Monday, June 13, 2011

Juniper $9$ the equivalent of Cisco type 7

Some time ago, during a configuration review of a Juniper JUNOS device, I noticed some sort of hash format starting with $9$. Wondering what format was being used, I searched on Google and found a website that was able to get the password instantly. This means that the password is stored in a reversible format and is not a real hash, but some sort of obfuscation. This is similar to the Cisco type 7 password obfuscation, which uses the Vigenère algorithm. While you can find many tools to decrypt Cisco type 7 passwords, there are no offline tools you could use for Juniper $9$. After some more searches I found a convenient Perl library named Crypt-Juniper, which allows you to decrypt $9$ passwords. While I am not an experienced Perl coder, I wrote the following proof of concept within 5 minutes:

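#!/usr/bin/perl

use strict;
use warnings;

# Point this at the unpacked Crypt-Juniper distribution
use lib '/some/path/Crypt-Juniper-0.02/lib/';
use Crypt::Juniper;

# The $9$ string is passed as the first command-line argument
my $hash = $ARGV[0];
my $secret = juniper_decrypt($hash);

print "secret: $secret \n";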

Using the script is straightforward:

$ perl juniper-decrypt.pl \$9\$U-iqf36A1cSTzRSreXxDik.Tzn/CuBI
secret: ju&iper123

The current 2.0 beta version of Nipper does not warn you about the $9$ format at all. This issue was reported to Titania and the upcoming release of Nipper will report use of the $9$ format. Of course the remediation is easy: use MD5-based hashes ($1$ format) on Juniper JUNOS where possible.
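The check described above can also be run by hand during a configuration review. The following Python sketch is an added example, not code from Nipper or from the original post: it lists every quoted secret in a JUNOS configuration, marks $9$ values as reversible, and redacts the values in its report. The function names and the sample configuration are assumptions made for the illustration.

```python
import re

# Quoted JUNOS secret with a "$<id>$" prefix, e.g. "$9$..." or "$1$...".
SECRET_RE = re.compile(r'"\$(\d+)\$([^"]*)"')

# Classification follows the post: $9$ is reversible obfuscation,
# $1$ is an MD5-based one-way hash.
FORMATS = {"9": "reversible", "1": "hashed"}


def audit_config(text):
    """Return one finding per secret: (line_no, format, verdict, statement)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_RE.finditer(line):
            fmt = match.group(1)
            verdict = FORMATS.get(fmt, "unknown")
            # Redact the value so the report itself does not leak the secret.
            statement = line[:match.start()].strip() + ' "$%s$<redacted>"' % fmt
            findings.append((line_no, "$%s$" % fmt, verdict, statement))
    return findings


def reversible_findings(text):
    """Only the findings an auditor must flag (the $9$ format)."""
    return [f for f in audit_config(text) if f[2] == "reversible"]


# Constructed sample config. The $9$ string is the example from the post;
# the $1$ value, addresses and surrounding statements are illustrative.
SAMPLE_CONFIG = '''\
system {
    root-authentication {
        encrypted-password "$1$CONSTRUC$TEDexampleHASHvalue000"; ## SECRET-DATA
    }
    radius-server {
        192.0.2.10 secret "$9$U-iqf36A1cSTzRSreXxDik.Tzn/CuBI"; ## SECRET-DATA
    }
}
set system tacplus-server 192.0.2.20 secret "$9$U-iqf36A1cSTzRSreXxDik.Tzn/CuBI"
'''

if __name__ == "__main__":
    for line_no, fmt, verdict, statement in audit_config(SAMPLE_CONFIG):
        print("line %d: %-4s %-10s %s" % (line_no, fmt, verdict, statement))
```

Any prefix other than $1$ or $9$ is reported as "unknown" rather than silently accepted, so it gets a manual look.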

2 comments:

  1. Yes, but the password is not stored in a reversible encryption format. You can use John the Ripper with the jumbo patch to brute force. See the following blog for more details:
    http://www.question-defense.com/2011/08/30/crack-juniper-router-passwords-juniper-password-hash-details
