Juniper Encrypted Password Crack 1



KB ID 0000940


Problem

Decrypt Type 7 Cisco Passwords

The Internet is full of sites that have something like the tool below, tap your ‘encrypted’ password in and it will reveal the Cisco password.


As you can see I’ve specifically written ‘obfuscated’ above, because the password isn’t actually encrypted at all. All that happens is that the Vigenere algorithm is used to obfuscate the password. While tools like the one above are all well and good, your Cisco router will do exactly the same for you. To demonstrate, paste the following into the tool above:

107D1C09560521580F16693F14082026351C1512

Hopefully you will get the password Sup3rS3cr#tP@ssword.

Your router can also convert that to clear text for you;

So what’s the point of these type 7 passwords? Well, the only real benefit is that if someone is looking over your shoulder while you are looking at the config, they can’t see the actual passwords.

The passwords in my config are in clear text? That’s because there are three levels of password storage: 0 (not encrypted), 7 (weakly encrypted) and 5 (strongly encrypted). If you want to convert your config to display them as type 7 you need to enter the service password-encryption command;

If Type 7 passwords are so weak, how do I use Type 5 passwords? When creating accounts use the secret command like so;

Displays in the config as;

username petelong secret 5 $1$VkQd$Vma3sR7B1LL.v5lgy1NYc/
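To show what ‘obfuscated’ means in practice, here is an added Python example (not code from the original article) that decodes the type 7 string above with the well-known fixed IOS key, shows that the encode direction is the identical XOR operation, and audits a constructed config fragment for type 0 and type 7 credentials while leaving secret 5 lines alone. The function names and the audit helper are this example’s own, not anything Cisco ships.

```python
import re

# Well-known fixed key that IOS uses for type 7 obfuscation (a published constant; the
# article's sample only exercises the first 40 characters of it)
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(enc: str) -> str:
    """Two decimal digits give the key offset; each following hex byte is XORed with the key."""
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("type 7 string must have an even length of at least 4")
    seed = int(enc[:2], 10)
    if seed > 15:
        raise ValueError("type 7 seed is 00..15")
    data = bytes.fromhex(enc[2:])
    clear = bytes(b ^ ord(XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data))
    return clear.decode("ascii")

def encode_type7(clear: str, seed: int = 0) -> str:
    """The inverse: XOR is symmetric, so 'encrypting' is the very same operation."""
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed is 00..15")
    body = bytes(ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]) for i, c in enumerate(clear))
    return "%02d%s" % (seed, body.hex().upper())

# Matches "... password 7 <hex>" and "... password 0 <clear>" lines; "secret 5" lines do not match
_PW_LINE = re.compile(r"^.*\bpassword\s+(?P<type>[07])\s+(?P<value>\S+)")

def audit_config(config: str):
    """Return (line_no, type, recovered clear text) for each reversible credential in a config."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        m = _PW_LINE.match(line.strip())
        if m:
            t, value = m.group("type"), m.group("value")
            findings.append((n, int(t), decode_type7(value) if t == "7" else value))
    return findings

# Constructed sample config; the type 7 string and the secret 5 line are the article's own
SAMPLE_CONFIG = """\
username petelong password 7 107D1C09560521580F16693F14082026351C1512
username petelong secret 5 $1$VkQd$Vma3sR7B1LL.v5lgy1NYc/
enable password 0 ClearText1
"""

if __name__ == "__main__":
    for n, t, clear in audit_config(SAMPLE_CONFIG):
        print("line %d: type %d credential is recoverable: %s" % (n, t, clear))
```

Running the audit over a real config is a quick way to find every credential that should be migrated to secret (type 5 or better).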

Decrypting Type 5 Cisco Passwords

Decrypting a Type 5 Cisco password is an entirely different ball game. They are considered ‘secure’ because they are ‘salted’ (some random text is added to the password before the MD5 hash is created); however, that random salt is shown in the config.

Well, armed with the salt and the hash, we can use exactly the same method that Cisco uses to create the encrypted password and brute-force the password. This might sound like a difficult piece of hacking ninja skill, but we simply use openssl on a Linux box (here I’m using CentOS 6.5); all you need is a wordlist.txt file (search the Internet).

Feed openssl the salt and a piece of the hash (see the example above), and it will run through (grep) the wordlist until it finds a match, where it spits out the decrypted password and the original hash like so;

The decrypted password is SECRETPASSWORD

Note: The limitation here is that the password has to be in the wordlist.txt file, but if you are adept at searching the Internet there are some impressive wordlist files out there; just make sure you use one that has full line breaks. Also remember, the longer the wordlist, the longer it takes.

Related Articles, References, Credits, or External Links

NA

So the Juniper Netscreen/SSG ScreenOS password hash is a bit of a hidden mystery. I had in my hand the config of a Netscreen device and I wanted to perform a reverse of the password hashes to see if they were weak.

In this case here’s the line from the config:

set admin user 'admin' password 'nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn' privilege 'all'

John the Ripper has supported Netscreen passwords since back in 2008, when Samuel Moñux released this patch. Unfortunately John was too slow for my needs as I was up against a deadline, so I looked at the faster approach of using the GPU to perform the cracking. Hashcat is the best tool for the job, but unfortunately Hashcat didn’t support this hashing algorithm. 🙁

After looking through the jar source code I found this Python script, which can generate a Netscreen hash; getting warmer. Here’s a shortened version of the code to show just the function we’re interested in:

import hashlib

# Standard base64 alphabet; the ScreenOS encoding uses it to turn each 16-bit value into three characters
b64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

def makepass(user, password):
    middle = 'Administration Tools'
    s = '%s:%s:%s' % (user, middle, password)
    m = hashlib.md5(s.encode()).digest()
    narray = []
    for i in range(8):
        n1 = m[2*i]          # indexing bytes in Python 3 already gives an int
        n2 = m[2*i+1]
        narray.append((n1 << 8 & 0xff00) | (n2 & 0xff))
    res = ''
    for i in narray:
        p1 = i >> 12 & 0xf   # top 4 bits
        p2 = i >> 6 & 0x3f   # middle 6 bits
        p3 = i & 0x3f        # low 6 bits
        res += b64[p1] + b64[p2] + b64[p3]
    for c, n in zip('nrcstn', [0, 6, 12, 17, 23, 29]):
        res = res[:n] + c + res[n:]
    return res

Looking through the code, the string that gets hashed is the username, the fixed string Administration Tools and the password joined with colons, so there is a fixed salt of Administration Tools and a second salt of the username.
The code then takes the 16-byte MD5 digest two bytes at a time and joins each pair into one 16-bit value (the narray loop).
From each 16-bit value it creates 3 characters, splitting the bits 4/6/6 and encoding each part with the base64 alphabet (the res loop).
And finally it scatters the letters n, r, c, s, t and n onto the hash at the fixed positions 0, 6, 12, 17, 23 and 29 (the last loop).
It’s worth noting that the letters nrcstn are actually NeTSCReeN in reverse without the e’s 🙂

Using this code it was possible to write some new code to reverse backwards through the steps in order to go from a Netscreen hash back to the raw MD5 hash. Here’s the function for this:

import binascii

b64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

def reversetomd5(knownhash):
    # strip out the fixed n r c s t n characters (positions 0, 6, 12, 17, 23, 29)
    clean = ''
    for i in [1,2,3,4,5,7,8,9,10,11,13,14,15,16,18,19,20,21,22,24,25,26,27,28]:
        clean += knownhash[i]
    # rebuild the eight 16-bit blocks from each group of three base64 characters
    block = []
    for i in range(2, 24, 3):
        p1 = b64.index(clean[i-2])
        p2 = b64.index(clean[i-1])
        p3 = b64.index(clean[i])
        block.append(p1 << 12 | p2 << 6 | p3)
    # split each block into its two bytes to recover the raw MD5 digest
    md5hash = b''
    for i in block:
        n1 = i >> 8
        n2 = i & 0xff
        md5hash += bytes([n1, n2])
    return binascii.hexlify(md5hash).decode()

Using this function you are able to give it a Netscreen hash and you’ll get back the raw MD5.

Known hash nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn has MD5 hash 078f1d1f09bede18edf49c0f745781dd

Now, using the power of GPU cracking and my favourite tool Hashcat, it is possible to crack the hash. We need to put the hash in a format that hashcat can understand, so we create a file called netscreen.txt and put the hash in the following format (note the trailing colon after the fixed salt):

[hash]:[user]:Administration Tools:
078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:

We then use hashcat’s mode 20 which is md5($salt.$pass) to crack the hash:

C:cudaHashcat64.exe -m 20 netscreen.txt rockyou.txt
cudaHashcat v1.01 starting...
Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 660M, 2048MB, 950Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0020_a0.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx
Generated dictionary stats for rockyou.txt: 139921541 bytes, 14344395 words, 14343300 keyspace
078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools::MySecretPassword
Session.Name...: cudaHashcat
Status.........: Cracked
Input.Mode.....: File (rockyou.txt)
Hash.Target....: 078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
Hash.Type......: md5($salt.$pass)
Time.Started...: Fri Jan 10 15:03:24 2014 (5 secs)
Speed.GPU.#1...: 4886.1 kH/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 11109723/14343300 (77.46%)
Rejected.......: 1371/11109723 (0.01%)
HWMon.GPU.#1...: 0% Util, 41c Temp, N/A Fan
Started: Fri Jan 10 15:03:24 2014
Stopped: Fri Jan 10 15:03:32 2014

Bingo, it’s cracked the hash with the password MySecretPassword.

As this algorithm uses more than just a fixed salt to create the hash, I’ll speak to Atom (the creator of hashcat) to see if he wants to implement it in a future release, but until then this code should help you in cracking Netscreen passwords.

Update: Atom has added this hash type to oclHashcat as of version 1.20 https://hashcat.net/hashcat/ (Feature request here: https://hashcat.net/trac/ticket/235)