
Author Topic: Extracting PPPoE credentials from Juniper SRX300  (Read 16063 times)

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #30 on: June 11, 2017, 08:51:41 PM »

> . . . why not just use two usb ethernet adapters and bridge. Sniff the bridge.

Ah, that's an interesting idea. Thank you for mentioning it.
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #31 on: June 11, 2017, 09:03:15 PM »

> I just need to mirror 2 ports, 1 going to the Openreach ONT (both ingress & outgress) and 1 going to the SRX300 (again both ingress & outgress) and the results going to the mirroring port which is the port connected to my PC.

Let's say that you connect the HG8240 to port 1, the SRX300 to port 5 and your PC, running Wireshark, to port 3. At first glance --

Port 3 would be defined as the mirroring port.
Port 1 would be defined as a mirrored port, both ingress and egress.
Port 5 would be defined as a mirrored port, both ingress and egress.

But . . . isn't that overdoing it?  :-\  Surely ingress on port 1 will be egress on port 5 and ingress on port 5 will be egress on port 1 (as you will not have any other devices connected to the SG105E). So just define port 3 as the mirroring port and port 5 as the mirrored port (both ways; ingress and egress). That will simplify the configuration.

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #32 on: June 11, 2017, 09:15:26 PM »

You're right, I was overcomplicating matters ::) Simpler to define 1 mirrored port (both ways) and 1 mirroring port (going to PC).

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #33 on: June 11, 2017, 10:28:06 PM »

> Of the two techniques, I suspect that dechap may prove to be the easier as both the size of the password (i.e. its "width") and the character set that is used are unknowns.

I'm reasonably sure you suspect wrong. If doing basic brute force Hashcat can be told which alphabet, permutations and lengths to try, though it doesn't matter as it very rapidly gets unfeasible once the password goes beyond a handful of characters if it's using a larger character set. Even 8 characters is extremely tricky with a larger set.

A dictionary attack with manipulations might be the best option.

In fact I think getting to this is a job for Computerphile. :)

https://www.youtube.com/watch?v=7U-RbOKanYs

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #34 on: June 11, 2017, 11:15:59 PM »

> If doing basic brute force Hashcat can be told which alphabet, permutations and lengths to try, though it doesn't matter as it very rapidly gets unfeasible once the password goes beyond a handful of characters if it's using a larger character set. Even 8 characters is extremely tricky with a larger set.

We both agree that the character-set size and the password width (size) are unknowns. So I am rather puzzled as to how the advanced features of Hashcat could be used.

So far, I have not found any reports of successful usage of Foeh Mannay's dechap utility. However that does not mean that the utility will not work.

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #35 on: June 12, 2017, 09:41:12 PM »

In security terms password width isn't the length of the password, it's the character set size used by a single password.

A simple script to run Hashcat with the largest reasonable width working up from a single character to whatever length is computationally feasible would work. Assume a set comprising upper and lower case, numbers and basic symbols to encompass the usual suspects.

The best bet by a mile though is, assuming the password isn't random, and if it is it's likely too long to brute force, a dictionary and manipulations attack. Unless the password is short and/or narrow brute force isn't going to work.

Password length is length, width the character set used, which alongside length provides resilience against brute force, password depth provides resilience against dictionary attacks by avoiding common combinations of characters.

Hope this helps explain.  :)

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #36 on: June 12, 2017, 09:48:28 PM »

You are aware that brute force has been shown to work?

bishbashbosh

  • Member
  • **
  • Posts: 62
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #37 on: June 12, 2017, 10:06:33 PM »

From my recent personal experience I can tell you that as good as dechap is it is only CPU bound and not multithreaded. Even running 8 instances of a 4GHz i7 at 100% would equate to more than 40 days with 8 position upper/lower/number without the overhead of disk i/o

Also dechap requires the password file or, in the case of multi cores, several password files, which is in the hundreds of TBs.

The only option if you can capture the packet flow is hashcat using GPU and the method described by chrislad in the Vodafone HHG2500 thread
http://forum.kitz.co.uk/index.php/topic,18911.301.html
http://forum.kitz.co.uk/index.php/topic,18911.msg348418.html#msg348418

If you don't know the length I'd start with 6 and increment up from there.

Dechap is really good as a code example and helped me an awful lot on my journey, it's just not viable on anything more than 6 positions if you have no idea how the password is constructed.

[Moderator edited to change the above link to point directly to the post so referenced.]
« Last Edit: June 12, 2017, 10:57:37 PM by burakkucat »

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #38 on: June 12, 2017, 11:54:30 PM »

Thanks for that bish, should receive the TP link kit tomorrow so hopefully can start working on this very soon.

Earlier today asked Fluidone again for login credentials but was given the middle finger so you guys are my last hope  :fingers:

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #39 on: June 13, 2017, 12:48:29 AM »

> . . . should receive the TP link kit tomorrow so hopefully can start working on this very soon.

I've just had a sudden thought.

What will "Senior Management" [1] say when she sees that you have added even more equipment into the Ethernet link?  :angel:

[1] A.k.a. "Her Indoors", a.k.a. "She Who Must be Obeyed".

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #40 on: June 13, 2017, 10:25:12 AM »

> What will "Senior Management" [1] say when she sees that you have added even more equipment into the Ethernet link?  :angel:

Don't want to think about that! <shudders>  :o :o

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #41 on: June 13, 2017, 07:46:48 PM »

Ok managed to hook up the tp link switch and was able to capture data going to & from the Juniper. However I couldn't see any info remotely resembling login credentials.
« Last Edit: June 13, 2017, 11:11:22 PM by psychopomp1 »

4uture

  • Member
  • **
  • Posts: 11
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #42 on: June 13, 2017, 07:52:51 PM »

I had a look at your capture file, and there's no chap challenge-response in there. The point is, you need to trigger a re-authentication. Did you do that? I think in your case you can only do so by rebooting the Juniper.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #43 on: June 13, 2017, 08:05:51 PM »

Earlier this afternoon, I had a sudden thought of the Watchfront FireBrick FB105 that I have stored in The Grotto.

After a quick device reset, to ensure that it has a default, sane, state, it was connected between my LAN and one directly computer. Checking the "Setup Menu" showed that I had remembered correctly, there is a "Port Monitoring" setup page. I feel that another experiment will be required.

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #44 on: June 13, 2017, 08:17:00 PM »

Thanks 4uture. Yes, when hooking up the TP-Link switch I rebooted the Juniper; however, I started the capture 5-10 mins after the Juniper was restarted, so perhaps the login info/CHAP challenge is only transmitted right at the beginning, i.e. maybe it's not being transmitted continuously.

Once I can prise the other half away from the MAG box (otherwise she'll go bananas if her streams are disrupted  :lol:), I'll have another go at capturing the data - this time right from the moment the Juniper starts transmitting.

Thanks again  :)
« Last Edit: June 13, 2017, 08:19:28 PM by psychopomp1 »
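
The check 4uture describes (does a capture contain a CHAP challenge-response at all?), as an added example that is not part of any post in this thread: it labels each frame by PPPoE/PPP phase without decoding any field values, and shows a capture begun after the session is up carrying no authentication frames. The function names and the sample frames are constructed for illustration; frames are assumed to carry at most one 802.1Q tag.

```python
import struct

# EtherTypes and PPPoE codes (RFC 2516), PPP protocol numbers, CHAP codes (RFC 1994)
DISCOVERY, SESSION, VLAN = 0x8863, 0x8864, 0x8100
PAD = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
PPP = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0x8021: "IPCP", 0x0021: "IPv4"}
CHAP = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def classify(frame: bytes) -> str:
    """Label one Ethernet frame by PPPoE/PPP phase. Field values are not decoded."""
    try:
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        off = 14
        if ethertype == VLAN:                      # skip a single 802.1Q tag
            (ethertype,) = struct.unpack_from("!H", frame, 16)
            off = 18
        if ethertype not in (DISCOVERY, SESSION):
            return "other"
        _vt, code, _sid, _len = struct.unpack_from("!BBHH", frame, off)
        if ethertype == DISCOVERY:
            return PAD.get(code, "discovery-unknown")
        off += 6                                   # past the PPPoE header
        proto = frame[off]
        if proto & 1:                              # compressed 1-byte protocol field
            off += 1
        else:
            proto = (proto << 8) | frame[off + 1]
            off += 2
        if proto == 0xC223:                        # first CHAP byte is the code
            return "CHAP " + CHAP.get(frame[off], "unknown")
        return PPP.get(proto, "ppp-0x%04x" % proto)
    except (struct.error, IndexError):
        return "truncated"

def has_auth_exchange(frames) -> bool:
    """True only if both a CHAP Challenge and a CHAP Response are present."""
    return {"CHAP Challenge", "CHAP Response"} <= {classify(f) for f in frames}

def make_frame(ethertype: int, code: int, ppp: bytes = b"", vlan: bool = False) -> bytes:
    """Build a constructed sample frame (made-up MACs, session id 0x0001)."""
    macs = bytes.fromhex("020000000001" "020000000002")
    tag = struct.pack("!HH", VLAN, 101) if vlan else b""
    return macs + tag + struct.pack("!HBBHH", ethertype, 0x11, code, 1, len(ppp)) + ppp

# Constructed captures: one from link start, one begun after the session was up.
COLD_START = [make_frame(DISCOVERY, c) for c in (0x09, 0x07, 0x19, 0x65)] + [
    make_frame(SESSION, 0, p) for p in (b"\xc0\x21\x01", b"\xc2\x23\x01", b"\xc2\x23\x02",
                                        b"\xc2\x23\x03", b"\x80\x21\x01", b"\x21\x45")]
LATE_START = [make_frame(SESSION, 0, b"\xc0\x21\x09"), make_frame(SESSION, 0, b"\x21\x45", vlan=True)]
```
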