Juniper/NetBSD sha1crypt

[roycewilliams]

A potential new hash target.

Name: Juniper/NetBSD sha1crypt

Use: Currently used on Juniper routers and switches, and also available on NetBSD systems, and maybe other BSDs (but not modern FreeBSD or OpenBSD).

sha1crypt is not the default algorithm on Junipers, and must be enabled with this Junos OS command (and then committing the configuration):

set system login password format sha1

It is also apparently automatically enabled when using the Junos-FIPS variant of the OS (ref here).

While perhaps less common, sha1crypt is interesting for a few reasons:

• Strength. sha1crypt's rounds as implemented in Junos OS are based on an upper bound provided as a parameter at creation time and used as a "hint" (see the NetBSD pwhash(1) manpage) , resulting in a significantly slower hash than md5crypt. This will make it more attractive to security-minded defenders.

• Compliance pressure. The recent deprecation of md5crypt by @bsdphk will mean that organizations subject to external audit will be more likely to override the default and select this slower hash.

• Attack asymmetry. @jsteube has noted that the algorithm is using HMAC, but using it incorrectly, with the potential to speed up cracking by 50% compared to the defender. This asymmetry may be worth demonstrating.

• Feature parity. John the Ripper jumbo already supports it ;) (Hi, @magnumripper!)

I anticipate that the use of sha1crypt on Junipers will increase. Since the only other options supported by Junos OS appear to be were descrypt and md5crypt, it is currently was the strongest option on that platform until Junos OS 13.3, when modern FreeBSD hashes like sha256crypt and sha512crypt were added.

Source code: Access to original Junos OS source code is limited, but the NetBSD implementation appears to be very similar. From its commit message:

The algorithm used is essentially PBKDF1 from RFC 2898 but using hmac_sha1 rather than SHA1 directly

Other source commentary is in this mailing-list post from 2004 by @sgerraty, and the replies at the bottom of this thread summary.

Source from John the Ripper jumbo is in sha1crypt_common.h, sha1crypt_common_plug.c, and opencl_sha1crypt_fmt_plug.c.

Complexity requirements: These will vary by platform, since they are customizable. There are complexity configuration options on Juniper gear, but it is not yet clear what the defaults are, though this reference may be informative, and says:

The default configuration for Junos OS plain-text passwords is:

[edit system login]
passwords {
change-type set-transitions;
format md5;
minimum-changes 1;
minimum-length 6;
}
The default configuration for Junos-FIPS plain-text passwords is:

[edit system login]
passwords {
change-type set-transitions;
format sha1;
maximum-length 20;
minimum-changes 3;
minimum-length 10;
}

The plain string 'hashcat' does not meet the default FIPS requirements. The native Juniper examples below are complex enough to meet them. On the NetBSD side, we can presume that the NetBSD implementation is similar to other Unix-like hashes such as md5crypt on that platform, as 'hashcat' is happily accepted.

Examples:

The hashes are of the form:

 $sha1$[iterations]$[salt]$[digest]

The following two example hashes have been verified by a colleague as usable to directly log into a Juniper device:

$sha1$24659$i3Znp47D$r7VOjnryOmiGNWRpna0Lk3ooe/jX:Hashcat1234!
$sha1$19205$SeTzdv2R$8ZcgMk0PiGRrQdz5xGMncAfymq1C:Hashcat1234!

The following two hashes appear in a thread about the format that includes actual Juniper employees:

$sha1$19295$mROzSQ4a$SFnJ1fAbP4cHqw/16.xDV4s1LpMA:flipfl0p! - Juniper hash
$sha1$23933$/WgTkHoe$25rdwdZ95cfgY/Tl6li2/LRIbuVT:stuff - NetBSD command "pwhash -S 24680 stuff"

On a NetBSD 6.0 amd64 system, pwhash -S 20000 hashcat yields hashes like these (and note that the '20000' provides the upper bound for the number of rounds, which is then randomly selected to be close to, but not exceed, that parameter):

$sha1$19289$./l/p5Qi$zAMpiG6n/Mh1gVsqpqhShtIsJDrg:hashcat
$sha1$19099$xEejp9gg$B.nKyshdhZj.KoiY.jGRemr4P3gl:hashcat
$sha1$16576$M54DvXWL$7xweXepKNhx4Crw/zrRP5Q8uf4Ab:hashcat
$sha1$17279$hdDR44dw$ww46F6oJlRk8g5HBrK05ApaiUcmL:hashcat
$sha1$19480$ieopulPH$Q0UBS8vNRwIlqrEPXZG0.1v4q6dm:hashcat
$sha1$18448$Qnzf/O/0$mE6qrpyPuhsPiLckV8phQ2XnMfYF:hashcat
$sha1$18475$rhik9dwK$der0rnY.G6qGJoE.gZEhK.8P9AmG:hashcat
$sha1$18615$23H/FgCs$2KzVzfiVr//STwy1u0fj0mXf54We:hashcat
$sha1$17342$bbK0OgPg$LgcAmR4zah1UMmLpjXdI4zEtmgWD:hashcat
$sha1$15596$r7QAdYmN$r.R5LWZlEl.pp/61YxiFXa/yR.7H:hashcat
$sha1$17406$qQWlxmRf$mM1VKPRy03n3aFeM2gU8//Nd2Kdm:hashcat
$sha1$17874$ODsSiOIS$P4Tp6E1a0sDO.ea8pHmCn0FaJTVM:hashcat
$sha1$18311$Tojrdmli$Hw62CDZ41WNGjr0JM7/5mRSjE2sR:hashcat
$sha1$15859$actP17H3$1VYzKX2W11mc1vcejtKixG/4yfPQ:hashcat
$sha1$19566$kMIMYjzO$EKyQqto/bYP.QlLFB4z597/DndJd:hashcat
$sha1$15102$hT6ULMhj$ko7U7xtPvxvSOARkwgYw/f9f.Gdd:hashcat
$sha1$16632$54Rh6Ws6$KhGyntLh.y6k0XXMMAG36JFftXb/:hashcat

As a cross-check, JtR-jumbo successfully cracks all of the hashes listed above:

$ cat ~/sha1crypt.hashes 
$sha1$24659$i3Znp47D$r7VOjnryOmiGNWRpna0Lk3ooe/jX
$sha1$19205$SeTzdv2R$8ZcgMk0PiGRrQdz5xGMncAfymq1C
$sha1$19295$mROzSQ4a$SFnJ1fAbP4cHqw/16.xDV4s1LpMA
$sha1$23933$/WgTkHoe$25rdwdZ95cfgY/Tl6li2/LRIbuVT
$sha1$19289$./l/p5Qi$zAMpiG6n/Mh1gVsqpqhShtIsJDrg
$sha1$19099$xEejp9gg$B.nKyshdhZj.KoiY.jGRemr4P3gl
$sha1$16576$M54DvXWL$7xweXepKNhx4Crw/zrRP5Q8uf4Ab
$sha1$17279$hdDR44dw$ww46F6oJlRk8g5HBrK05ApaiUcmL
$sha1$19480$ieopulPH$Q0UBS8vNRwIlqrEPXZG0.1v4q6dm
$sha1$18448$Qnzf/O/0$mE6qrpyPuhsPiLckV8phQ2XnMfYF
$sha1$18475$rhik9dwK$der0rnY.G6qGJoE.gZEhK.8P9AmG
$sha1$18615$23H/FgCs$2KzVzfiVr//STwy1u0fj0mXf54We
$sha1$17342$bbK0OgPg$LgcAmR4zah1UMmLpjXdI4zEtmgWD
$sha1$15596$r7QAdYmN$r.R5LWZlEl.pp/61YxiFXa/yR.7H
$sha1$17406$qQWlxmRf$mM1VKPRy03n3aFeM2gU8//Nd2Kdm
$sha1$17874$ODsSiOIS$P4Tp6E1a0sDO.ea8pHmCn0FaJTVM
$sha1$18311$Tojrdmli$Hw62CDZ41WNGjr0JM7/5mRSjE2sR
$sha1$15859$actP17H3$1VYzKX2W11mc1vcejtKixG/4yfPQ
$sha1$19566$kMIMYjzO$EKyQqto/bYP.QlLFB4z597/DndJd
$sha1$15102$hT6ULMhj$ko7U7xtPvxvSOARkwgYw/f9f.Gdd
$sha1$16632$54Rh6Ws6$KhGyntLh.y6k0XXMMAG36JFftXb/

$ cat ./sha1crypt.dict
Hashcat1234!
flipfl0p!
hashcat
stuff

$ ./john --format=sha1crypt --wordlist=sha1crypt.dict ~/sha1crypt.hashes 
Using default input encoding: UTF-8
Loaded 21 password hashes with 21 different salts (sha1crypt, NetBSD's sha1crypt [PBKDF1-SHA1 128/128 AVX 4x])
Loaded hashes with cost 1 (iteration count) varying from 15102 to 24659
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Hashcat1234!     (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
Hashcat1234!     (?)
hashcat          (?)
flipfl0p!        (?)
hashcat          (?)
stuff            (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
hashcat          (?)
21g 0:00:00:06 DONE (2017-03-23 06:14) 3.420g/s 0.6514p/s 13.68c/s 13.68C/s Hashcat1234!..stuff
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ cat john.pot
$sha1$19205$SeTzdv2R$8ZcgMk0PiGRrQdz5xGMncAfymq1C:Hashcat1234!
$sha1$18448$Qnzf/O/0$mE6qrpyPuhsPiLckV8phQ2XnMfYF:hashcat
$sha1$19480$ieopulPH$Q0UBS8vNRwIlqrEPXZG0.1v4q6dm:hashcat
$sha1$18475$rhik9dwK$der0rnY.G6qGJoE.gZEhK.8P9AmG:hashcat
$sha1$24659$i3Znp47D$r7VOjnryOmiGNWRpna0Lk3ooe/jX:Hashcat1234!
$sha1$19289$./l/p5Qi$zAMpiG6n/Mh1gVsqpqhShtIsJDrg:hashcat
$sha1$19295$mROzSQ4a$SFnJ1fAbP4cHqw/16.xDV4s1LpMA:flipfl0p!
$sha1$19566$kMIMYjzO$EKyQqto/bYP.QlLFB4z597/DndJd:hashcat
$sha1$23933$/WgTkHoe$25rdwdZ95cfgY/Tl6li2/LRIbuVT:stuff
$sha1$17279$hdDR44dw$ww46F6oJlRk8g5HBrK05ApaiUcmL:hashcat
$sha1$18311$Tojrdmli$Hw62CDZ41WNGjr0JM7/5mRSjE2sR:hashcat
$sha1$19099$xEejp9gg$B.nKyshdhZj.KoiY.jGRemr4P3gl:hashcat
$sha1$18615$23H/FgCs$2KzVzfiVr//STwy1u0fj0mXf54We:hashcat
$sha1$17342$bbK0OgPg$LgcAmR4zah1UMmLpjXdI4zEtmgWD:hashcat
$sha1$16576$M54DvXWL$7xweXepKNhx4Crw/zrRP5Q8uf4Ab:hashcat
$sha1$17874$ODsSiOIS$P4Tp6E1a0sDO.ea8pHmCn0FaJTVM:hashcat
$sha1$15596$r7QAdYmN$r.R5LWZlEl.pp/61YxiFXa/yR.7H:hashcat
$sha1$15859$actP17H3$1VYzKX2W11mc1vcejtKixG/4yfPQ:hashcat
$sha1$16632$54Rh6Ws6$KhGyntLh.y6k0XXMMAG36JFftXb/:hashcat
$sha1$15102$hT6ULMhj$ko7U7xtPvxvSOARkwgYw/f9f.Gdd:hashcat
$sha1$17406$qQWlxmRf$mM1VKPRy03n3aFeM2gU8//Nd2Kdm:hashcat

P.S. @philsmd, I'm told that I first need to convince you to write a parser for this algorithm. :)

[philsmd]

Wow, I would call this a really great example of a feature request description. Well done.

So, I already did all the preparation... host code (including parser etc).
This hash type should be ready soon ("only" OpenCL kernel missing).
Thx

[roycewilliams]

Thanks! You and @jsteube were my primary target audience, so if it's a good writeup (and a successful one!), then mission accomplished. I also wanted to try to create a good example for others to use as a reference.

Minor edit: I added a few more 'hashcat' NetBSD examples, to demonstrate the spread of the iteration counts.

[jsteube]

I can only agree, very good description. If only all requests would look like that. Please test the implementation and close the issue if fixed.

[sgerraty]

While sha1crypt may not currently be common, I anticipate that its use will in crease. Since the only other options on JunOS appear to be descrypt and md5cry pt, it is currently the strongest option on that platform.

FWIW recent Junos supports more options including those found in recent FreeBSD.

[sgerraty]

On Thu, 23 Mar 2017 07:34:19 -0700, Royce Williams writes:

Minor edit: I added a few more 'hashcat' NetBSD examples, to demonstrate the s pread of the iteration counts.

Yes, the number of iterations was semi-randomized to make dictionary attacks more expensive, goal was approximate 1s runtime.

[roycewilliams]

Ah, indeed - I missed the mention of SHA-256 and SHA-512 from 3.13 onwards in the Juniper docs. Thanks, @sgerraty! (And good to hear from you. I'm a FreeBSD and Juniper fan - thanks for your work on both.)

[roycewilliams]

@philsmd, @jsteube - works like a charm - thanks! And quite impressive turnaround time!

For reference, this new mode (Juniper/NetBSD sha1crypt) is mode 15100, and was committed in d1b2fa0.

[roycewilliams]

As expected, a pretty slow hash:

$ ./hashcat -m 15100 -a 4 '$sha1$17279$hdDR44dw$ww46F6oJlRk8g5HBsK05ApaiUcmL' ?b?b?b?b?b?b?b

[snip]

* Device #1: GeForce GTX 970, 1009/4037 MB allocatable, 13MCU
* Device #2: GeForce GTX 750 Ti, 500/2000 MB allocatable, 5MCU

Session..........: hashcat
Status...........: Running
Hash.Type........: Juniper/NetBSD sha1crypt
Hash.Target......: $sha1$17279$hdDR44dw$ww46F6oJlRk8g5HBsK05ApaiUcmL
Time.Started.....: Thu Mar 23 16:29:06 2017 (1 min, 10 secs)
Time.Estimated...: Sun May 24 02:16:56 2020 (19992 years, 263 days)
Input.Mask.......: ?b?b?b?b?b?b?b [7]
Input.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:    84017 H/s (298.67ms)
Speed.Dev.#2.....:    30195 H/s (318.16ms)
Speed.Dev.#*.....:   114.2 kH/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 7077888/72057594037927936 (0.00%)
Rejected.........: 0/7077888 (0.00%)
Restore.Point....: 0/281474976710656 (0.00%)
Candidates.#1....: $HEX[706172696e616e] -> $HEX[70ffff0c000000]
Candidates.#2....: $HEX[7061726e657261] -> $HEX[70ffff11000000]
HWMon.Dev.#1.....: Temp: 73c Fan: 52% Util:100% Core:1265MHz Mem:3004MHz Lanes:8
HWMon.Dev.#2.....: Temp: 44c Fan: 32% Util:100% Core:1163MHz Mem:2700MHz Lanes:8