Posts Tagged ‘juniper’

Password hash cracking on a Juniper ScreenOS device

Monday, January 4th, 2016

The Juniper Netscreen/SSG ScreenOS password hash is a bit of a hidden mystery. I had in my hand the config of a Netscreen device and I wanted to reverse the password hashes to see if they were weak.

In this case here’s the line from the config:

set admin user "admin" password "nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn" privilege "all"

John the Ripper has supported Netscreen passwords since back in 2008 when Samuel Moñux released this patch. Unfortunately John was too slow for my needs as I was up against a deadline, so I looked at the faster approach of using the GPU to perform the cracking. Hashcat is the best tool for the job but unfortunately Hashcat didn’t support this hashing algorithm. :-(

After looking through jar source code I found this python script which can generate a Netscreen hash, getting warmer. Here’s a shortened version of the code to show just the function we’re interested in:

import hashlib

# Standard Base64 alphabet; each 16-bit word is encoded with it
b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def makepass(user, password):
    middle = "Administration Tools"
    s = "%s:%s:%s" % (user, middle, password)
    print(s)
    m = hashlib.md5(s.encode()).digest()

    # combine the 16 digest bytes into eight 16-bit words
    narray = []
    for i in range(8):
        n1 = m[2*i]
        n2 = m[2*i+1]
        narray.append((n1 << 8 & 0xff00) | (n2 & 0xff))

    # encode each word as three characters (4 + 6 + 6 bits)
    res = ""
    for i in narray:
        p1 = i >> 12 & 0xf
        p2 = i >> 6 & 0x3f
        p3 = i & 0x3f
        res += b64[p1] + b64[p2] + b64[p3]

    # insert the fixed letters at their fixed offsets
    for c, n in zip("nrcstn", [0, 6, 12, 17, 23, 29]):
        res = res[:n] + c + res[n:]
    return res

After looking through the code it is clear that the hash input is salted with the username and the fixed string Administration Tools, joined with colons (the middle and s assignments at the top of the function).
The first loop then takes the MD5 digest two bytes at a time and combines each pair into a 16-bit value.
The second loop creates 3 characters from each 16-bit value (4 + 6 + 6 bits), looked up in the b64 alphabet.
And finally the last loop scatters the letters n, r, c, s, t & n onto the hash in specific places.
It’s worth noting that the letters nrcstn are actually NeTSCReeN in reverse without the e’s :-)

Using this code it was possible to write some new code to reverse backwards through the steps in order to go from a Netscreen hash back to the raw MD5 hash. Here’s the function for this:

import binascii

# b64 is the same Base64 alphabet string that makepass uses

def reversetomd5(knownhash):
    # strip out nrcstn fixed characters
    clean = ""
    for i in [1,2,3,4,5,7,8,9,10,11,13,14,15,16,18,19,20,21,22,24,25,26,27,28]:
        clean += knownhash[i]

    # create blocks: every three characters decode to one 16-bit value
    block = []
    for i in range(2, 24, 3):
        p1 = b64.index(clean[i-2])
        p2 = b64.index(clean[i-1])
        p3 = b64.index(clean[i])
        block.append(p1 << 12 | p2 << 6 | p3)

    # split each block in half to recover the two digest bytes
    md5hash = bytearray()
    for i in block:
        n1 = i >> 8
        n2 = i & 0xff
        md5hash += bytes([n1, n2])
    return binascii.hexlify(md5hash).decode()

Using this function you are able to give it a Netscreen hash and you’ll get back the raw MD5.

Knownhash of:nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn has MD5Hash of: 078f1d1f09bede18edf49c0f745781dd

Now using the power of GPU cracking and my favourite tool Hashcat it is possible to crack the hash. We need to put the hash in a format that hashcat can understand, so we create a file called netscreen.txt and put the hash in the following format (note the trailing colon after the fixed salt):

[hash]:[user]:Administration Tools:
078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
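
The conversion and file format described above can be applied to a whole config during a password audit. The following is an added example, not code from the original post: it checks each hash's structure (length, the nrcstn letters, the 4-bit first character of each group) before writing a netscreen.txt line. The names netscreen_to_md5, hashcat_lines and the sample config are assumptions made for illustration.

```python
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MARKERS = dict(zip([0, 6, 12, 17, 23, 29], "nrcstn"))  # fixed filler letters
# Config line form shown in the post (straight quotes assumed).
ADMIN_RE = re.compile(r'^set admin user "(?P<user>[^"]+)" password "(?P<hash>[^"]+)"')

def netscreen_to_md5(nshash):
    """Return the MD5 (hex) carried by a Netscreen hash; ValueError if malformed."""
    if len(nshash) != 30:
        raise ValueError("expected 30 characters, got %d" % len(nshash))
    for pos, marker in MARKERS.items():
        if nshash[pos] != marker:
            raise ValueError("marker %r missing at offset %d" % (marker, pos))
    body = [c for i, c in enumerate(nshash) if i not in MARKERS]
    out = bytearray()
    for i in range(0, 24, 3):
        try:
            p1, p2, p3 = (B64.index(c) for c in body[i:i + 3])
        except ValueError:
            raise ValueError("character outside the Base64 alphabet") from None
        if p1 > 0xF:  # first character of a group only carries 4 bits
            raise ValueError("group %d encodes more than 16 bits" % (i // 3))
        out += ((p1 << 12) | (p2 << 6) | p3).to_bytes(2, "big")
    return out.hex()

def hashcat_lines(config_text):
    """Return (line number, netscreen.txt line or 'ERROR: ...') per admin user."""
    results = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ADMIN_RE.match(line.strip())
        if not m:
            continue
        try:
            md5hex = netscreen_to_md5(m.group("hash"))
            entry = "%s:%s:Administration Tools:" % (md5hex, m.group("user"))
        except ValueError as exc:
            entry = "ERROR: %s" % exc
        results.append((lineno, entry))
    return results

# Constructed sample: line 2 is the config line from the post, line 3 is truncated.
SAMPLE = """set hostname fw01
set admin user "admin" password "nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn" privilege "all"
set admin user "ops" password "nAePB0rfAm+Nc4YO3s0JwPHtRX" privilege "all"
"""
if __name__ == "__main__":
    for lineno, entry in hashcat_lines(SAMPLE):
        print("line %d: %s" % (lineno, entry))
```

A hash that fails these checks was probably truncated or mangled when the config was copied, so it is reported rather than silently decoded into a wrong MD5.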

We then use hashcat’s mode 20 which is md5($salt.$pass) to crack the hash:

C:\cudaHashcat64.exe -m 20 netscreen.txt rockyou.txt
cudaHashcat v1.01 starting…
Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 660M, 2048MB, 950Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0020_a0.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx
Generated dictionary stats for rockyou.txt: 139921541 bytes, 14344395 words, 14343300 keyspace

078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools::MySecretPassword

Session.Name…: cudaHashcat
Status………: Cracked
Input.Mode…..: File (rockyou.txt)
Hash.Target….: 078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
Hash.Type……: md5($salt.$pass)
Time.Started…: Fri Jan 10 15:03:24 2014 (5 secs)
Speed.GPU.#1…:  4886.1 kH/s
Recovered……: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress…….: 11109723/14343300 (77.46%)
Rejected…….: 1371/11109723 (0.01%)
HWMon.GPU.#1…:  0% Util, 41c Temp, N/A Fan

Started: Fri Jan 10 15:03:24 2014
Stopped: Fri Jan 10 15:03:32 2014

Bingo, it’s cracked the hash with the password MySecretPassword.

As this algorithm uses more than just a fixed salt to create the hash I’ll speak to Atom (the creator of hashcat) to see if he wants to implement it in a future release, but until then this code should help you in cracking Netscreen passwords.

Update: Atom has added this hash type to oclHashcat as of version 1.20 https://hashcat.net/hashcat/ (Feature request here: https://hashcat.net/trac/ticket/235)

 

This article’s Original Author:

https://www.phillips321.co.uk/2014/01/10/cracking-a-juniper-netscreen-screenos-password-hash/

JunOS Cup 2014 – Tournament Results – J-Net Community

Tuesday, July 15th, 2014

 

via Search – J-Net Community.

Junos Cup Tournament #4 Winners & Overall Standing… – J-Net Community

Wednesday, July 9th, 2014

Tournament #4 of the Junos Cup has ended and we are pleased to announce the winners and top standings. Congratulations to the Tournament 4 first place winners that responded with a correct answer to all eight topologies.

 

With that said we are excited to announce that we have a three way tie for our 1st place Junos Cup champion so we’re not finished just yet! We will hold a “BIG FINAL” tiebreaker with the three participants on Tuesday, the 15th of July at 12 Noon Pacific Time so stay tuned right here where we will be featuring our three finalists over the next 3 days so that you can get to know them and perhaps their secrets to solving all of the challenges!

 

The first person to solve the “BIG FINAL” challenge correctly wins the Junos Cup! Look for the winner announcement on our Twitter and Facebook pages and here in Community Talk.

 

Junos Cup 2014: Total Standings
Top Participants
Name                      Points   Country Flags
David Roy                 51       32
Ernst Oudhof              51       32
Pedro Antunes             51       32
Tobias Heister            50       31
Krasimir Avramski         48       31
Gustaw Jelen              47       31
Harold Ritter             48       30
Damian Thompson           45       29
Moses Nagarajah           45       29
Oleksandr Vystoropskyi    44       28
Marcin Stawicki           41       25
Michail Litvak            36       23
Aaron Surina              35       23
Evgeny Sudin              33       22
Shahaludeen Koya          32       22
Tomasz Fabisiak           31       22
David Lawrence Warren     32       21
Darren O’Connor           28       20
Swapnil R Khatavkar       29       19
Artur Makutunowicz        28       19
Joao Prino                28       18
Chaoqun Xie               25       16
Andrei Cebotareanu        24       16
Chris Laffin              24       16

 

via Junos Cup Tournament #4 Winners & Overall Standing… – J-Net Community.

Junos Cup 2014 – Tournament 1 stats

Monday, June 23rd, 2014

The first tournament of the Junos Cup 2014 – powered by Junosphere – the world’s only commercial virtual lab networking environment – is over and, boy, what a week it was!  We are thrilled at how much interest the worldwide Junos community expressed in the first 8 challenges.  So how do the numbers stack up?

 

Overall interest:

– Total challenge tries: 1,001

– New challenge tries: every 8 minutes

 

Most popular challenges:

1. Honduras (SP) – 190 tries

2. Switzerland (ENT) – 155

3. USA (ENT) – 143

 

Response rate:

1. Greece (Sec) – 68% of tries

2. Bosnia Herzegovina (ENT) – 61%

3. Russia (SP) – 49%

 

Easiest challenges:

1. Greece (Sec) – 68% correct submissions vs. tries

2. Bosnia Herzegovina (ENT) – 51%

3. Switzerland (ENT) – 41%

 

Hardest challenges:

1. South Korea (SP) – 16% correct submissions vs. tries

2. Honduras (SP) – 19%

3. USA (ENT) – 26%

 

via Junos Cup 2014 – Tournament 1 stats – J-Net Community.

Junos Cup Tournament One: Who won each challenge? – J-Net Community

Monday, June 23rd, 2014

As you probably know, Tournament Two already started a few hours ago!

 

Yesterday we announced the big winners of Tournament One, who solved its eight challenges successfully.

 

In addition, there were many other outstanding Junos amateurs who, even without reaching the magic number eight, also succeeded at solving one or more challenges. This post is a recognition to you all: the challenges are difficult and every single solution counts, so congratulations!

via Junos Cup Tournament One: Who won each challenge? – J-Net Community.