RE: Cracking a Netscreen password

From: Steve Goldsby (ICS) (sgoldsby@networkarmor.com)
Date: Sat Sep 13 2003 - 11:50:39 EDT


You have to be able to restore that hashed password from a backup of the
config file, so it shouldn't be dynamic once loaded. E.g. no random
permutations.

-----Original Message-----
From: Chris Ess [mailto:azarin@tokimi.net]
Sent: Friday, September 12, 2003 11:57 PM
To: Ranjeet Shetye
Cc: pen-test@securityfocus.com
Subject: RE: Cracking a Netscreen password

> After removing the always-CAPS letters, you get:
>
> [A-Za-z0-9/+]{2,2} -> the whole expression repeated a total of 8 times.
> = [A-Za-z0-9/+]{16,16}
> = 8 bits * 16
> = 128 bit hash
> = MD5 ?

I am no expert. That aside:

The string appears to be base64 encoded. However, from the Digest::MD5
man page: "A base64 digest will be 22 characters long."

Even if you include the always-caps letters, you have 24 characters.

I've been meaning to go through the examples given by everyone else but
haven't had the time to date. Maybe tomorrow...

Since this is more-than-likely a hashed password, Netscreen can add on any
sort of random permutations they feel like because all they need to do is
ensure that the end result of their function matches what they have stored
in memory for the password. (For a matching example, unix MD5 passwords
are not just hashed with MD5 but also use additional transforms.)

Since the always-capital letters change themselves when the username or
password are changed, I think that these should not be excluded during an
analysis of the algorithm since they could be indicative of something else.

I suppose that I should take a look at the MD5 algorithm to see how it
generates the hash because that could be useful.

Sincerely,

Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
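
The length arithmetic behind the 16, 22 and 24 character counts discussed in this thread, as an added example that is not part of either poster's message. It covers only generic base64 and digest sizes and assumes nothing about how NetScreen derives its stored string; the function names and the sample input are constructed for illustration.

```python
import base64
import hashlib
import math

B64_BITS_PER_CHAR = 6  # each base64 character carries 6 bits, not 8

# Raw digest sizes in bytes for two common hash functions.
DIGEST_BYTES = {"MD5": 16, "SHA-1": 20}


def b64_length(nbytes, padded=False):
    """Characters needed to base64-encode nbytes of raw data."""
    if padded:
        # Padded output is always a multiple of 4 and ends in '=' as needed.
        return 4 * math.ceil(nbytes / 3)
    return math.ceil(nbytes * 8 / B64_BITS_PER_CHAR)


def max_bits(nchars):
    """Upper bound on the bits that nchars base64 characters can carry."""
    return nchars * B64_BITS_PER_CHAR


def digests_matching(nchars):
    """Digests whose base64 form, padded or unpadded, is nchars long."""
    return sorted(
        name for name, size in DIGEST_BYTES.items()
        if nchars in (b64_length(size), b64_length(size, padded=True))
    )


def md5_b64(data, padded=False):
    """Base64 MD5 digest; the unpadded form is the 22-character one
    that the Digest::MD5 man page describes."""
    enc = base64.b64encode(hashlib.md5(data).digest()).decode("ascii")
    return enc if padded else enc.rstrip("=")


if __name__ == "__main__":
    sample = b"constructed-sample-input"  # constructed, not from the thread
    print(md5_b64(sample), len(md5_b64(sample)))
    for n in (16, 22, 24):  # the three lengths mentioned in the thread
        print(n, "chars:", max_bits(n), "bits max;",
              "same length as:", digests_matching(n) or "none listed")
```

A padded base64 MD5 digest is 24 characters long only because it ends in "==", and those two characters fall outside the [A-Za-z0-9/+] set quoted above.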



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT