RE: Cracking a Netscreen password

From: John Petropoulos (jpetropoulos@jetnet.ca)
Date: Thu Sep 11 2003 - 10:54:55 EDT


Very interesting...
Anyone notice that the second, fifth, ninth, twelfth, sixteenth,
eighteenth, twentieth, twenty-third letter and twenty-seventh are always
capital... Here are some L\P's.

admin\password
set admin name "admin"
set admin password nMjFM0rdC9iOc+xIFsGEm3LtAeGZhn
John\password
set admin name "john"
set admin password nHEtLFr5EnYBcD6IMsHJT3JtlXNb1n
Jack\password
set admin name "jack"
set admin password nED6IvrHKazIc9ZApsEJkrPtjXP9yn
Frank\password
set admin name "frank"
set admin password nE8aAXr/DA+IcULCJszP9mFtT1AK9n
Aaa\aaa
set admin name "aaa"
set admin password nJDNEkrVIc7HcdTCPs3J4wCt04L7en
Bbb\bbb
set admin name "bbb"
set admin password nNZxAgrwFrYBcXGC7s2DC+Jt60Bydn
Ccc\ccc
set admin name "ccc"
set admin password nFv0OCrMGaUCcdoFIsEAUOKt/LLO2n
Ddd\ddd
set admin name "ddd"
set admin password nCuvPBrvCcTEctoHKs4OHTOttvBqxn

===================================================
012345678901234567890123456789

nMjFM0rdC9iOc+xIFsGEm3LtAeGZhn
nHEtLFr5EnYBcD6IMsHJT3JtlXNb1n
nED6IvrHKazIc9ZApsEJkrPtjXP9yn
nE8aAXr/DA+IcULCJszP9mFtT1AK9n
nJDNEkrVIc7HcdTCPs3J4wCt04L7en
nNZxAgrwFrYBcXGC7s2DC+Jt60Bydn
nFv0OCrMGaUCcdoFIsEAUOKt/LLO2n
nCuvPBrvCcTEctoHKs4OHTOttvBqxn
.^..^...^..^...^...^..^...^...
n.....r.....c....s.....t.....n

===================================================

-----Original Message-----
From: Ranjeet Shetye [mailto:ranjeet.shetye2@zultys.com]
Sent: September 10, 2003 5:31 PM
To: Mark Evans
Cc: 'Ing. Christian Moldes (AdvanceTeam S.R.L.)'; pen-test SecurityFocus.com
Subject: RE: Cracking a Netscreen password

On Tue, 2003-09-09 at 18:06, Mark Evans wrote:
> > From: Ing. Christian Moldes (AdvanceTeam S.R.L.)
> > Subject: RE: Cracking a Netscreen password
> >
> >
> >
> > Look at this
> >
> > nKVUM2rwMUzPcrkG5sWIHdCtqkAibn n.....r.....c....s.....t.....n
> >
> > It's NetScreen without some letters (from right to left)
>
> coincidence?
>
> set admin name qqqqqqqq
>
> get conf:
>
> set admin password nB4pNNriDXXFc5eEms5BCVEtjzIp6n

Trivia, but I still felt like posting it:

Removing the reversed-'netscreen'-without-the-'e's i.e. the
"n.....r.....c....s.....t.....n", we end up with a 25 octet string, which
means 128 bits, which **strongly** suggests an MD5 hash.

Of course, I am not a netscreen user, so for all I know, their user manual
already tells you that they use MD5 hash :) but I doubt that, seeing their
juvenile "ubertrick" to mask the length of the hash.

-- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or approved
by Zultys.
---------------------------------------------------------------------------
FREE Trial!
New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL 
and PROFESSIONAL TL software. Fast, reliable vulnerability assessment 
technology powered by the award-winning FoundScan engine. Try it free for
21 days at: http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
----------------------------------------------------------------------------
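
Added example, not part of the original messages: a Python check of the pattern discussed in this thread, run against the eight values John posted. It assumes the variable characters use the standard base64 alphabet, and the function names are illustrative. The always-uppercase columns turn out to be the first character of each 3-character group, always in A to P, so each group fits in 16 bits and the 8 groups hold 128 bits.

```python
# Structural check of the "set admin password" values quoted in the thread.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # assumed alphabet
FIXED = {0: "n", 6: "r", 12: "c", 17: "s", 23: "t", 29: "n"}  # from the mask line in the post

SAMPLES = [  # the eight values posted in the message above
    "nMjFM0rdC9iOc+xIFsGEm3LtAeGZhn", "nHEtLFr5EnYBcD6IMsHJT3JtlXNb1n",
    "nED6IvrHKazIc9ZApsEJkrPtjXP9yn", "nE8aAXr/DA+IcULCJszP9mFtT1AK9n",
    "nJDNEkrVIc7HcdTCPs3J4wCt04L7en", "nNZxAgrwFrYBcXGC7s2DC+Jt60Bydn",
    "nFv0OCrMGaUCcdoFIsEAUOKt/LLO2n", "nCuvPBrvCcTEctoHKs4OHTOttvBqxn",
]

def payload(value):
    """Return the 24 variable characters, or None if the fixed letters are absent."""
    if len(value) != 30 or any(value[i] != c for i, c in FIXED.items()):
        return None
    body = "".join(ch for i, ch in enumerate(value) if i not in FIXED)
    return body if all(ch in B64 for ch in body) else None

def always_upper(values):
    """0-based offsets that hold an uppercase letter in every sample."""
    return [i for i in range(30) if all(v[i].isupper() for v in values)]

def group_values(value):
    """Decode each 3-character group of the payload as one 18-bit integer."""
    body = payload(value)
    if body is None:
        return None
    out = []
    for g in range(0, 24, 3):
        a, b, c = (B64.index(ch) for ch in body[g:g + 3])
        out.append((a << 12) | (b << 6) | c)
    return out

def looks_like_netscreen_hash(value):
    """True if the fixed letters are present and every group fits in 16 bits."""
    groups = group_values(value)
    return groups is not None and all(n < (1 << 16) for n in groups)

if __name__ == "__main__":
    print("always uppercase at:", always_upper(SAMPLES))
    print("all samples match:", all(looks_like_netscreen_hash(s) for s in SAMPLES))
```

A check like `looks_like_netscreen_hash` can be used to flag these values when auditing configuration backups for exposed credentials.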


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT