Pre-shared Key

Author
FGFan
New Member
2016/05/25 02:16:10 (permalink)

Pre-shared Key

Hi all, 
I configured a remote VPN using IPsec and forgot the pre-shared key I had configured, so I couldn't connect from FortiClient. I did a "show" of the config and got the pre-shared key, but it was encrypted. There are some applications that can decrypt that string, but I don't know which default encryption method FortiGate uses to make the pre-shared key (MD5, 3DES...?). Can anyone tell me? Thanks a lot!
#1
ede_pfau
Expert Member
Location: Heidelberg, Germany
Re: Pre-shared Key 2016/05/25 04:41:44 (permalink)
This topic will not die...no, there is no (known) way to decrypt 'ENC' entries in the config.
You will have to insert a new password on both sides.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#2
gammuts
New Member
Re: Pre-shared Key 2018/12/21 07:19:06 (permalink)
ENC passwords can be decrypted. I just found a way to do so. In fact, I found two methods for FortiOS 5.6.7. Your mileage may vary for other versions though.
 
Method 1:
1) Log in to the web interface as a (super?) admin.
2) Change your url/path to /api/v2/cmdb/vpn.ipsec/phase1-interface (edited after post about ticking bomb)
3) Firefox understands the JSON reply. I hope your browser does too. Search for psksecret on the page.
4) Notice that the psksecret is "ENC XXXX"
5) With the proper option, one can ask the FortiGate to give you the decrypted password. My original post contained the actual option, but perhaps that is not wise/secure at this moment. I changed this post after reading about "ticking bomb".
 
Method 2:
I also changed this part. It gave a full solution for decrypting passwords. It had something to do with WiFi PSKs. It is a fairly straightforward solution that anyone could or should have found who understands that "ENC XXXX" must mean that reversible encryption is used. As a matter of fact, the cookbook https://cookbook.fortinet.com/encryption-hash-used-by-fortios-for-local-pwdpsk/ will tell you just the same. It will also tell you that AES encryption is used, but https://docs.fortinet.com/uploaded/files/3624/fortigate-hardening-your-fortigate-56.pdf disagrees with that when not running in FIPS mode and says it is only DES: "Pre-shared keys in IPSec phase-1 configurations are stored in plain text. In the configuration file these pre-shared keys are encoded. The encoding consists of encrypting the password with a fixed key using DES (AES in FIPS mode) and then Base64 encoding the result."


post edited by gammuts - 2018/12/21 14:29:37
#3
emnoc
Expert Member
Location: AUSTIN TX AREA
Re: Pre-shared Key 2018/12/21 09:47:23 (permalink)
I don't think that would work on the FortiClient encrypted password, but OP, please try and let us know. This might raise a lot of eyes on how secure our configs are, especially with GOV that wants or expects full encryption against config interception.
 
Ken Felix
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#4
ede_pfau
Expert Member
Location: Heidelberg, Germany
Re: Pre-shared Key 2018/12/21 10:11:28 (permalink)
uh-oh! tested and it worked...this is a ticking bomb.
Hopefully someone from FTNT reads this...

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#5
gammuts
New Member
Re: Pre-shared Key 2018/12/21 13:54:10 (permalink)
Well, someone from FTNT authorized my post. Furthermore, we already know that the psksecret has to be stored with reversible encryption (not hashing). If you do not believe me, check the cookbook https://cookbook.fortinet.com/encryption-hash-used-by-fortios-for-local-pwdpsk/. The PSK for VPNs has to be known as plain text. Since any two FortiGates only share FortiOS, the master key(s) must be built into FortiOS. (Remember that a config from one FortiGate will work on another FortiGate perfectly. And the configuration file does not seem to start with an (encoded) master key.)
 
I just found two ways to work around the problem of having to find the one master key. The WiFi solution was found by just thinking outside the box. Anyone could (or should) have found that one. It amazes me that no one else has posted it publicly (or my Google Foo is embarrassing).
 
In what way would it be a ticking bomb? One does not post configuration files publicly. I wouldn't post even hashes of my passwords. Furthermore, configuration files can be encrypted. Either by FortiOS, or by yourself once you downloaded one.
 
But if you think it is a ticking bomb, I could of course change/edit my posts and hide crucial details. But can you elaborate a bit on why it is a ticking bomb? (Or should we start a separate topic?)
 
#6
ede_pfau
Expert Member
Location: Heidelberg, Germany
Re: Pre-shared Key 2018/12/22 13:55:31 (permalink)
Sorry if you got me wrong, no need to re-edit your post at all. Bringing a fact out into the open is a one-way street, so to say. It's an illusion (in my mind) that you could withhold information, especially after publishing it once. On the contrary, to enhance the situation this kind of information should be made known as much as possible.
 
What I meant with 'ticking bomb' is that up to the practical proof I didn't expect that a config file would reveal passwords in such an easy way. And thus handled them more or less as non-critical.
 
For practical and legally acceptable purposes, knowing these methods is good news. But it does pose a security risk as the awareness is not yet established. One day when everybody knows that one should treat a config file as delicately as a sheet with cleartext passwords, the risk will be minimal. So IMHO publishing it here in the forums is the best way to quickly disperse the information. Thank you for making us aware of this risk.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#7
gammuts
New Member
Re: Pre-shared Key 2019/01/02 06:44:14 (permalink)
I did get you wrong then. No problem. Let me show it again then:
 
Method 1:
1) Log in to the web interface as a (super?) admin.
2) Change your url/path to https://your-fortigate-ip...?plain-text-password=1
3) Firefox understands the JSON reply. I hope your browser does too. Search for the term "psksecret" on the page. Passwords/secrets should be listed as plain text passwords now.
4) FWIW: When testing without "?plain-text-password=1", you will get 'psksecret: "ENC XXXX"'
 
Method 2:
You can always view the Pre-Shared Key of a WiFi SSID via the GUI. But since FortiGate/FortiOS uses the same algorithm for storing these passwords as for (say) phase1 PSK's, you can simply:
  • Create a dummy SSID via the GUI.
  • Change the password from the CLI:
        config wireless-controller vap
            edit "dummy-decrypt"
                set passphrase ENC some-base64-string-from-phase1-PSK
            next
        end
  • Go back to the GUI.
  • Edit the dummy SSID.
  • Push the eye icon to reveal the SSID/PSK/whatever password.
 
The (AES) key must be hardcoded somewhere in FortiOS (since a FortiVM can decode passwords as well). Has anyone ever attempted to recover the one key? There is little to gain because we already found a fairly easy and not time-consuming method, but a one-liner with openssl would be cooler :-).
#8
Mr.J
New Member
Re: Pre-shared Key 2019/03/19 23:52:02 (permalink)
Dear all,
 
Just to have it checked: I have tested this with some other "encrypted" passwords (e.g. admin, local user, OSPF, SNMP user, certificate) on the FortiGate. This seems to be possible only with pre-shared keys and SSID passphrases.
 
As described under the following link, posted by gammuts, the other passwords are hashed and encoded.
https://cookbook.fortinet.com/encryption-hash-used-by-fortios-for-local-pwdpsk/
 
Best regards
 
Jo
 
post edited by Mr.J - 2019/03/20 00:26:43
#9
gammuts
New Member
Re: Pre-shared Key 2019/03/20 03:43:21 (permalink)
Mr.J wrote:
> Just to have it checked: I have tested this with some other "encrypted" passwords (e.g. admin, local user, OSPF, SNMP user, certificate) on the FortiGate. This seems to be possible only with pre-shared keys and SSID passphrases.

 
Can you elaborate a bit on this? We agree on admin, localuser: those are encrypted hashes and therefore not very valuable imho. But I am able to decrypt snmpuser as configured in "config system snmp user" and I am able to decrypt private keys as configured in "config certificate local".
 
Let us for instance decrypt this configuration part:
config certificate local
    edit "Fortinet_CA_Untrusted"
        set password ENC 1Fuy5e9Sn/7ZwlDObvvfCBOHCTxArb8vN9eyECepCD7c0K/x9CFqcyEQViix+3e85UWkB78sz6riIQjnRNkg5PI5XJJDfod0RUe95qE9O0I4MkSVPZ+0I3rse6Jf1LpUdjOMiacmzwKrMeuiPQkLZwg6Oo3AMMv9tWGohWK8jZTEcuuc5HT63L6BVYlU2LFRsYBf/w==
        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIph4PVL2RhxgCAggA
(...)
        set certificate "-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIIL/bv+KE0v8swDQYJKoZIhvcNAQELBQAwga4xCzAJBgNV
(...)
        set scep-url ''
        set range global
        set source factory
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
    next
end
 
I can get the password if I enter this:
config wireless vap
  edit wirelessdummy
    set passphrase ENC 1Fuy5e9Sn/7ZwlDObvvfCBOHCTxArb8vN9eyECepCD7c0K/x9CFqcyEQViix+3e85UWkB78sz6riIQjnRNkg5PI5XJJDfod0RUe95qE9O0I4MkSVPZ+0I3rse6Jf1LpUdjOMiacmzwKrMeuiPQkLZwg6Oo3AMMv9tWGohWK8jZTEcuuc5HT63L6BVYlU2LFRsYBf/w==
    set ssid dummy
    set vdom root
  next
end
 
FWIW: The password I get via the GUI, is '62b47da31ba2a980e751e96164bc5a97ae53e3dda0e76324a66ab47e342c18'.
FWIW2: To confirm that this private key password is right, I copied the encrypted private key to a file, and decrypted it with openssl, for example:
 
openssl rsa -in Fortinet_CA_Untrusted.key.pem -noout -text -passin pass:62b47da31ba2a980e751e96164bc5a97ae53e3dda0e76324a66ab47e342c18
#10
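The audit step implied by posts #8 and #10 (find every reversibly stored secret in a config dump, say how it is stored, and prepare the VAP reveal block for it), as an added example that is not part of the thread and not Fortinet code. It assumes only what the thread establishes: one-line `set <field> ENC <base64>` values are reversibly encrypted except under `config system admin`, where the thread and the cookbook it cites say the value is a hash, and any such blob can be pasted as a wireless VAP passphrase and revealed with the eye icon. The `Fortinet_CA_Untrusted` blob is the one quoted in post #10; the other ENC values in the sample config are constructed placeholders, the `auth-pwd` field name for the SNMP user is assumed, and the parser and snippet generator are hypothetical helpers, not FortiOS tooling. The decoded byte count is reported as-is; nothing here infers the cipher from it.

```python
"""Scan a FortiOS config for 'ENC <base64>' secrets and prepare the VAP reveal step.

Added example, not from the forum thread or from Fortinet. Assumptions (per the
thread): ENC values are reversible except under 'config system admin' (hashes),
and any such blob can be reused as a wireless VAP passphrase and revealed in the
GUI. Field names not quoted in the thread (e.g. auth-pwd) are assumed.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Sections the thread (and the cookbook it cites) describe as hashed, not reversible.
HASHED_SECTIONS = ("system admin",)

# One-line 'set <field> ENC <base64>'; multi-line PEM values never match this.
_SET_ENC = re.compile(r"^set\s+(?P<field>[\w-]+)\s+ENC\s+(?P<blob>[A-Za-z0-9+/=]+)$")


@dataclass
class EncSecret:
    path: str         # config/edit nesting, e.g. 'certificate local "Fortinet_CA_Untrusted"'
    field: str        # e.g. 'password', 'psksecret', 'passphrase'
    blob: str         # base64 text after 'ENC '
    decoded_len: int  # bytes after base64 decoding, -1 if the blob is not valid base64
    reversible: bool  # False only for sections known to store hashes


def parse_enc_secrets(config_text: str) -> list[EncSecret]:
    """Walk the config, tracking config/edit nesting, and collect every ENC value."""
    stack: list[str] = []
    found: list[EncSecret] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line[len("edit "):])
        elif line in ("next", "end") and stack:
            stack.pop()
        elif (m := _SET_ENC.match(line)):
            path = " ".join(stack)
            try:
                decoded_len = len(base64.b64decode(m["blob"]))
            except binascii.Error:
                decoded_len = -1
            found.append(EncSecret(path, m["field"], m["blob"], decoded_len,
                                   reversible=not path.startswith(HASHED_SECTIONS)))
    return found


def vap_reveal_snippet(secret: EncSecret, name: str = "dummy-decrypt", vdom: str = "root") -> str:
    """CLI block for the thread's method 2: reuse the blob as a WiFi passphrase,
    then reveal it with the eye icon on the SSID's GUI page."""
    return "\n".join([
        "config wireless-controller vap",
        f'    edit "{name}"',
        f"        set ssid {name}",
        f"        set vdom {vdom}",
        f"        set passphrase ENC {secret.blob}",
        "    next",
        "end",
    ])


def report(config_text: str) -> list[str]:
    """One line per ENC value: where it is, how long it is, and whether the trick applies."""
    lines = []
    for s in parse_enc_secrets(config_text):
        status = "reversible (VAP trick applies)" if s.reversible else "hash (not recoverable this way)"
        lines.append(f"{s.path} / {s.field}: {len(s.blob)} base64 chars, {s.decoded_len} bytes, {status}")
    return lines


# Blob quoted in post #10 (private-key password of Fortinet_CA_Untrusted), 200 base64 chars.
PAGE_BLOB = "1Fuy5e9Sn/7ZwlDObvvfCBOHCTxArb8vN9eyECepCD7c0K/x9CFqcyEQViix+3e85UWkB78sz6riIQjnRNkg5PI5XJJDfod0RUe95qE9O0I4MkSVPZ+0I3rse6Jf1LpUdjOMiacmzwKrMeuiPQkLZwg6Oo3AMMv9tWGohWK8jZTEcuuc5HT63L6BVYlU2LFRsYBf/w=="

# Constructed placeholder for the other ENC fields; not a real FortiOS blob.
_FAKE = base64.b64encode(b"constructed placeholder, not a real FortiOS blob").decode()

# Constructed config excerpt; only the certificate entry mirrors the one quoted in the thread.
SAMPLE_CONFIG = f"""
config system admin
    edit "admin"
        set password ENC {_FAKE}
    next
end
config vpn ipsec phase1-interface
    edit "branch-office"
        set psksecret ENC {_FAKE}
    next
end
config system snmp user
    edit "monitor"
        set auth-pwd ENC {_FAKE}
    next
end
config certificate local
    edit "Fortinet_CA_Untrusted"
        set password ENC {PAGE_BLOB}
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIph4PVL2RhxgCAggA
-----END ENCRYPTED PRIVATE KEY-----"
    next
end
"""

if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
    for s in parse_enc_secrets(SAMPLE_CONFIG):
        if s.reversible:
            print(f"\n# paste on the FortiGate, then open the SSID {s.path} / {s.field} came from:")
            print(vap_reveal_snippet(s))
```

Run it against a real `show full-configuration` dump by replacing `SAMPLE_CONFIG`; every line the report marks reversible is a secret an attacker with the config file can recover on any FortiGate, which is the reason the thread concludes a config backup must be handled like a cleartext password sheet.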
Mr.J
New Member
Re: Pre-shared Key 2019/03/20 04:43:25 (permalink)
Oh my god, you are right.
I had previously tried a lot with the API, and there the plaintext passwords are not displayed.
I have now tried a lot of passwords and they can be decrypted via the VAP method.
Also the passwords from local users.
 
It looks like you can decrypt all passwords that have a base64 string of 200 characters.
It looks like the API call only works with wireless and IPsec.

I find it extremely remarkable that almost all passwords can be decrypted.
 
Best regards
#11
emnoc
Expert Member
Location: AUSTIN TX AREA
Re: Pre-shared Key 2019/03/21 12:10:12 (permalink)
Gammuts is the man of the hour, good job and a good find.

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#12