WatchGuard firewall appliances can manage policies per user. Several mechanisms can be used to authenticate users (Active Directory, LDAP, RADIUS, ...), including a local database called the “Firebox database” (Firebox-DB). Starting from the XML configuration file of the appliance (which includes the Firebox-DB accounts), I recently needed to evaluate the strength of the passwords chosen by a customer. Unfortunately, the Firebox passwords appeared to be encrypted or hashed, and I couldn't find any information about the algorithm used.
Sample hash
Below is an excerpt of the XML configuration file, showing the definition of the user “john”. The password was set to “readwrite”, a deliberately simple choice for testing purposes.

    <account>
      <id>john</id>
      <password>628427e87df42adc7e75d2dd5c14b170</password>
      <description/>
      <idle-timeout>1800</idle-timeout>
      <session-timeout>28800</session-timeout>
      [...SNIP...]
    </account>
The password protection algorithm
To identify the protection algorithm, I finally extracted the wgagent binary from the WatchGuard filesystem and started to reverse engineer it. The hashing function was quickly located and turned out to be quite simple:

    loc_8059031:
        mov     eax, [ebp+var_C]
        mov     [esp+8], eax
        mov     eax, [ebp+arg_0]
        mov     [esp+4], eax
        lea     eax, [ebp+var_10E]
        mov     [esp], eax
        call    mysub_8058F91_to_utf16
        shl     [ebp+var_C], 1
        mov     eax, [ebp+var_C]
        mov     [ebp+eax*2+var_10E], 0
        mov     edx, [ebp+var_C]
        lea     eax, [ebp+var_10E]
        mov     ecx, [ebp+arg_4]
        mov     [esp+8], ecx
        mov     [esp+4], edx
        mov     [esp], eax
        call    _MD4
        add     esp, 134h
        pop     ebx
        pop     ebp
        retn

The function simply converts the password to UTF-16 (for an ASCII password this means inserting a null byte after each character), doubles the length (the shl ..., 1 on var_C, which is then passed as the input length in edx), and hands the resulting buffer to the MD4() digest function. No salt is involved.
Quick & dirty reproduction
(Monkey see monkey do…)
    $ echo -n 'readwrite' | \
      perl -e '$str=<STDIN>; for($i=0;$i<length($str);$i++) { \
        print substr($str,$i,1) . "\x00"; \
      }' | openssl dgst -md4
    (stdin)= 628427e87df42adc7e75d2dd5c14b170
Now using oclHashcat
So far so good, we know the algorithm. The remaining question is how to ask oclHashcat to handle the null byte insertions.

After some discussion on the #hashcat IRC channel, trying to explain that I needed to add a null byte after each character of the candidate password and use the MD4 algorithm, sir Hashcat himself opened my mind:
    <atom> aka unicode ?
    <st3n> yes :)
    <atom> which -m
    <st3n> MD4
    <atom> then use -m 1000
    <atom> NTLM
    <atom> its unicode version of md4
    <st3n> OMG
    <atom> you're joking
    <st3n> LOL. So sorry :) I didn't realize that :)
    <atom> hehe
    <atom> np, have fun
    <st3n> cool, it works very well :)
    <atom> :)

Thank you atom :-) It worked like a charm!
    $ ./oclHashcat-plus64.bin -m 1000 -n 160 -u 1024 628427e87df42adc7e75d2dd5c14b170 ../wordlist/rockyou.txt
    oclHashcat-plus v0.14 by atom starting...

    Hashes: 1 total, 1 unique salts, 1 unique digests
    Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
    Rules: 1
    Workload: 1024 loops, 160 accel
    Watchdog: Temperature abort trigger set to 90c
    Watchdog: Temperature retain trigger set to 80c
    Device #1: Tahiti, 2048MB, 800Mhz, 28MCU
    Device #2: Tahiti, 2048MB, 800Mhz, 28MCU
    Device #1: Kernel ./kernels/4098/m1000_a0.Tahiti_1084.4_1084.4 (VM).kernel (675476 bytes)
    Device #2: Kernel ./kernels/4098/m1000_a0.Tahiti_1084.4_1084.4 (VM).kernel (675476 bytes)

    Generated dictionary stats for ../wordlist/rockyou.txt: 139921497 bytes, 14344391 words, 14100049 keyspace

    628427e87df42adc7e75d2dd5c14b170:readwrite

    Session.Name...: oclHashcat-plus
    Status.........: Cracked
    Input.Mode.....: File (../wordlist/rockyou.txt)
    Hash.Target....: 628427e87df42adc7e75d2dd5c14b170
    Hash.Type......: NTLM
    Time.Started...: Thu Sep 19 16:08:39 2013 (2 secs)
    Speed.GPU.#1...: 25647.5k/s
    Speed.GPU.#2...: 0/s
    Speed.GPU.#*...: 25647.5k/s
    Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
    Progress.......: 4587521/14100049 (32.54%)
    Rejected.......: 1/4587521 (0.00%)
    HWMon.GPU.#1...: 0% Util, 48c Temp, 20% Fan
    HWMon.GPU.#2...: 0% Util, 45c Temp, 20% Fan
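The whole procedure in one place, as an added example that is not part of the original post: a pure-Python MD4 (recent OpenSSL builds keep MD4 in the legacy provider, so `openssl dgst -md4` and `hashlib.new('md4')` may simply fail), the NTLM computation that wgagent performs, the post's null-byte trick for comparison, and a small parser that pulls `<account>` entries out of a Firebox XML export into the `user:hash` format hashcat accepts with `--username`. The XML sample is constructed for the example (john's hash is the one from the post; the other two accounts and their hashes are invented), and `crack()` is a toy dictionary attack that also flags accounts whose hash is NTLM of the empty string.

```python
"""NTLM (MD4 over UTF-16LE) reproduction of the Firebox-DB password hash,
plus a helper that extracts <account> entries from a Firebox XML config.
Added example; pure Python so it does not depend on OpenSSL's MD4 support."""
import re
import struct
import xml.etree.ElementTree as ET

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: pad to 56 mod 64, append the 64-bit LE bit length,
    then run three 16-step rounds per 64-byte block."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack('<Q', bit_len)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack('<16I', msg[off:off + 64])
        a, b, c, d = h
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl(a + func(b, c, d) + X[idx] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working variables
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack('<4I', *h)


def ntlm(password: str) -> str:
    """What wgagent does: UTF-16LE encode, then MD4. Same as hashcat -m 1000."""
    return md4(password.encode('utf-16-le')).hex()


def null_padded(password: str) -> str:
    """The post's perl trick: a NUL after every *byte*. Identical to ntlm()
    for ASCII, but diverges as soon as a character needs more than one
    UTF-8 byte, so feed hashcat real UTF-16LE-compatible candidates."""
    raw = password.encode('utf-8')
    return md4(b''.join(bytes([ch, 0]) for ch in raw)).hex()


# Constructed sample config (not a real export): john from the post, an
# account carrying the NTLM hash of the empty string, and one that will not
# crack with the toy wordlist below.
SAMPLE_CONFIG = """<config>
  <account><id>john</id><password>628427e87df42adc7e75d2dd5c14b170</password>
    <description/><idle-timeout>1800</idle-timeout></account>
  <account><id>backup</id><password>31d6cfe0d16ae931b73c59d7e0c089c0</password></account>
  <account><id>svc</id><password>0123456789abcdef0123456789abcdef</password></account>
</config>"""

HEX32 = re.compile(r'^[0-9a-f]{32}$')


def firebox_accounts(xml_text: str) -> list:
    """Return (id, hash) pairs for every <account> whose password field
    looks like a 32-hex-digit digest."""
    out = []
    for acct in ET.fromstring(xml_text).iter('account'):
        uid = acct.findtext('id')
        pw = (acct.findtext('password') or '').strip().lower()
        if uid and HEX32.match(pw):
            out.append((uid, pw))
    return out


def hashcat_lines(accounts) -> str:
    """user:hash lines for `hashcat -m 1000 --username <file> <wordlist>`."""
    return '\n'.join(f'{u}:{h}' for u, h in accounts) + '\n'


def crack(accounts, wordlist) -> dict:
    """Toy dictionary attack; '' is tried first so blank passwords surface."""
    table = {ntlm(w): w for w in [''] + list(wordlist)}
    return {u: table[h] for u, h in accounts if h in table}


if __name__ == '__main__':
    accts = firebox_accounts(SAMPLE_CONFIG)
    print(hashcat_lines(accts), end='')
    print(crack(accts, ['password', 'readwrite', 'admin']))
```

Write `hashcat_lines()` to a file and run hashcat on it with `-m 1000 --username`; `--show` afterwards prints user:hash:plain. The `backup` entry illustrates a check worth running before any cracking: an account whose hash equals NTLM("") has an empty password.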
Conclusion
In conclusion, WatchGuard firewall appliances protect the Firebox-DB passwords with the (good old) NTLM algorithm, i.e. an unsalted MD4 over the UTF-16LE password, so hashcat mode 1000 cracks them directly :-) This was verified against versions 11.6.3 and 11.7.4.

Please note: the Firebox database does not contain the management credentials (admin/status accounts). A copy of these passwords can however be found in the file /etc/wg/configd-hash.xml (gzip compressed), but you don't have access to that file. Thank you Corey for this valuable comment.
Enjoy,
© 2013, foip. All rights reserved.