• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4228
  • Last Modified:

Viewing Pre-Shared Keys on a Netscreen Firewall

Anybody know if this is possible?  As far as I know, it's not, but I thought I'd ask, just to be sure.  (I work for an organization that does not have the pre-shared keys  - got lost somehow)
0
networkengineer2004
Asked:
networkengineer2004
  • 2
1 Solution
 
Lieven EmbrechtsSenior IT ConsultantCommented:
what is stored in the config is an md5-hash, basically the result of a calculation.
the password routine wil do the same calculation and compare the resulting hashes.
so the actual password is not even stored.

it is possible to use a brute-force md5 hash cracking-tool (like MDcrack) but such a tool has to try every combination until it finds the same resulting hash. depending on the length of the password this will take a very long time.

so i think it is easier to overwrite the config file.  if you have physical access to the netscreen with a serial cable you an always login with username netscreen and password equal to the serial written on the box.

Just for fun: the netscreen md5-hash is not a standard md5 hash, it hash extra letters woven in it: if you read it from right to left you will read the letters from 'netscreen'.
so even if you decide to use a cracking tool you will have to change and recompile it to extract those extra 'netscreen' letters.

0
 
deimarkCommented:
Agree with above. Sadly no way to get the passowrd from the config

hth
0
 
networkengineer2004Author Commented:
To Lieven:

Note:  this is not about the password, it's about the pre-shared keys on VPN connections.  I can login to the box, but I don't know the pre-shared keys for most of the VPNs and Mgmt strongly wants to avoid the embarassment of going to the remote companies and asking for the VPN pre-shared keys.  So, that's the last and only desparate option.  Off the table for now.

So, I use a cracking tool.  Are you saying that after a while I get, say, for example, 123456netscreen as a pre-shared key once the tool is done?
0
 
Lieven EmbrechtsSenior IT ConsultantCommented:
more like 1n2e3t4s5c6r7e8e9n90, the effort will be huge, not only do you need to create a modified tool, in worst case it will have to calculate for weeks/months/years trying all combinations until it finds the correct hash.

if you use remote vpn software, you may have an .spd-file that you use to load the vpn settings on the vpn client.  you can open this .spd-file with a texteditor like notepad and search for the parameter UFQDN.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now