{"id":1142,"date":"2014-01-10T16:54:47","date_gmt":"2014-01-10T16:54:47","guid":{"rendered":"http:\/\/www.phillips321.co.uk\/?p=1142"},"modified":"2014-04-28T14:41:46","modified_gmt":"2014-04-28T13:41:46","slug":"cracking-a-juniper-netscreen-screenos-password-hash","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2014\/01\/10\/cracking-a-juniper-netscreen-screenos-password-hash\/","title":{"rendered":"Cracking a Juniper Netscreen ScreenOS Password Hash"},"content":{"rendered":"

So the Juniper Netscreen\/SSG ScreenOS password hash is a bit of a hidden mystery. I had in my hand the config of a Netscreen device and I wanted to perform a reverse of the password hashes to see if they were weak.<\/p>\n

In this case here’s the line from the config:<\/p>\n

1
<\/div><\/td>
set admin user "admin" password "nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn" privilege "all"<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

John The ripper has supported Netscreen passwords since back in 2008 when Samuel Mo\u00f1ux released this patch<\/a>. Unfortunately John was too slow for my needs as I was up against a deadline, thus I looked at the faster approach of using the GPU to perform the cracking. Hashcat<\/a> is the best tool for the job but unfortunately Hashcat didn’t support this hashing algorithm. \ud83d\ude41<\/p>\n

After a looking through jar source code I found this python script<\/a> which can generate a Netscreen hash, getting warmer. Here’s a shortened version of the code to show just the function we’re interested in:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<\/div><\/td>
def<\/span> makepass(<\/span>user<\/span>,<\/span> password)<\/span>:
\n    middle =<\/span> "Administration Tools"<\/span>
\n    s =<\/span> "%s:%s:%s"<\/span> % (<\/span>user<\/span>,<\/span> middle,<\/span> password)<\/span>
\n    print<\/span> s
\n    m =<\/span> hashlib.md5<\/span>(<\/span>s)<\/span>.digest<\/span>(<\/span>)<\/span>
\n    narray =<\/span> [<\/span>]<\/span>
\n     
\n    for<\/span> i in<\/span> range<\/span>(<\/span>8<\/span>)<\/span>:
\n        n1 =<\/span> ord<\/span>(<\/span>m[<\/span>2<\/span>*i]<\/span>)<\/span>
\n        n2 =<\/span> ord<\/span>(<\/span>m[<\/span>2<\/span>*i+1<\/span>]<\/span>)<\/span>
\n        narray.append<\/span>(<\/span> (<\/span>n1<<<\/span>8<\/span> & 0xff00<\/span>)<\/span> | (<\/span>n2 & 0xff<\/span>)<\/span> )<\/span>
\n   
\n    res =<\/span> ""<\/span>
\n    for<\/span> i in<\/span> narray:
\n        p1 =<\/span> i >><\/span> 12<\/span> & 0xf<\/span>
\n        p2 =<\/span> i >><\/span> 6<\/span>  & 0x3f<\/span>
\n        p3 =<\/span> i       & 0x3f<\/span>
\n        res +=<\/span> b64[<\/span>p1]<\/span> + b64[<\/span>p2]<\/span> + b64[<\/span>p3]<\/span>
\n   
\n    for<\/span> c,<\/span> n in<\/span>  zip<\/span>(<\/span>"nrcstn"<\/span>,<\/span> [<\/span>0<\/span>,<\/span> 6<\/span>,<\/span> 12<\/span>,<\/span> 17<\/span>,<\/span> 23<\/span>,<\/span> 29<\/span>]<\/span>)<\/span>:
\n        res =<\/span> res[<\/span>:n]<\/span> + c + res[<\/span>n:]<\/span>
\n    return<\/span> res<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

After looking through the code it is clear that there is a fixed salt of Administration Tools<\/em> and a salt of the username(lines 2 and 3).
\nThe code then takes each 2 chars and adds the binaries together(lines 8-11)
\nFrom this it creates 3 characters from the 16bits(lines 14-18)
\nAnd finally is scatters the letters n,r,c,s,t & n onto the hash in specific places (lines 20 and 21)
\nIt’s worth noting that the letters nrcstn is actually N<\/strong>eTSCR<\/strong>eeN<\/strong> in reverse without the e’s \ud83d\ude42<\/p>\n

Using this code it was possible to write some new code to reverse backwards through the steps in order to go from a Netscreen hash back to the raw MD5 hash. Here’s the function for this:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<\/div><\/td>
def<\/span> reversetomd5(<\/span>knownhash)<\/span>:
\n    # strip out nrcstn fixed characters<\/span>
\n    clean=<\/span>""<\/span>
\n    for<\/span> i in<\/span> [<\/span>1<\/span>,<\/span>2<\/span>,<\/span>3<\/span>,<\/span>4<\/span>,<\/span>5<\/span>,<\/span>7<\/span>,<\/span>8<\/span>,<\/span>9<\/span>,<\/span>10<\/span>,<\/span>11<\/span>,<\/span>13<\/span>,<\/span>14<\/span>,<\/span>15<\/span>,<\/span>16<\/span>,<\/span>18<\/span>,<\/span>19<\/span>,<\/span>20<\/span>,<\/span>21<\/span>,<\/span>22<\/span>,<\/span>24<\/span>,<\/span>25<\/span>,<\/span>26<\/span>,<\/span>27<\/span>,<\/span>28<\/span>]<\/span>:
\n        clean+=<\/span>knownhash[<\/span>i]<\/span>
\n   
\n    # create blocks<\/span>
\n    block=<\/span>[<\/span>]<\/span>
\n    for<\/span> i in<\/span> xrange<\/span>(<\/span>2<\/span>,<\/span>24<\/span>,<\/span>3<\/span>)<\/span>:
\n        p1 =<\/span> b64.index<\/span>(<\/span>clean[<\/span>i-2<\/span>]<\/span>)<\/span>
\n        p2 =<\/span> b64.index<\/span>(<\/span>clean[<\/span>i-1<\/span>]<\/span>)<\/span>
\n        p3 =<\/span> b64.index<\/span>(<\/span>clean[<\/span>i]<\/span>)<\/span>
\n        block.append<\/span>(<\/span>p1 <<<\/span> 12<\/span> | p2 <<<\/span> 6<\/span> | p3)<\/span>
\n   
\n    # split block into half and find out character for each decimal<\/span>
\n    md5hash=<\/span>""<\/span>
\n    for<\/span> i in<\/span> block:
\n        n1 =<\/span> i >><\/span> 8<\/span>
\n        n2 =<\/span> i & 0xff<\/span>
\n        md5hash+=<\/span>chr<\/span>(<\/span>n1)<\/span>+chr<\/span>(<\/span>n2)<\/span>
\n    return<\/span> binascii<\/span>.hexlify<\/span>(<\/span>md5hash)<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Using this function you are able to give it a Netscreen hash and you’ll get back the raw MD5.<\/p>\n

1
<\/div><\/td>
Knownhash of:nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn has MD5Hash of: 078f1d1f09bede18edf49c0f745781dd<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now using the power of GPU cracking and my favourite tool Hashcat it is possible to crack the hash. We need to put the hash in a format that hashcat can understand so we create a file called netscreen.txt and put the hash in the following format(note the training colon after the fixed salt):<\/p>\n

1
2
<\/div><\/td>
[hash]:[user]:Administration Tools:
\n078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

We then use hashcat’s mode 20 which is md5($salt.$pass) to crack the hash:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<\/div><\/td>
C:\\cudaHashcat64.exe -m 20 netscreen.txt rockyou.txt
\ncudaHashcat v1.01 starting...
\nHashes: 1 total, 1 unique salts, 1 unique digests
\nBitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
\nWatchdog: Temperature abort trigger set to 90c
\nWatchdog: Temperature retain trigger set to 80c
\nDevice #1: GeForce GTX 660M, 2048MB, 950Mhz, 2MCU
\nDevice #1: Kernel .\/kernels\/4318\/m0020_a0.sm_30.64.ptx
\nDevice #1: Kernel .\/kernels\/4318\/bzero.64.ptx
\n
\nGenerated dictionary stats for rockyou.txt: 139921541 bytes, 14344395 words, 14343300 keyspace
\n
\n078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools::MySecretPassword
\n
\nSession.Name...: cudaHashcat
\nStatus.........: Cracked
\nInput.Mode.....: File (rockyou.txt)
\nHash.Target....: 078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
\nHash.Type......: md5($salt.$pass)
\nTime.Started...: Fri Jan 10 15:03:24 2014 (5 secs)
\nSpeed.GPU.#1...:  4886.1 kH\/s
\nRecovered......: 1\/1 (100.00%) Digests, 1\/1 (100.00%) Salts
\nProgress.......: 11109723\/14343300 (77.46%)
\nRejected.......: 1371\/11109723 (0.01%)
\nHWMon.GPU.#1...:  0% Util, 41c Temp, N\/A Fan
\n
\nStarted: Fri Jan 10 15:03:24 2014
\nStopped: Fri Jan 10 15:03:32 2014<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Bingo it’s cracked the hash with the password MySecretPassword<\/p>\n

As this algorithm uses more than just a fixed salt to create the hash I’ll speak to Atom (the creator of hashcat)<\/a> to see if he want’s to implement it into a future release, but until then this code should help you in cracking netscreen passwords.<\/p>\n

Update:<\/strong> Atom has added this hash type to oclHashcat as of version 1.20 https:\/\/hashcat.net\/hashcat\/<\/a> (Feature request here: https:\/\/hashcat.net\/trac\/ticket\/235<\/a>)<\/p>\n","protected":false},"excerpt":{"rendered":"

So the Juniper Netscreen\/SSG ScreenOS password hash is a bit of a hidden mystery. I had in my hand the config of a Netscreen device and I wanted to perform a reverse of the password hashes to see if they were weak. In this case here’s the line from the config: 1set admin user "admin" […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[186,159,408,161,406,205,405,111,407],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1142"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=1142"}],"version-history":[{"count":11,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1142\/revisions"}],"predecessor-version":[{"id":1190,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1142\/revisions\/1190"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=1142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=1142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=1142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}