Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: psychopomp1 on June 10, 2017, 02:51:03 PM

Title: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 10, 2017, 02:51:03 PM
Probably a long shot but thought I'd ask anyway. My FTTP authentication (PPPoE) credentials are stored in the ISP provided Juniper SRX300; I MUST use this to connect to the ONT. Unfortunately, being a managed install, my ISP (Fluidone) won't hand out the PPPoE details so it's up to me to extract them and enter them into my Netgear R9000, which would hopefully allow me to connect the Netgear directly to the Openreach ONT, i.e. bypassing the Juniper behemoth. Would anyone have any idea on where to start? I believe it may be possible to brute force the PPPoE credentials using Hashcat but that's as far as I've got....

Cheers
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 10, 2017, 05:20:02 PM
That's interesting, for it was earlier today that I read a comprehensive post (http://forums.thinkbroadband.com/fibre/t/4552969-my-fluidone-fttpod-install-experience.html) in the TBB Forum from a member who has finally got an active FTTPoD service from Fluidone. A Juniper SRX300 was provided, which had to be connected between the Openreach ONT (a Huawei HG8240) and the EU's router.  ;)

After reading the above mentioned post, I have "put by" some Juniper documentation for study and even downloaded the images that were provided to show the installation . . . To this techno-kitteh's eyes, the SRX300 is more visually appealing than the EU's router!  :D

How to tackle the problem? As I understand it, with the required credentials stored in the SRX300, you will need to monitor (sniff) the Ethernet link between the HG8240 and the SRX300 to catch the CHAP challenge sent (to the SRX300) and its response. Usage of Wireshark will be appropriate. The only uncertainty is how to successfully tap the Ethernet link.  :-\
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 10, 2017, 10:49:08 PM
Having now read through the Juniper documentation (the SRX300 How To Set Up Guide and the SRX300 Services Gateway Hardware Guide) I have to ask a few questions --
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 10, 2017, 11:12:46 PM
That's interesting, for it was earlier today that I read a comprehensive post (http://forums.thinkbroadband.com/fibre/t/4552969-my-fluidone-fttpod-install-experience.html) in the TBB Forum from a member who has finally got an active FTTPoD service from Fluidone. A Juniper SRX300 was provided, which had to be connected between the Openreach ONT (a Huawei HG8240) and the EU's router.  ;)
Yep, that's me on the TBB forum  ;D

  • Have you tried to gain access to the SRX300 via the serial console port?
  • Have you tried loading the rescue configuration (a straightened out paper-clip in the hole to operate the "Reset Config" button)?
  • How locked down, if at all, is the device?

I haven't tried any of the above...TBH the unit looks rather intimidating  :-[ I'm worried that if I press the reset button (if it works that is!) it might reset/wipe everything and leave me without web access and the only way might be to send the unit back to Fluidone to re-configure...which I imagine they won't be too happy with. I think it's totally locked down, even pressing the on/off switch does nothing, switching it on at the mains is the only way to power it up.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: tickmike on June 11, 2017, 12:09:58 AM

 The only uncertainty is how to successfully tap the Ethernet link.
Could a network switch be placed in it and connect a computer with Wireshark on it to read the 'chap'?
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 12:31:11 AM
Yep, that's me on the TBB forum  ;D

I guessed it had to be.  :D  There was far too much of a similarity to be just a coincidence . . .

Thank you for making those images available. I now know the specification of the EZ Bend cable and can look up the ITU-T Recommendations for all the details (G.657 (http://www.itu.int/itu-t/recommendations/rec.aspx?rec=13078)), minimum bend radius, etc.

"OFS EZ BEND G.657.B3 OPTICAL CABLE #C- M04.8C-"

Quote
I haven't tried any of the above...TBH the unit looks rather intimidating  :-[ I'm worried that if I press the reset button (if it works that is!) it might reset/wipe everything and leave me without web access and the only way might be to send the unit back to Fluidone to re-configure...which I imagine they won't be too happy with. I think its totally locked down, even pressing the on/off switch does nothing, switching it on at the mains is the only way to power it up.

Acknowledged and understood.

So we need to consider a means to tap the Ethernet link. The simplest method would be to insert a computer with two Gigabit NICs into the Ethernet link.

Huawei HG8240 <-------> Computer <-------> Juniper SRX300 <-------> Netgear R9000

Where the computer runs a Linux kernel based OS and has two Gbit NICs, Eth0 and Eth1. Software-wise (iptables) Eth0 just passes data to/from Eth1 and vice-versa. A logical bond is created from those two physical interfaces and it is the logical bond that is sniffed with Wireshark.
From the Wireshark capture I would expect you to see three lines of interest --
In the SRX300's response, I would expect you to see the "login" part of the credentials in plain text. The "password" part of the credentials should be discovered by submitting the relevant portions of the challenge and response to Hashcat.

Hmm . . .  :hmm:
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: niemand on June 11, 2017, 12:38:16 AM
Or just use a cheap switch that allows port mirroring and capture that way.

Cheapo TP-Link Easy Smart switches can do this. I presume any managed switch will suffice.

 
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 12:44:46 AM
Could a network switch be placed in it and connect a computer with Wireshark on it to the read 'chap'

The problem when using a network switch (or even an early generation of dumb network hub) is that the computer's own Ethernet NIC will also "vocalise" in response to the data flowing between the two devices.

Here is the "Enigma Curry" Ethernet Tap (http://www.enigmacurry.com/category/diy/) which is good for 10/100 Mbps but not for 1000 Mbps. ("Enigma Curry" is an anagram of "Ryan McGuire".)
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 12:46:58 AM
Or just use a cheap switch that allows port mirroring and capture that way.

Cheapo TP-Link Easy Smart switches can do this. I presume any managed switch will suffice.

Interesting. Do you have links (URLs) for any suitable devices, please?
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: d2d4j on June 11, 2017, 10:48:16 AM
Hi burakkucat

If it helps you, I'm sure we have some old HP ProCurve 2524 or 2512 (2500 series L2 full management switches - the 24 or 12 signify the number of ports available)

You can set port mirroring on these, either from cli or web based - depending upon how you find it easier

A small point to note on these: storm protection is a CLI-only option for turning on/off (in case you want to have multiple incoming connections or setting failover/bonding)

If you would like one sending to you, please pm me but I cannot guarantee to have time to factory default switch. However, it is easy to do with clear/reset buttons or there is a 232/db9 pin management port, and default from telnet on startup

Lastly, 2524 are only 10/100 unless you buy/have the plugin 1000 or fibre

Very last, these are covered on lifetime warranty and hp are one of the few companies who dispose/recovery of old equipment to make new components where possible

Many thanks

John
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 11, 2017, 02:08:23 PM
Thanks guys, perhaps I may be able to throw the SRX300 in the rubbish skip after all  :lol:

So I take it the first step is to get a suitable 'sniffing' port switch which I need to hook up to my 1gbps ethernet port on my pc? I guess the switch will need to have 1 gig ports as my connection is greater than 100 meg?

Where the computer runs a Linux kernel based OS and has two Gbit NICs, Eth0 and Eth1. Software-wise (iptables) Eth0 just passes data to/from Eth1 and vice-versa. A logical bond is

Will I not be able to do this within a Windows 7 (64 bit) environment as that is what my Thinkpad notebook uses?
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: underzone on June 11, 2017, 03:03:06 PM
You don't want to use a switch, you just need an old hub and wireshark :cool:

https://en.wikipedia.org/wiki/Ethernet_hub (https://en.wikipedia.org/wiki/Ethernet_hub)


Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 11, 2017, 03:32:24 PM
You don't want to use a switch, you just need an old hub and wireshark :cool:

https://en.wikipedia.org/wiki/Ethernet_hub (https://en.wikipedia.org/wiki/Ethernet_hub)

Thanks, so I would need to buy something like this

https://www.amazon.co.uk/TP-LINK-TL-SG105-Steel-Gigabit-Switch/dp/B00A128S24 (https://www.amazon.co.uk/TP-LINK-TL-SG105-Steel-Gigabit-Switch/dp/B00A128S24)

hook everything up as burakkucat described, run wireshark on my pc and Bob's my uncle?
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: underzone on June 11, 2017, 03:41:03 PM
Nope. A hub, like this:
http://www.ebay.co.uk/itm/Netgear-DS104-4-Port-Dual-Speed-Hub-Supplied-with-PSU-/322550041551?hash=item4b197b0bcf:g:CD8AAOSwz71ZPB0t (http://www.ebay.co.uk/itm/Netgear-DS104-4-Port-Dual-Speed-Hub-Supplied-with-PSU-/322550041551?hash=item4b197b0bcf:g:CD8AAOSwz71ZPB0t)
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: niemand on June 11, 2017, 03:49:11 PM
Didn't even realise you could still get those. Forgot about eBay!

Yep that's definitely the way to go.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: niemand on June 11, 2017, 04:02:39 PM
The problem when using a network switch (or even an early generation of dumb network hub) is that the computer's own Ethernet NIC will also "vocalise" in response to the data flowing between the two devices.

Here is the "Enigma Curry" Ethernet Tap (http://www.enigmacurry.com/category/diy/) which is good for 10/100 Mbps but not for 1000 Mbps. ("Enigma Curry" is an anagram of "Ryan McGuire".)

Unless you're running a PPP server on the machine it won't.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: niemand on June 11, 2017, 04:08:49 PM
Interesting. Do you have links (URLs) for any suitable devices, please?

http://www.tp-link.com/us/business-networking/switches/easy-smart-switches

Though as mentioned above a hub is perfectly fine. The Ethernet card on the receiving machine won't respond to the traffic as:

1) It's not addressed to it,
2) Unless there's a PPP server running on it the machine won't respond to the broadcast carrying the PADI datagram.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 11, 2017, 04:27:44 PM
Nope. A hub, like this:
http://www.ebay.co.uk/itm/Netgear-DS104-4-Port-Dual-Speed-Hub-Supplied-with-PSU-/322550041551?hash=item4b197b0bcf:g:CD8AAOSwz71ZPB0t (http://www.ebay.co.uk/itm/Netgear-DS104-4-Port-Dual-Speed-Hub-Supplied-with-PSU-/322550041551?hash=item4b197b0bcf:g:CD8AAOSwz71ZPB0t)

Thanks but I would prefer to 'buy it now' on ebay....otherwise knowing my luck I will get outbid at the last moment   :no:

 I guess this tplink smart switch would also do the job?
https://www.amazon.co.uk/TP-LINK-TL-SG105E-Gigabit-Smart-Switch/dp/B00N0OHEMA
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 04:46:46 PM
If it helps you, I'm sure we have some old ho procurve 2524 or 2512 (2500 series L2 full management switches - the 24 or 12 signify the number of ports available)

<snip>

If you would like one sending to you, please pm me . . .

Thank you for that generous offer John. However I will not be performing the task, it will be psychopomp1.  :)
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 04:56:12 PM
I guess this tplink smart switch would also do the job?
https://www.amazon.co.uk/TP-LINK-TL-SG105E-Gigabit-Smart-Switch/dp/B00N0OHEMA

From my reading of everyone's advice, so far, the TP-LINK TL-SG105E would be an appropriate device.

b*cat performs one of his best Japanese bows towards d2d4j, u*zone and i*net in acknowledgement of their helpful contributions.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 11, 2017, 05:42:57 PM
Or possibly one of these.

https://greatscottgadgets.com/throwingstar/

I bought one to use for exactly that reason before I worked out how to achieve it using the ISP's own router. If you have limited access to the SRX300 you might be able to do the same.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 05:49:04 PM
Looking toward the future and after a successful Wireshark capture of the relevant information, the next step would be to read the "login" half of the credentials (in my case, passed in plain-text) and then use either Hashcat (https://hashcat.net/hashcat/) or dechap (http://networkingbodges.blogspot.co.uk/2013/01/recovering-chap-passwords-from-sniffed.html) to recover the "password" half of the credentials.

Here are three lines from a Wireshark capture that I performed some months ago --

Code:
No.   Time        Source               Protocol    Length    Info

10    1.055028    JuniperN_ea:28:52    PPP CHAP    66        Challenge (NAME='nge001.ips', VALUE=0x86351c587caed0e81ca62cbf0b4dafcd6cf83237c2)
12    1.057853    Dell_c1:20:9e        PPP CHAP    69        Response  (NAME='burakkucat@talktalk', VALUE=0xf025510d4a8c1c1bc69f4a907e0163bb)
13    1.307018    JuniperN_ea:28:52    PPP CHAP    66        Success   (MESSAGE='')

Of the two techniques, I suspect that dechap may prove to be the easier as both the size of the password (i.e. its "width") and the character set that is used are unknowns.

Code:
[Duo2 ~]$ dechap
dechap: a dictionary attack for captured PPPoE, RADIUS, L2TP, OSPF and BGP traffic.
Version v0.4 alpha, October 2013

Usage:
dechap -c capfile -w wordfile

Where capfile is a tcpdump-style .cap file containing PPPoE, RADIUS
or L2TP CHAP authentications or MD5 authenticated OSPF / BGP packets and
wordfile is a plain text file containing password guesses. VLAN tags
and MPLS labels are automatically stripped.
[Duo2 ~]$

If required, I have some code that will generate all permutations of a "password" of a specified "width" (i.e. size) using the full 95 character-set from " " (space) to "~" (tilde). So a sequence of wordfiles, of widths 1, 2, . . . , n-1, n, could be pre-computed for eventual supply to the dechap utility.



How much disk space will such wordfiles occupy? Let's derive the formula required . . .

Let C be the character set size and W be the width of a password.

Then the number of passwords, P = C^W          [1]

Assuming that the wordfiles are generated on a Unix or Linux kernel-using system then there will be a new-line character at the end of each password.

Thus the size of the resultant file, T = P(W + 1) bytes.          [2]

Substituting equation [1] for P into equation [2] . . .

T = C^W (W + 1) bytes.

So using a character-set size of 95 . . .

 a wordfile containing passwords of width one would occupy 95^1 (1 + 1) = 190 bytes

 a wordfile containing passwords of width five would occupy 95^5 (5 + 1) ~= 4.64 x 10^10 bytes

 a wordfile containing passwords of width ten would occupy 95^10 (10 + 1) ~= 6.58 x 10^20 bytes
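The three-line dialogue quoted above (Challenge, Response, Success) as a small RFC 1994 CHAP/MD5 simulation with both the bRAS and the CPE side; this is an added example, not code from the thread, and the names, secret and challenge bytes are constructed for it. It shows why a passive tap sees the login name in clear and the MD5 digest, but never the secret itself.

```python
import hashlib
import hmac
import os

# Constructed simulation of the PPP CHAP dialogue the thread is sniffing
# (RFC 1994, MD5 algorithm). Nothing here is captured traffic: the names,
# secret and challenge bytes are made up for the example.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response VALUE = MD5(Identifier || secret || Challenge VALUE)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The bRAS end: issues challenges and checks responses.

    The secret never leaves this object; only the challenge and the
    16-byte MD5 response cross the wire."""

    def __init__(self, name: str, secrets: dict[str, bytes]):
        self.name = name                      # NAME field of the Challenge packet
        self.secrets = secrets                # peer login -> secret (e.g. from RADIUS)
        self.pending: dict[int, bytes] = {}   # Identifier -> outstanding challenge
        self.next_id = 1

    def challenge(self, length: int = 16) -> dict:
        ident = self.next_id
        self.next_id = (ident + 1) % 256
        value = os.urandom(length)            # must be unpredictable and never reused
        self.pending[ident] = value
        return {"code": "Challenge", "id": ident, "value": value, "name": self.name}

    def verify(self, response: dict) -> dict:
        ident = response["id"]
        # A challenge is single-use: popping it defeats replay of an old Response.
        chal = self.pending.pop(ident, None)
        if chal is None:
            return {"code": "Failure", "id": ident, "message": "no such challenge"}
        secret = self.secrets.get(response["name"])
        if secret is None:
            return {"code": "Failure", "id": ident, "message": "unknown peer"}
        expected = chap_response(ident, secret, chal)
        if hmac.compare_digest(expected, response["value"]):
            return {"code": "Success", "id": ident, "message": ""}
        return {"code": "Failure", "id": ident, "message": "bad response"}


class Peer:
    """The CPE end (the SRX300 in the thread): holds the login and the secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, challenge: dict) -> dict:
        value = chap_response(challenge["id"], self.secret, challenge["value"])
        return {"code": "Response", "id": challenge["id"], "value": value, "name": self.name}


def run_exchange(auth: Authenticator, peer: Peer) -> tuple[dict, dict, dict]:
    """One complete dialogue, returned as the three packets a tap would see."""
    chal = auth.challenge()
    resp = peer.respond(chal)
    result = auth.verify(resp)
    return chal, resp, result


def tap_view(packets) -> list[str]:
    """Render packets the way the Info column of the quoted capture shows them.

    This is all a passive sniffer learns: the peer NAME in clear, the
    challenge bytes and the MD5 digest; the secret itself is never sent."""
    lines = []
    for p in packets:
        if p["code"] in ("Challenge", "Response"):
            lines.append(f"{p['code']} (NAME='{p['name']}', VALUE=0x{p['value'].hex()})")
        else:
            lines.append(f"{p['code']} (MESSAGE='{p['message']}')")
    return lines


if __name__ == "__main__":
    # Constructed example names and secret; not anyone's real credentials.
    bras = Authenticator("bras.example", {"user@example.isp": b"correct horse"})
    cpe = Peer("user@example.isp", b"correct horse")
    for line in tap_view(run_exchange(bras, cpe)):
        print(line)
```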
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 05:59:54 PM
Or possibly one of these.

https://greatscottgadgets.com/throwingstar/

I bought one to use for exactly that reason before I worked out how to achieve using the ISPs own router. If you have limited access to the SX300 you might be able to do the same.

Interesting in its simplicity. However one will need to monitor both directions, simultaneously, to capture the full CHAP dialogue. Or am I just a little bit confused?  :-\

How about taking two Ethernet patch leads, cutting each one in half and then wiring the four halves to emulate the Throwing Star LAN Tap?
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 11, 2017, 06:06:36 PM
From my reading of everyone's advice, so far, the TP-LINK TL-SG105E would be an appropriate device.

b*cat performs one of his best Japanese bows towards d2d4j, u*zone and i*net in acknowledgement of their helpful contributions.

Ok have ordered the TP Link TL-SG105E from Amazon. Once it arrives, I will hook everything up as described earlier & run Wireshark in Windows 7.



Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 11, 2017, 06:10:32 PM
Interesting in its simplicity. However one will need to monitor both directions, simultaneously, to capture the full CHAP dialogue. Or am I just a little bit confused?  :-\

How about taking two Ethernet patch leads, cutting each one in half and then wiring the four halves to emulate the Throwing Star LAN Tap?

I have to admit I never assembled the device because I could use the router. I think I'll check out what is achievable.

From the description on the site you'd need to connect a cat 5 to each of the passive ports to capture in both directions. Exactly as you say B*cat.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 06:17:39 PM
From the description on the site you'd need to connect a cat 5 to each of the passive ports to capture in both directions. Exactly as you say B*cat.

So one would need a computer with two Ethernet ports, which would be bonded together, software wise. The bond interface would then be the subject of the Wireshark session.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 11, 2017, 06:23:55 PM
So one would need a computer with two Ethernet ports, which would be bonded together, software wise. The bond interface would then be the subject of the Wireshark session.

That's how I read it too. I might have to assemble and find out now. Begs the question, why not just use two usb ethernet adapters and bridge. Sniff the bridge.

Academic now as psychopomp1 has a TP-Link device winging its way.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: d2d4j on June 11, 2017, 06:50:21 PM
Hi

Sorry, I may not have remembered correctly, but if using a dumb hub, Wireshark or a sniffer may show all from all ports, including your pc, as it floods all ports

Only a port mirror with all protocols disabled on the mirror would only show the full capture from the correct port (or device attached to the port)

I could be wrong, sorry, and I have not looked at the TP-Link link, sorry, so this may be capable of full mirroring

Many thanks

John
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 11, 2017, 07:03:12 PM
Hi d2d4j,

A hub does forward all traffic to all ports as it does not "remember" which MAC is on which port. A switch with a port mirror facility "should" forward all send/receive packets seen on the monitored port to the designated mirror port. Looking at the TP-Link docs this switch should be just the ticket.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 11, 2017, 08:48:02 PM
Looking at page 25 (mirroring instructions) for the TP Link SG105E here:

http://static.tp-link.com/Easy%20Smart%20Switch_User%20Guide.pdf

I just need to mirror 2 ports, 1 going to the Openreach ONT (both ingress & outgress) and 1 going to the SRX300 (again both ingress & outgress) and the results going to the mirroring port which is the port connected to my PC. Wireshark would then have the necessary data.

I guess no further config would be required on the TP Link? (other than making sure the firmware is up to date)
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 08:51:41 PM
. . . why not just use two usb ethernet adapters and bridge. Sniff the bridge.

Ah, that's an interesting idea. Thank you for mentioning it.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 09:03:15 PM
I just need to mirror 2 ports, 1 going to the Openreach ONT (both ingress & outgress) and 1 going to the SRX300 (again both ingress & outgress) and the results going to the mirroring port which is the port connected to my PC.

Let's say that you connect the HG8240 to port 1, the SRX300 to port 5 and your PC, running Wireshark, to port 3. At first glance --

Port 3 would be defined as the mirroring port.
Port 1 would be defined as a mirrored port, both ingress and egress.
Port 5 would be defined as a mirrored port, both ingress and egress.

But . . . isn't that overdoing it?  :-\  Surely ingress on port 1 will be egress on port 5 and ingress on port 5 will be egress on port 1 (as you will not have any other devices connected to the SG105E). So just define port 3 as the mirroring port and port 5 as the mirrored port (both ways; ingress and egress). That will simplify the configuration.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 11, 2017, 09:15:26 PM
You're right, I was over complicating matters ::) Simpler to define 1 mirrored port (both ways) and 1 mirroring port (going to pc)
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: niemand on June 11, 2017, 10:28:06 PM
Of the two techniques, I suspect that dechap may prove to be the easier as both the size of the password (i.e. its "width") and the character set that is used are unknowns.

I'm reasonably sure you suspect wrong. If doing basic brute force Hashcat can be told which alphabet, permutations and lengths to try, though it doesn't matter as it very rapidly gets unfeasible once the password goes beyond a handful of characters if it's using a larger character set. Even 8 characters is extremely tricky with a larger set.

A dictionary attack with manipulations might be the best option.

In fact I think getting to this is a job for Computerphile. :)

[youtube]https://www.youtube.com/watch?v=7U-RbOKanYs[/youtube]
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 11, 2017, 11:15:59 PM
If doing basic brute force Hashcat can be told which alphabet, permutations and lengths to try, though it doesn't matter as it very rapidly gets unfeasible once the password goes beyond a handful of characters if it's using a larger character set. Even 8 characters is extremely tricky with a larger set.

We both agree that the character-set size and the password width (size) are unknowns. So I am rather puzzled as how the advanced features of Hashcat could be used.

So far, I have not found any reports of successful usage of Foeh Mannay (https://www.blogger.com/profile/10422929908647460238)'s dechap (https://github.com/theclam/dechap) utility. However that does not mean that the utility will not work.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: niemand on June 12, 2017, 09:41:12 PM
In security terms password width isn't the length of the password, it's the character set size used by a single password.

A simple script to run Hashcat with the largest reasonable width working up from a single character to whatever length is computationally feasible would work. Assume a set comprising upper and lower case, numbers and basic symbols to encompass the usual suspects.

The best bet by a mile though is, assuming the password isn't random, and if it is it's likely too long to brute force, a dictionary and manipulations attack. Unless the password is short and/or narrow brute force isn't going to work.

Password length is length, width the character set used, which alongside length provides resilience against brute force, password depth provides resilience against dictionary attacks by avoiding common combinations of characters.

Hope this helps explain.  :)
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: Dray on June 12, 2017, 09:48:28 PM
You are aware that brute force has been shown to work?
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 12, 2017, 10:06:33 PM
From my recent personal experience I can tell you that as good as dechap is it is only CPU bound and not multithreaded. Even running 8 instances of a 4GHz i7 at 100% would equate to more than 40 days with 8 position upper/lower/number without the overhead of disk i/o

Also dechap requires the password file or, in the case of multiple cores, several password files, which is hundreds of TBs.

The only option if you can capture the packet flow is hashcat using GPU and the method described by chrislad in the Vodafone HHG2500 thread
http://forum.kitz.co.uk/index.php/topic,18911.301.html
http://forum.kitz.co.uk/index.php/topic,18911.msg348418.html#msg348418

If you don't know the length I'd start with 6 and increment up from there.

Dechap is really good as a code example and helped me an awful lot on my journey, it's just not viable on anything more than 6 positions if you have no idea how the password is constructed.

[Moderator edited to change the above link to point directly to the post so referenced.]
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 12, 2017, 11:54:30 PM
Thanks for that bish, should receive the TP link kit tomorrow so hopefully can start working on this very soon.

Earlier today asked Fluidone again for login credentials but was given the middle finger so you guys are my last hope  :fingers:
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 13, 2017, 12:48:29 AM
. . . should receive the TP link kit tomorrow so hopefully can start working on this very soon.

I've just had a sudden thought.

What will "Senior Management" [1] say when she sees that you have added even more equipment into the Ethernet link?  :angel:

[1] A.k.a. "Her Indoors", a.k.a. "She Who Must be Obeyed".
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 13, 2017, 10:25:12 AM
What will "Senior Management" [1] say when she sees that you have added even more equipment into the Ethernet link?  :angel:

Don't want to think about that! <shudders>  :o :o
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 13, 2017, 07:46:48 PM
Ok managed to hook up the tp link switch and was able to capture data going to & from the Juniper. However I couldn't see any info remotely resembling login credentials.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: 4uture on June 13, 2017, 07:52:51 PM
I had a look at your capture file, and there's no chap challenge-response in there. The point is, you need to trigger a re-authentication. Did you do that? I think in your case you can only do so by rebooting the Juniper.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 13, 2017, 08:05:51 PM
Earlier this afternoon, I had a sudden thought of the Watchfront FireBrick FB105 (http://www.firebrick.co.uk/products_105.php) that I have stored in The Grotto.

After a quick device reset, to ensure that it has a default, sane, state, it was connected between my LAN and one directly-connected computer. Checking the "Setup Menu" showed that I had remembered correctly, there is a "Port Monitoring" setup page. I feel that another experiment will be required.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 13, 2017, 08:17:00 PM
Thanks 4uture. Yes, when hooking up the TP-Link switch I rebooted the Juniper; however I started the capture 5-10 mins after the Juniper was restarted so perhaps the login info/chap challenge is only transmitted right at the beginning, i.e. maybe it's not being transmitted continuously.

Once I can prise the other half away from the MAG box (otherwise she'll go bananas if her streams are disrupted  :lol:), I'll have another go at capturing the data - this time right from the moment the Juniper starts transmitting.

Thanks again  :)
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 13, 2017, 08:39:46 PM
Attached below is the ASCII text equivalent of your initial capture attempt.

Building on what 4uture has recommended, I will suggest that you power off either the HG8240 or the SRX300.

Begin a Wireshark capture and once it is active, power on whichever device is currently off. Very soon, after power on, you should see at least two, possibly three, lines which show as "PPP CHAP" in the "Protocol" column. They are the lines that you will require.

Back in Reply #21 (http://forum.kitz.co.uk/index.php/topic,19859.msg349168.html#msg349168) I showed a (spoof) example from one of my own capture attempts.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 13, 2017, 09:43:43 PM
Ok looks like I've got my username at least which ends @BURST.NET as this is the same as what is shown on my Fluidone portal. But how do I get the password?

Edit: removed my captures from public view






Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 13, 2017, 11:20:06 PM
For some reason I am unable to download your latest capture file.  :(

I agree with your deduction, "blah-blah@BURST.net" appears to be your login username to the bRAS.

Will you please reload that capture file into Wireshark, filter the display for "chap" and then see how many Challenge-Response line pairs are present. Looking at the image you've displayed, there are three line pairs and only the third pairing has a following "Success" line.

If you look a little deeper into Wireshark, you will find that there is an option to print out the capture. From there, just instruct it to print to a file. The print to a file option also has its own options . . . you should be able to find what is required to print out in a similar format to that of my (spoof) example. All being well, you will have an ASCII text file containing a header and five lines of data. That ASCII text file can then be attached to a forum post.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 14, 2017, 12:08:04 AM
Does this help? This is the only info which contains PPP CHAP

(https://s8.postimg.org/d9zlg4b2t/Capture2.jpg)
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 14, 2017, 01:32:09 AM
Yes, that's the good stuff.  :)

You will need the data from lines 65 & 66 and, maybe, some help from 3b.

With that b*cat goes to his sleepy-spot.  :sleep:
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 14, 2017, 09:26:08 PM
Hi Psycopomp,

I believe this is the command you will likely need. As discussed privately, I don't have a proper GPU so rely on CPU power only inside a VM with 8 cores. This limits me to 200MHs so your experience should be significantly quicker.  You are very lucky in that the info you shared with me contains a challenge value from FluidOne PPP server of 16 bytes which fits nicely in the iSCSI/CHAP method.

You might need to use hashcat64.exe if using Windies.

So this is using the native CHAP method and using some test data I knocked up. The first hex value is the MD5 hash. The second value is the challenge from the PPP server and the third value is the identifier.

hashcat -m 4800 -a 3 -w 3 --increment --hex-charset -1 ?d?u?l  474ffb3942b64d75345dc4baeee27c24:99999999999999999999999999999999:02 ?1?1?1?1?1?1?1?1

This should reveal a password of "AbCdEf"

This is all test data so replace the 99s with the challenge value and identifier from line 58 and the MD5 hash from line 59. Challenge ends in 5376 and hash ends in d90c.

Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 14, 2017, 09:43:01 PM
Just an observation. hashcat with method 4800 (CHAP) is 200MHs and native MD5 is 300MHs despite using the same test data. I'd use native but I can't get the increment function to work with straight MD5.

It's probably me.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 14, 2017, 10:00:36 PM
Thanks bish.

Followed your instructions exactly but got the following error:

(https://s21.postimg.org/dmjmd7vvr/Capture5.jpg)

I suspect it's because I'm running the 32 bit version of hashcat on my desktop pc (it's a Win 7 32 bit system). Will try it on my laptop which has a 64 bit Win 7.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 14, 2017, 11:51:36 PM
Tried on my Win 7 (64 bit) notebook but still having issues.

First of all when I try to run a benchmark

hashcat64.exe -b

I get the error

Hashtype: MD4
clSetKernelArg<>: CL_INVALID_MEM_OBJECT

If i still go ahead with the full command I get the error

Hash <code from line 58 & 59>: Line-length exception
No hashes loaded


I'm totally lost :(

My notebook Thinkpad X220 doesn't have a dedicated GPU, I think the built-in GPU is only 128mb.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 15, 2017, 05:47:59 AM
Hi, you should make sure you have hashcat working before trying to run a crack. It's likely to be down to openCL drivers.

https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_install_hashcat
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 15, 2017, 10:45:25 AM
Ok had to uninstall the Intel HD graphics driver on my pc before I was able to install the OpenCL software. The benchmark ran ok this time.

However still getting the 'no hashes loaded' error when I run the full command, I have PM'd you the exact command I'm typing. I suspect a syntax error somewhere.

Cheers
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: 4uture on June 15, 2017, 01:19:15 PM
Hi, I can see from your screenshot that you are including 0x (which means hex) at the start of the hashes. This is not needed. An MD5 hash is always 32 (hex) characters long.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 15, 2017, 02:53:42 PM
Thanks, will retry without 0x. Just to confirm I also need to add :02 at the end of the challenge line as shown in bish's example?
Cheers
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: 4uture on June 15, 2017, 03:55:21 PM
The :02 is an identifier that you get from the packet capture. If bishbashbosh told you :02, then it's probably correct.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 15, 2017, 06:57:19 PM
Cheers 4uture.

I think I'm getting somewhere at last!

(https://s11.postimg.org/oqwc7moqr/IMG_0318.jpg)

Now bish said my password will be in the form of AbCdEf, does that mean it's definitely 6 characters long & is shown above in the Candidates.#1 field or do I have to wait until the pc finishes processing?

Cheers


Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 15, 2017, 07:38:49 PM
Hi,

No, the information I supplied was for a test set of data that you could paste verbatim into a command line and confirm that it would all work for you before embarking on the potentially massive task of cracking the pass of an unknown length.

I fabricated that data just for the purpose of a test. Run that command and make sure that works first. It should take no more than 10 mins really. From that you'll know what you are looking for.

Once that has happened and confirms everything is working, run your set of data. I have absolutely no idea how long your pass would be but more than likely between 8 and 10 chars consisting of upper/lower/number. ISPs don't seem to use symbols, probably to make it easier for support staff.

PS, is that really 72 thousand hashes per second or am I reading that wrong? A strange way of saying 72 million if not.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 15, 2017, 08:31:51 PM
Ok I think I'm understanding the process better. In the example command line you gave, at the end it said

?1?1?1?1?1?1?1?1

I take it this means that hashcat has been tasked to provide an 8 character password? Once complete will the password be displayed here:

Candidates.#1....: ABCD1234 -> EFGH5678

But why are there 2 passwords?

I should add, requesting a password length greater than 4 chars takes ages!!
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 15, 2017, 08:45:46 PM
Hi

The --increment option starts from 1 char and increments every time the number of tries for that number of chars is exhausted. eg it starts with a 1 char password and tries every combination. Then moves to two chars and tries every combination. And so forth.

Once you have confirmed the test data gives the password that we expect I would add a couple of ?1?1 to make the maximum password char length 10.

So to summarise, increment starts from 1 char and stops at the number of chars in the mask. The mask is the ?1?1?1.......

If you are really only getting 72 thousand hashes a second I would not actually bother on that hardware as at 260 million hashes a second the test data took 3 mins 4 secs. I've never tried the windies version so if it represents the speed differently then please do correct me.
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 15, 2017, 09:08:27 PM
Just a quick calculation. 8 chars at 260MHs is about 10 days. 8 chars at 72KHs is 35000 days.

Looking at the screenshot and working out that it's reporting 12 mins for completion of 6 chars and that is roughly 3.5 times longer than I was getting at 260M, I'm guessing (hoping) that's actually meaning 72 thousand thousand hashes. 72 MHs.

Odd way of reporting the speed.
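The two things this part of the thread keeps coming back to are the exact layout of the hashcat line (4uture's point that the digest is always 32 hex digits and must not carry a 0x prefix) and how long an exhaustive search takes at a given rate. The following is an added example, written for this page and not code from any poster or from hashcat: it parses a line in the digest:challenge:identifier layout used above, recomputes the RFC 1994 CHAP/MD5 response the way an authenticator does to check a peer, and turns a charset size, a length and a hash rate into a time estimate. All function names and the sample secret, identifier and challenge are this example's own.

```python
import hashlib
import hmac
import os
import re

# Added example for this thread, not code from any poster or from hashcat.
# Function names and sample values are this example's own.

# 32 hex digits : challenge hex : 2-hex-digit identifier, nothing else.
HASHCAT_CHAP_LINE = re.compile(r"^([0-9a-fA-F]{32}):([0-9a-fA-F]+):([0-9a-fA-F]{2})$")


def parse_hashcat_chap_line(line):
    """Split 'md5hex:challengehex:idhex' into (digest_hex, challenge_hex, identifier).

    Raises ValueError for the input problems seen in the thread: a '0x' prefix
    on a field, a digest that is not exactly 32 hex digits, or a challenge
    with an odd number of digits.
    """
    line = line.strip()
    if "0x" in line.lower():
        raise ValueError("remove the 0x prefix; the line is bare hex digits")
    match = HASHCAT_CHAP_LINE.match(line)
    if match is None:
        raise ValueError("expected <32 hex digest>:<challenge hex>:<2 hex identifier>")
    digest_hex, challenge_hex, ident_hex = match.groups()
    if len(challenge_hex) % 2:
        raise ValueError("challenge hex must contain whole bytes")
    return digest_hex.lower(), challenge_hex.lower(), int(ident_hex, 16)


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).

    identifier is the one-byte CHAP Identifier; secret and challenge are bytes.
    Returns the 32-digit hex string that appears in the Response packet.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single byte")
    return hashlib.md5(bytes([identifier]) + secret + challenge).hexdigest()


def make_hashcat_chap_line(identifier, secret, challenge):
    """Build a digest:challenge:identifier line for one exchange. Used here only
    to construct sample data; a real line is copied from the packet capture."""
    return "%s:%s:%02x" % (chap_response(identifier, secret, challenge),
                           challenge.hex(), identifier)


def verify_chap(line, secret):
    """The authenticator's check: recompute the response for the shared secret
    and compare it with the one received, in constant time."""
    digest_hex, challenge_hex, identifier = parse_hashcat_chap_line(line)
    expected = chap_response(identifier, secret, bytes.fromhex(challenge_hex))
    return hmac.compare_digest(expected, digest_hex)


def exhaustive_search_seconds(charset_size, max_len, hashes_per_second, increment=True):
    """Seconds to try every candidate of a mask. increment=True mirrors
    --increment, which walks lengths 1..max_len; False counts max_len only."""
    if increment:
        candidates = sum(charset_size ** n for n in range(1, max_len + 1))
    else:
        candidates = charset_size ** max_len
    return candidates / hashes_per_second


if __name__ == "__main__":
    # Constructed sample: identifier 2, secret 'AbCdEf', a random 16-byte challenge.
    challenge = os.urandom(16)
    line = make_hashcat_chap_line(2, b"AbCdEf", challenge)
    print(line)
    print("correct secret verifies:", verify_chap(line, b"AbCdEf"))
    print("wrong secret verifies:  ", verify_chap(line, b"AbCdEg"))
    # The thread's own figures: ?d?u?l is 62 symbols, 8 characters, three rates.
    for label, rate in (("260 MH/s", 260e6), ("72 MH/s", 72e6), ("72 kH/s", 72e3)):
        days = exhaustive_search_seconds(62, 8, rate, increment=False) / 86400
        print("8 chars from 62 symbols at %s: %.1f days" % (label, days))
```

Run stand-alone it prints a sample line, the two verification results and the three estimates; the 8-character figures come out at about 9.7 days at 260 MH/s and about 35,000 days at 72 kH/s, which is where bishbashbosh's "10 days" and "35000 days" come from, and the 72 MH/s reading the thread is debating sits at about 35 days. The estimate is the number that matters on the defending side: once a CHAP/MD5 exchange has been captured, every candidate secret can be checked offline with exactly the computation in chap_response, so the length and character set of the PPPoE secret are the only things standing between the capture and the credential.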
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 15, 2017, 09:19:25 PM
Double checked again, speed is definitely 72000 KH/s in Windoze 7 which probably explains why I'm finding it extremely slow  :'(
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 15, 2017, 09:27:55 PM
Hi,

Ignoring the 72000 KHs piece and working out the speed against mine and the amount of time it takes to crack, I reckon it actually means 72MHs but you'll know that once you've seen how long it takes to crack the test data. If it's 12 mins or less then it's 72MHs. If it's getting into hours then it's 72KHs.

Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 16, 2017, 09:43:32 PM
YESSSSSSS!!!

Thanks to the huge help given by bishbashbosh the SRX300 has been hacked  ;D ;D ;D ;D ;D

(lots of virtual hugs mate  :hug:)

Fed the extracted username & pw into the PPPoE WAN box on my R9000 and bingo! the R9000 is able to obtain an internet connection direct to the Openreach ONT unit. But....

My IP address has changed (I am supposed to be on an ipv4 static) so I guess it's only a matter of time before the ISP finds out that I'm no longer using the SRX300. If/when they get in touch I will grovel to them to let me use my own kit....

Once again thanks to bishbashbosh, burakkucat, ignitionet, uderzone, 4uture and others  ;D

Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 16, 2017, 09:56:08 PM
You're welcome  Psycopomp.

It was the PPPoE password that was cracked using the hashcat method before anyone gets too excited. Nothing to see here, move along, move along.

Just a thought about your IP, were you given and supplied the IP address in any documentation? If so you just need to set the WAN to static IP and gateway and all that jazz to continue. If not you could probably extract it from the capture file with a little work.

Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 16, 2017, 10:08:14 PM
Just a thought about your IP, were you given and supplied the IP address in any documentation? If so you just need to set the WAN to static IP and gateway and all that jazz to continue. If not you could probably extract it from the capture file with a little work.

Yes, I was given a static ip address, a gateway IP address (SRX300 ip address I think) and DNS server addresses which I put into my own router when it was connected to the SRX300. However putting the same details into the router when directly connected to the ONT does NOT give me a connection. I have to remove the supplied IP addresses and select 'obtain ip address automatically' in wan settings to get a connection. But at least the new IP address I'm getting appears to be static...
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: burakkucat on June 16, 2017, 10:15:07 PM
YESSSSSSS!!!

Thanks to the huge help given by bishbashbosh the SRX300 has been hacked  ;D ;D ;D ;D ;D

(lots of virtual hugs mate  :hug:)

That's what I was hoping to see.  :thumbs:  :dance:  A "purrfect" result.

Quote
Once again thanks to bishbashbosh, burakkucat, ignitionet, uderzone, 4uture and others  ;D

On behalf of all contributors: "You are welcome."  :)
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: underzone on June 16, 2017, 11:07:58 PM
Spoof the MAC address of the supplied hardware on your own equipment if you can  :fingers:
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 17, 2017, 12:10:51 AM
Spoof the MAC address of the supplied hardware on your own equipment if you can  :fingers:

I've tried that as there is an option to put in a custom MAC address in the Netgear, however I still get a different static IP address. If I then force the Netgear to use the original IP I was given for the service then I simply cannot connect...

These are the Netgear settings when I was using the SRX300: (real IPs changed)

(https://s29.postimg.org/tt2tru1p3/Capture1.jpg)

And the settings when the Netgear is connected directly to the Openreach kit: (again sensitive info has been removed/edited)

(https://s1.postimg.org/z3ykpfpwv/Capture2.jpg)
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: bishbashbosh on June 17, 2017, 06:53:58 AM
As a guess, the Juniper box might be doing some kind of NAT or routing. Are you able to get any info from the Juniper?

Looking at the capture you made are you able to find any offer of IPs from the PPP server? I think from memory it's PPP IPCP. Although static, it might be static but offered by the PPP server.

It's early and I'm off to the coal face again. Yes, on a Saturday. :no:
Title: Re: Extracting PPPoE credentials from Juniper SRX300
Post by: psychopomp1 on June 17, 2017, 08:43:13 AM
The Juniper is totally locked down, only way to get any info from it is through port mirroring.

Rather than stressing out over what may (or may not) happen, I will just continue using my connection in the new way and hope for the best  :)