---
### Challenge Description
You’ve been tasked with auditing the network at Big Corporation. We need you to obtain the OSPF authentication key being used by the router with the router ID of 172.31.2.56.
The flag is simply the cleartext key.
---
### Summary
This challenge involves extracting the OSPF authentication key from a network capture file. By analyzing the captured packets, an authentication hash is crafted from the data of one OSPF Hello packet, and that hash is then cracked with `John The Ripper`.
---
### OSPF Overview
`Open Shortest Path First` is a routing protocol used to distribute IP routing information among routers within a single Autonomous System. It is a link-state protocol, which means the routers share topology information with their adjacent peers. To make sure unauthorized routers can't influence routing decisions, key-based authentication is often configured. Our goal is to extract the authentication key from the included `pcap` file.
---
### Extract the Auth Hash
At first glance, it seems we simply have to crack the displayed MD5 hash. However, the authentication hash is not just an MD5 hash of the authentication key: the digest is computed over the OSPF packet itself, including the cryptographic sequence number carried in the header, with the key appended. Including the sequence number is what prevents replay attacks.
![[images/Pasted image 20230902173304.png]]
We need to craft a hash string that includes the necessary OSPF packet data so that a password cracking tool like `John The Ripper` can work on it.
Extract all the OSPF packets from the target router out of the packet capture by setting a display filter:
`ospf.srcrouter==172.31.2.56`
![[images/Pasted image 20230902175527.png]]
Then export the displayed packets from Wireshark (File > Export Specified Packets) to `ospf.pcapng`:
![[images/Pasted image 20230902175635.png]]
---
### Craft the Auth Hash
The following Python script takes one OSPF Hello packet from the exported capture, extracts the required fields, and prints out a hash line that `john` can use:
```python
import pyshark

# I used the following filter in Wireshark to find a packet that could be used to
# craft a password hash: ospf.srcrouter==172.31.2.56 && ospf.hello

# Pick one OSPF Hello packet from the exported capture
display_filter = "frame.number==1968"

# Load the exported capture. use_json=True together with include_raw=True exposes the
# "*_raw" fields, which tshark returns as [hex, offset, length, bitmask, type].
cap = pyshark.FileCapture("ospf.pcapng", display_filter=display_filter,
                          include_raw=True, use_json=True)

# Extract the relevant OSPF fields from the first (and only) matching packet
packet = cap[0].ospf._all_fields
header = packet["ospf.header_raw"][0]                           # 24-byte OSPF header, incl. key id and sequence number
digest = packet["ospf.header"]["ospf.auth.crypt.data_raw"][0]  # 16-byte MD5 digest appended to the packet
hello = packet["ospf.hello_raw"][0]                             # Hello body that follows the header
cap.close()

# john's netmd5 format: $netmd5$<packet bytes without the digest>$<md5 digest>
netmd5_hash = f"$netmd5${header}{hello}${digest}"
print(netmd5_hash)
```
Output:
```
$netmd5$02010030ac1f023800000000000000020000011060c7a4a0fffffffc000302010000000c0000000000000000ac1f0365$533ff289f7155fec0022869293e26676
```
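To make the hash format concrete, here is an added example (not part of the original writeup) that decodes the OSPF header from the packet bytes in the `$netmd5$` line above, recomputes the RFC 2328 D.4.3 digest (MD5 over the packet followed by the key zero-padded to 16 bytes, which is also how `john`'s `netmd5` format is built), and checks a candidate key against a captured digest; changing the sequence number makes the same digest fail, which is the replay protection mentioned in the previous section. The sample packet and digest are the bytes from the output above; the function names are my own.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Sample taken from the $netmd5$ line above: 48 packet bytes (24-byte header + 24-byte Hello) and the 16-byte digest
SAMPLE_PACKET = bytes.fromhex(
    "02010030ac1f023800000000000000020000011060c7a4a0"
    "fffffffc000302010000000c0000000000000000ac1f0365")
SAMPLE_DIGEST = bytes.fromhex("533ff289f7155fec0022869293e26676")

def parse_ospf_header(packet: bytes) -> dict:
    """Decode the 24-byte OSPFv2 header (RFC 2328 A.3.1) with an AuType 2 (cryptographic) auth field."""
    version, ptype, length, rid, area, _checksum, autype = struct.unpack("!BBHIIHH", packet[:16])
    if autype != 2:
        raise ValueError(f"AuType {autype} is not cryptographic authentication")
    # With AuType 2 the 8-byte auth field holds: reserved(2), key id(1), auth data length(1), sequence number(4)
    _reserved, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    return {"version": version, "type": ptype, "length": length,
            "router_id": str(IPv4Address(rid)), "area": str(IPv4Address(area)),
            "key_id": key_id, "auth_len": auth_len, "seq": seq}

def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet followed by the key zero-padded to 16 bytes."""
    key_bytes = key.encode()
    if len(key_bytes) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return hashlib.md5(packet + key_bytes.ljust(16, b"\x00")).digest()

def verify_ospf_md5(packet: bytes, digest: bytes, key: str) -> bool:
    """True if the digest that trails the packet matches the one recomputed with this key."""
    hdr = parse_ospf_header(packet)
    if hdr["length"] != len(packet) or hdr["auth_len"] != 16 or len(digest) != 16:
        return False
    return hmac.compare_digest(ospf_md5_digest(packet, key), digest)

def john_netmd5_line(packet: bytes, digest: bytes) -> str:
    """Render packet bytes and digest as a line in john's netmd5 format."""
    return f"$netmd5${packet.hex()}${digest.hex()}"

def with_sequence(packet: bytes, seq: int) -> bytes:
    """Copy of the packet with a different cryptographic sequence number (bytes 20-23 of the header)."""
    return packet[:20] + struct.pack("!I", seq) + packet[24:]

if __name__ == "__main__":
    print(parse_ospf_header(SAMPLE_PACKET))
    print(john_netmd5_line(SAMPLE_PACKET, SAMPLE_DIGEST))
    print("candidate key verifies:", verify_ospf_md5(SAMPLE_PACKET, SAMPLE_DIGEST, "missingyou"))
```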
---
### Crack the Auth Hash
Run the following commands to crack the hash using `john`:
```bash
echo '$netmd5$02010030ac1f023800000000000000020000011060c7a4a0fffffffc000302010000000c0000000000000000ac1f0365$533ff289f7155fec0022869293e26676' > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```
![[images/Pasted image 20230902175911.png]]
Flag: `missingyou`