumulus Linux running on the Spectrum switch at the Mellanox booth #B4 at the OCP Summit taking place March 9-10 at the San Jose Convention Center.

Source: Mellanox Adds Cumulus Linux Support for Ethernet Switches | Business Wire

​Why has SQL Server come to Linux? Windows-only cloud makes no sense | ZDNet

Tuesday, March 8th, 2016

Some people are asking why. After all, with MySQL, MariaDB, postgreSQL, and Oracle Database 12c Linux, there’s no shortage of RDBMS servers on Linux.Part of the reason is simple enough. Scott Guthrie, head of Microsoft’s Cloud & Enterprise business, said “This will enable SQL Server to deliver a consistent data platform across Windows Server and Linux, as well as on-premises and cloud.The more complex answer is that Microsoft’s fortune is no longer based on Windows. True, SQL Server will be available on Red Hat Enterprise Linux (RHEL) and Canonical’s Ubuntu Linux as a standalone server applications, that’s not where it’s meant to run. As Ed Bott recently uncovered, Microsoft’s new cash cows are Azure and server applications. In particular, “Microsoft Azure is growing rapidly and is reported in the same group as traditional server products (SQL Server is up, Windows Server is down). Collectively, that pair is at the top of the list.”And what operating systems run on Azure? Mark Russinovich, CTO of Microsoft Azure, Microsoft’s cloud program, said last fall that open source and Linux make great financial and technical sense for Microsoft. “It’s obvious, if we don’t support Linux, we’ll be Windows only and that’s not practical.” Then, one in four Azure operating systems instances were Linux. And that number has only been increasing.ADVERTISINGFor Microsoft to continue to grow as a cloud and services company it must become a Linux company.And, in particular, Microsoft wants to be a Linux cloud power. Today, Azure is certainly the primary way Microsoft monetizes Linux, so it’s only logical that SQL Server would be added to Linux.Al Gillen, IDC’s group vice president, sees this. “By taking this key product to Linux, Microsoft is proving its commitment to being a cross platform solution provider. This gives customers choice and reduces the concerns for lock-in. We would expect this will also accelerate the overall adoption of SQL Server.”

Source: ​Why has SQL Server come to Linux? Windows-only cloud makes no sense | ZDNet

Goodbye Applets: Another Cruddy Piece of Web Tech Is Finally Going Away | WIRED

Tuesday, March 8th, 2016

Another piece of old, insecure web infrastructure is about to be killed off.

Oracle says that it’s discontinuing its Java browser plugin starting with the next big release of the programming language. No, Oracle isn’t killing the Java programming language itself, which is still widely used by many companies. Nor is it killing off JavaScript, which is a completely different language that Oracle doesn’t control. What Oracle is getting rid of is a plugin that allows you to run programs known as “Java applets” in your browser.You may not think you even have the Java plugin installed, but if you’ve ever installed Java, or if Java came pre-installed on your computer, then you probably do, even if you never use it. The good news is that Oracle won’t be automatically installing the Java plugin when you install Java anymore. The bad news is that it won’t be providing security updates anymore either, so you should go ahead and uninstall it now. In fact, there’s a good chance you can uninstall Java entirely.

Source: Goodbye Applets: Another Cruddy Piece of Web Tech Is Finally Going Away | WIRED

Password hash cracking on a Juniper ScreenOS device

Monday, January 4th, 2016

So the Juniper Netscreen/SSG ScreenOS password hash is a bit of a hidden mystery. I had in my hand the config of a Netscreen device and I wanted to perform a reverse of the password hashes to see if they were weak.

In this case here’s the line from the config:

1
set admin user “admin” password “nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn” privilege “all”

John The ripper has supported Netscreen passwords since back in 2008 when Samuel Moñux released this patch. Unfortunately John was too slow for my needs as I was up against a deadline, thus I looked at the faster approach of using the GPU to perform the cracking. Hashcat is the best tool for the job but unfortunately Hashcat didn’t support this hashing algorithm. :-(

After a looking through jar source code I found this python script which can generate a Netscreen hash, getting warmer. Here’s a shortened version of the code to show just the function we’re interested in:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
def makepass(user, password):
middle = “Administration Tools”
s = “%s:%s:%s” % (user, middle, password)
print s
m = hashlib.md5(s).digest()
narray = []for i in range(8):
n1 = ord(m[2*i])
n2 = ord(m[2*i+1])
narray.append( (n1<<8 & 0xff00) | (n2 & 0xff) )

res = “”
for i in narray:
p1 = i >> 12 & 0xf
p2 = i >> 6  & 0x3f
p3 = i       & 0x3f
res += b64[p1] + b64[p2] + b64[p3]

for c, n in  zip(“nrcstn”, [0, 6, 12, 17, 23, 29]):
res = res[:n] + c + res[n:]
return res

After looking through the code it is clear that there is a fixed salt of Administration Tools and a salt of the username(lines 2 and 3).
The code then takes each 2 chars and adds the binaries together(lines 8-11)
From this it creates 3 characters from the 16bits(lines 14-18)
And finally is scatters the letters n,r,c,s,t & n onto the hash in specific places (lines 20 and 21)
It’s worth noting that the letters nrcstn is actually NeTSCReeN in reverse without the e’s :-)

Using this code it was possible to write some new code to reverse backwards through the steps in order to go from a Netscreen hash back to the raw MD5 hash. Here’s the function for this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
def reversetomd5(knownhash):
# strip out nrcstn fixed characters
clean=“”
for i in [1,2,3,4,5,7,8,9,10,11,13,14,15,16,18,19,20,21,22,24,25,26,27,28]:
clean+=knownhash[i]# create blocks
block=[]
for i in xrange(2,24,3):
p1 = b64.index(clean[i-2])
p2 = b64.index(clean[i-1])
p3 = b64.index(clean[i])
block.append(p1 << 12 | p2 << 6 | p3)

# split block into half and find out character for each decimal
md5hash=“”
for i in block:
n1 = i >> 8
n2 = i & 0xff
md5hash+=chr(n1)+chr(n2)
return binascii.hexlify(md5hash)

Using this function you are able to give it a Netscreen hash and you’ll get back the raw MD5.

1
Knownhash of:nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn has MD5Hash of: 078f1d1f09bede18edf49c0f745781dd

Now using the power of GPU cracking and my favourite tool Hashcat it is possible to crack the hash. We need to put the hash in a format that hashcat can understand so we create a file called netscreen.txt and put the hash in the following format(note the training colon after the fixed salt):

1
2
[hash]:[user]:Administration Tools:
078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:

We then use hashcat’s mode 20 which is md5($salt.$pass) to crack the hash:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
C:\cudaHashcat64.exe -m 20 netscreen.txt rockyou.txt
cudaHashcat v1.01 starting…
Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 660M, 2048MB, 950Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0020_a0.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptxGenerated dictionary stats for rockyou.txt: 139921541 bytes, 14344395 words, 14343300 keyspace

078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools::MySecretPassword

Session.Name…: cudaHashcat
Status………: Cracked
Input.Mode…..: File (rockyou.txt)
Hash.Target….: 078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
Hash.Type……: md5($salt.$pass)
Time.Started…: Fri Jan 10 15:03:24 2014 (5 secs)
Speed.GPU.#1…:  4886.1 kH/s
Recovered……: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress…….: 11109723/14343300 (77.46%)
Rejected…….: 1371/11109723 (0.01%)
HWMon.GPU.#1…:  0% Util, 41c Temp, N/A Fan

Started: Fri Jan 10 15:03:24 2014
Stopped: Fri Jan 10 15:03:32 2014

Bingo it’s cracked the hash with the password MySecretPassword

As this algorithm uses more than just a fixed salt to create the hash I’ll speak to Atom (the creator of hashcat) to see if he want’s to implement it into a future release, but until then this code should help you in cracking netscreen passwords.

Update: Atom has added this hash type to oclHashcat as of version 1.20 https://hashcat.net/hashcat/ (Feature request here: https://hashcat.net/trac/ticket/235)

 

This article’s Original Author:

https://www.phillips321.co.uk/2014/01/10/cracking-a-juniper-netscreen-screenos-password-hash/