RIPv2
#1
Has anyone used Hashcat against RIPv2? It is keyed MD5 and I've taken a very quick look at the RFC and didn't understand a word of it so before I start learning all about keyed MD5 I thought I'd check if someone has already worked out how to do it.

http://tools.ietf.org/html/draft-ietf-ripv2-md5-03
#2
any updates on this?
#3
Looks like it's the same as OSPF (and BGP if memory serves me) and they are like this: salt is the whole binary packet (in OSPF case minimum 44 bytes and maximum a lot more) and password is either truncated or null-padded to exactly 16 characters. Then just md5(s.p). It will normally be at least two rounds of MD5 due to salt length.
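The construction magnum describes (whole packet as salt, key truncated or null-padded to 16 bytes, then plain MD5), worked through for RIPv2 as an added example that is not code from the thread or from hashcat. The packet layout follows RFC 2082, the published form of the draft linked in post #1; key id, sequence number, route and key are constructed sample values. The block builds a signed RIPv2 response, verifies a captured packet against a candidate key, and counts the MD5 compression rounds a single candidate costs, which is where the "at least two rounds" remark comes from.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example, not code from the thread. Packet layout follows RFC 2082
# (the published form of the draft linked in post #1); key id, sequence
# number, route and key are constructed sample values.

KEY_LEN = 16  # size of the authentication data field that carries the digest


def pad_key(password: bytes) -> bytes:
    """Truncate or null-pad the configured key to exactly 16 bytes, as the router does."""
    return password[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def build_ripv2_body(key_id: int, seq: int, routes) -> bytes:
    """Everything on the wire before the 16-byte digest: RIP-2 header,
    MD5 authentication entry, route entries, and the trailer marker.
    routes: iterable of (network, mask, next_hop, metric)."""
    entries = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0,
                    ipaddress.ip_address(net).packed,
                    ipaddress.ip_address(mask).packed,
                    ipaddress.ip_address(nh).packed, metric)
        for net, mask, nh, metric in routes)
    header = struct.pack("!BBH", 2, 2, 0)            # command=2 (response), version=2
    pkt_len = len(header) + 20 + len(entries)         # offset of the authentication trailer
    auth = struct.pack("!HHHBBI8x", 0xFFFF, 3, pkt_len, key_id, KEY_LEN, seq)  # type 3 = keyed MD5
    trailer_marker = struct.pack("!HH", 0xFFFF, 1)
    return header + auth + entries + trailer_marker


def keyed_md5(body: bytes, password: bytes) -> bytes:
    """MD5 over the packet with the padded key sitting where the digest goes on the wire:
    md5($salt . $pass) with the whole packet as salt, exactly as post #3 describes."""
    return hashlib.md5(body + pad_key(password)).digest()


def sign(body: bytes, password: bytes) -> bytes:
    """Append the digest to produce the packet as it appears on the wire."""
    return body + keyed_md5(body, password)


def split_packet(packet: bytes):
    """Separate a captured packet into the salt part and the trailing 16-byte digest."""
    return packet[:-KEY_LEN], packet[-KEY_LEN:]


def verify(packet: bytes, password: bytes) -> bool:
    """True if the captured packet was authenticated with this key (constant-time compare)."""
    body, digest = split_packet(packet)
    return hmac.compare_digest(keyed_md5(body, password), digest)


def md5_blocks(packet: bytes) -> int:
    """64-byte MD5 compression rounds per candidate key: the message is body + 16-byte key,
    plus one 0x80 padding byte and the 8-byte length field, rounded up to a 64-byte block."""
    body, _ = split_packet(packet)
    return (len(body) + KEY_LEN + 9 + 63) // 64


# Constructed sample: one route, key id 1, sequence 42, key "r1p-s3cret".
SAMPLE_KEY = b"r1p-s3cret"
SAMPLE_PACKET = sign(build_ripv2_body(1, 42, [("10.1.0.0", "255.255.0.0", "0.0.0.0", 2)]),
                     SAMPLE_KEY)

if __name__ == "__main__":
    body, digest = split_packet(SAMPLE_PACKET)
    print("salt (hex):", body.hex())
    print("digest    :", digest.hex())
    print("verifies with correct key:", verify(SAMPLE_PACKET, SAMPLE_KEY))
    print("MD5 blocks per candidate :", md5_blocks(SAMPLE_PACKET))
```

Two consequences of the padding rule are visible in `verify`: any key longer than 16 bytes is equivalent to its first 16 bytes, and a key with trailing NUL bytes is equivalent to the same key without them, so a wordlist check only needs to cover 16-byte candidates.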
#4
Thanks magnum!

In this case you can -not- use hashcat to crack RIPv2. But it's easy to add.

@digininja: can you provide example hash and plain in their "natural" form? That is extracted with the tool which is usually used to extract it so that we can write a parser for that form.
#5
Hello atom,

I'm interested in BGP md5 as described in RFC2385.
This is based on TCP md5 option.
OSPF and RIP may be a little different because these protocols are not using TCP.

The BGP packet is modified and the md5 hash value is calculated:
- ip pseudo header
- tcp header
- tcp data (may be empty)
- password

I can do the modification of the BGP packet either manually or by a short script.

So calculating md5($salt.$pass) may provide the result.
salt consists of any hex value; pass probably of printable ASCII.

My question is: can I use hashcat as is to crack the BGP password or must hashcat be extended for this?

(10-22-2013, 09:48 AM)atom Wrote: Thanks magnum!

In this case you can -not- use hashcat to crack RIPv2. But it's easy to add.

@digininja: can you provide example hash and plain in their "natural" form? That is extracted with the tool which is usually used to extract it so that we can write a parser for that form.
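The BGP case from post #5, the RFC 2385 TCP MD5 option, as an added example that is not code from the thread or from hashcat. The digest input order (pseudo header, TCP header, data, key) is the one the post lists; two details come from RFC 2385 rather than the post: the TCP header goes in without its options and with the checksum field set to zero, and the key is appended as-is with no padding, unlike the RIP/OSPF case in post #3. Addresses, ports, sequence numbers and the key are constructed sample values; the payload is a BGP KEEPALIVE message (16 marker bytes, length 19, type 4). The block signs a segment, locates the MD5 option (kind 19, length 18) in a captured segment and verifies it against a candidate key.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example, not code from the thread. Digest construction per RFC 2385;
# all addresses, ports, sequence numbers and the key are constructed samples.

TCP_PROTO = 6
MD5_OPT_KIND = 19    # TCP option kind for the MD5 signature option
MD5_OPT_LEN = 18     # kind(1) + length(1) + 16-byte digest
BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # marker, length 19, type 4


def pseudo_header(src: str, dst: str, segment_len: int) -> bytes:
    """Checksum-style pseudo header: src, dst, zero, protocol, TCP length (header+options+data)."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!BBH", 0, TCP_PROTO, segment_len))


def base_tcp_header(sport, dport, seq, ack, flags, window, data_offset_words) -> bytes:
    """20-byte TCP header; checksum and urgent pointer left at zero."""
    offset_flags = (data_offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def digest_input_prefix(src: str, dst: str, base_hdr20: bytes, options: bytes, data: bytes) -> bytes:
    """Everything MD5 sees before the key: the $salt in md5($salt.$pass) terms.
    Options only contribute through the segment length; the checksum is zeroed."""
    hdr = base_hdr20[:16] + b"\x00\x00" + base_hdr20[18:]
    seg_len = len(base_hdr20) + len(options) + len(data)
    return pseudo_header(src, dst, seg_len) + hdr + data


def tcp_md5_digest(src, dst, base_hdr20, options, data, key: bytes) -> bytes:
    """RFC 2385: MD5(pseudo header || TCP header without options, checksum 0 || data || key)."""
    return hashlib.md5(digest_input_prefix(src, dst, base_hdr20, options, data) + key).digest()


def build_signed_segment(src, dst, sport, dport, seq, ack, flags, window, data, key) -> bytes:
    """TCP segment carrying the MD5 option, padded with NOP+EOL to a 4-byte boundary."""
    opt_len = MD5_OPT_LEN + 2
    hdr = base_tcp_header(sport, dport, seq, ack, flags, window, (20 + opt_len) // 4)
    digest = tcp_md5_digest(src, dst, hdr, b"\x00" * opt_len, data, key)
    options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x00"
    return hdr + options + data


def extract_md5_option(options: bytes):
    """Walk the TCP option list and return the 16-byte digest, or None if absent/malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # EOL
            return None
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src: str, dst: str, segment: bytes, key: bytes) -> bool:
    """True if the captured segment's MD5 option matches this key for these endpoints."""
    hdr_len = (segment[12] >> 4) * 4
    hdr, options, data = segment[:20], segment[20:hdr_len], segment[hdr_len:]
    digest = extract_md5_option(options)
    if digest is None:
        return False
    return hmac.compare_digest(tcp_md5_digest(src, dst, hdr, options, data, key), digest)


# Constructed sample: a BGP KEEPALIVE from the speaker on port 179 to its peer.
SAMPLE_SRC, SAMPLE_DST, SAMPLE_KEY = "192.0.2.1", "192.0.2.2", b"bgp-s3cret"
SAMPLE_SEGMENT = build_signed_segment(SAMPLE_SRC, SAMPLE_DST, 179, 40000, 1000, 2000,
                                      0x18, 65535, BGP_KEEPALIVE, SAMPLE_KEY)

if __name__ == "__main__":
    print("segment (hex):", SAMPLE_SEGMENT.hex())
    print("verifies     :", verify_segment(SAMPLE_SRC, SAMPLE_DST, SAMPLE_SEGMENT, SAMPLE_KEY))
```

`digest_input_prefix` is the salt a generic md5($salt.$pass) mode would have to accept; whether hashcat accepts a salt of that length as-is is the question the thread leaves open. Note that the pseudo header binds the digest to both IP addresses, so a verifier (or a cracker) needs the capture's addresses, not just the TCP bytes.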