RE: Cracking a Netscreen password

From: Chris Ess (azarin@tokimi.net)
Date: Sat Sep 13 2003 - 00:56:37 EDT


> After removing the always-CAPS letters, you get:
>
> [A-Za-z0-9/+]{2,2} -> the whole expression repeated a total of 8 times.
> = [A-Za-z0-9/+]{16,16}
> = 8 bits * 16
> = 128 bit hash
> = MD5 ?

I am no expert. That aside:

The string appears to be base64 encoded. However, from the Digest::MD5
man page: "A base64 digest will be 22 characters long."

Even if you include the always-caps letters, you have 24 characters.

I've been meaning to go through the examples given by everyone else but
haven't had the time to date. Maybe tomorrow...

Since this is more than likely a hashed password, Netscreen can add on any
sort of random permutations they feel like because all they need to do is
ensure that the end result of their function matches what they have stored
in memory for the password. (For a matching example, unix MD5 passwords
are not just hashed with MD5 but also use additional transforms.)

Since the always-capital letters change themselves when the username or
password is changed, I think that these should not be excluded during an
analysis of the algorithm since they could be indicative of something
else.

I suppose that I should take a look at the MD5 algorithm to see how it
generates the hash because that could be useful.

Sincerely,

Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
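
Added example, not part of the original message: the base64 length arithmetic discussed above, worked through in Python so the 16, 22 and 24 character counts can be checked against real digest sizes. The function names and the sample input are constructed for illustration.

```python
import base64
import hashlib

def b64_lengths(n_bytes):
    """Return (unpadded, padded) base64 lengths for n_bytes of raw data."""
    unpadded = (n_bytes * 8 + 5) // 6      # ceil(bits / 6): 6 bits per character
    padded = 4 * ((n_bytes + 2) // 3)      # output is padded to a multiple of 4
    return unpadded, padded

def max_bytes(n_chars):
    """Largest whole number of bytes that n_chars base64 characters can carry."""
    return (n_chars * 6) // 8

def candidate_digests(n_chars, names=("md5", "sha1", "sha256")):
    """Digests whose base64 form (padded or unpadded) is exactly n_chars long."""
    return [n for n in names
            if n_chars in b64_lengths(hashlib.new(n).digest_size)]

# Constructed sample input, only used to show real encoder output lengths.
SAMPLE = b"constructed-sample-input"
md5_padded = base64.b64encode(hashlib.md5(SAMPLE).digest()).decode()
md5_unpadded = md5_padded.rstrip("=")

if __name__ == "__main__":
    # 16 base64 characters hold 96 bits (12 bytes), not 128.
    print("16 chars carry", max_bytes(16) * 8, "bits")
    # A 128-bit digest needs 22 characters unpadded, 24 with '==' padding.
    print("MD5 lengths (unpadded, padded):", b64_lengths(16))
    print("encoder output:", len(md5_unpadded), len(md5_padded), md5_padded[-2:])
    # 24 characters with no '=' padding would carry 18 bytes (144 bits).
    print("24 unpadded chars carry", max_bytes(24), "bytes")
    for n in (16, 22, 24):
        print(n, "chars ->", candidate_digests(n) or "no plain digest match")
```
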




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT