Recently I needed to find out information about a Juniper router password which is stored as a hash in the router configuration. The tricky part is while the password hash is technically a MD5 hash it is modified to make it unique and make it harder to crack. Luckily there is a way to crack the hash using JTR (John The Ripper) though it will require that you also have the username associated to the password as the username is used as part of the salt for the hash. Below there is first information on how to crack Juniper hashes which are the same as Netscreen hashes followed by more information about the hash itself.
How To Crack Juniper Password Hashes:
To crack a Juniper device hash you will need the hash itself, the username associated to the hash, and access to John The Ripper. First add the hash or hashes to a text file on the server where JTR is located in the below format.
JTR Juniper Router Hash Text File Format:
Example JTR Juniper Router Hash Text File:
The above hash was created using the netscreen.py file that is packaged with JTR which I will explain how to use below. The username is admin and the password for the hash is QUESTIONDEFENSE. The above line should be added to a text file (in this example it was added to juniperhash.txt) which will then be passed to JTR to audit which is shown below. In this example we are going to use a tiny wordlist that we know includes the password for the above hash.
Example Using JTR To Crack Juniper Router Passwords:
- root@dev:/pentest/passwords/john# ./john --wordlist:jun.lst juniperhash.txt
- Loaded 1 password hash (Netscreen MD5 [NS MD5])
- QUESTIONDEFENSE (admin)
- guesses: 1 time: 0:00:00:00 100.00% (ETA: Tue Aug 30 17:32:59 2011) c/s: 600 trying: QUESTIONDEFENSE
As you can see the password was cracked and provided as QUESTIONDEFENSE which is the correct password associated to the hash. Obviously it won’t be this easy to crack Juniper router passwords however it is possible and with time you should be able to crack them without issue.
Create Juniper Hashes Using netscreen.py:
There is a python script that comes with JTR called netscreen.py. which was created by Samuel Monux (information obtained from JTR mailing list). The script will generate Netscreen and/or Juniper hashes when passed a username and password on the command line. Below is a quick example of what was done to create the example hash used above.
- root@dev:/pentest/passwords/john# python netscreen.py admin QUESTIONDEFENSE
Juniper Password Hash Details, NS MD5, md5ns:
The Juniper password hash is better known as the Netscreen password hash and information can also be located by searching for NS MD5 or md5ns. The following details about the hash were obtained from the JTR mailing list in a post by Samuel Monux who also created the netscreen.py script mentioned above. The hash is a raw MD5 hash with some modifications to make it unique. The hash is also salted with the username as well as a constant of (“:Administration Tools:”). The 128 bits of the MD5 hash in 16 bit chunks split into 4 bits, 6 bits, and 6 bits and then indexed in an array using every character in the following range, A-Za-z0-9+/ all of which is a bit over my head. :) Then the letters ntscrn backwards are inserted into positions through the hash to make it even more unique. They are always inserted at positions 0, 6, 12, 17, 23, and 29 in the hash output.
I am looking at ways to pass these hashes to an application that utilizes GPU’s and once successful I will update this article or write a new article and reference this one.