Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FGFan
New Contributor

Pre-shared Key

Hi all, 

I configured remote VPN using IP-SEC and I forgot pre-share key I configured before, so I couldn't connect from Foticlient. I show config and got pre-shared key, it was encrypted. There are some application can decrypt that string but I don't know Which default encryption method FortiGate use to make pre-shared key(MD5, 3DES...?). Anyone can tell me? Thanks a lot!

2 Solutions
gammuts
New Contributor II

ENC password can be decrypted. Just found out a way to do so. In fact, I found two methods for FortiOS 5.6.7. Your mileage may very for other versions though.

 

Method 1:

1) Log in into the web-interface as a (super?) admin.

2) Change your url/path to /api/v2/cmdb/vpn.ipsec/phase1-interface (edited after post about ticking bomb)

3) Firefox understands the JSON reply. I hope your browser does too. Search for psksecret on the page.

4) Notice that the psksecret is "ENC XXXX"

5) With the proper option, one can ask the FortiGate to give you the decrypted password. My original post contained the actual option, but perhaps that is not wise/secure at this moment. I changed this post after reading about "ticking bomb".

 

Method 2:

I also changed this part. It gave a full solution for decrypting passwords. It had something to do with WiFi PSK's. It is a fairly straight forward solution that anyone could or should have found who understands that "ENC XXXX" must mean that reversible encryption is used. As a matter of fact, cookbook https://cookbook.fortinet.com/encryption-hash-used-by-fortios-for-local-pwdpsk/ will tell you just the same. It will also tell  you that AES encryption is used, but https://docs.fortinet.com/uploaded/files/3624/fortigate-hardening-your-fortigate-56.pdf disagrees with that when not running in FIPS mode and says it is only DES: "Pre- shared keys in IPSec phase- 1 configurations are stored in plain text. In the configuration file these pre- shared keys are encoded. The encoding consists of encrypting the password with a fixed key using DES (AES in FIPS mode) and then Base64 encoding the result."

View solution in original post

gammuts
New Contributor II

FWIW: I wrote an article describing the finding of the one key on https://medium.com/@bart.dopheide/decrypting-fortigate-passwords-cve-2019-6693-1239f6fd5a61. I found 1 way, yet tried many. (The story does not talk about all the failed paths.)

 

If you really want to know the one key, then that article contains all the pointers you will get from me (and they should suffice).

View solution in original post

15 REPLIES 15
ede_pfau
Esteemed Contributor III

This topic will not die...no, there is no (known) way to decrypt 'ENC' entries in the config.

You will have to insert a new password on both sides.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
gammuts
New Contributor II

ENC password can be decrypted. Just found out a way to do so. In fact, I found two methods for FortiOS 5.6.7. Your mileage may very for other versions though.

 

Method 1:

1) Log in into the web-interface as a (super?) admin.

2) Change your url/path to /api/v2/cmdb/vpn.ipsec/phase1-interface (edited after post about ticking bomb)

3) Firefox understands the JSON reply. I hope your browser does too. Search for psksecret on the page.

4) Notice that the psksecret is "ENC XXXX"

5) With the proper option, one can ask the FortiGate to give you the decrypted password. My original post contained the actual option, but perhaps that is not wise/secure at this moment. I changed this post after reading about "ticking bomb".

 

Method 2:

I also changed this part. It gave a full solution for decrypting passwords. It had something to do with WiFi PSK's. It is a fairly straight forward solution that anyone could or should have found who understands that "ENC XXXX" must mean that reversible encryption is used. As a matter of fact, cookbook https://cookbook.fortinet.com/encryption-hash-used-by-fortios-for-local-pwdpsk/ will tell you just the same. It will also tell  you that AES encryption is used, but https://docs.fortinet.com/uploaded/files/3624/fortigate-hardening-your-fortigate-56.pdf disagrees with that when not running in FIPS mode and says it is only DES: "Pre- shared keys in IPSec phase- 1 configurations are stored in plain text. In the configuration file these pre- shared keys are encoded. The encoding consists of encrypting the password with a fixed key using DES (AES in FIPS mode) and then Base64 encoding the result."

emnoc
Esteemed Contributor III

I don't think that would  work on the forticlient  encrypted password but OP please try and let us know.  This might raise a lot of eyes on how secure our configs are and specially with GOV that  wants or expect full encryption from  config interceptions

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ede_pfau
Esteemed Contributor III

uh-oh! tested and it worked...this is a ticking bomb.

Hopefully someone from FTNT reads this...


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
gammuts
New Contributor II

Well, someone from FTNT authorized my post. Furthermore, we already know that the psksecret has to be stored with reversible encryption (not hashing). If you do not believe me, check cookbook https://cookbook.fortinet.com/encryption-hash-used-by-fortios-for-local-pwdpsk/. The PSK for VPNs has to be known as plain text. Since any two FortiGates only share FortiOS, the master key(s) must be built into FortiOS. (Remember that a config from one FortiGate will work on another FortiGate perfectly. And the configuration file does not seem to start with a/an (encoded) master key.)

 

I just found two ways to work around the problem of having to find the one master key. The WiFi solution one was found by just thinking outside the box. Anyone could (or should) have found that one. It amazes me that no-one else has posted it publicly (or my Google Foo is embarrassing).

 

In what way would it be a ticking bomb? One does not post configuration files publicly. I wouldn't post even hashes of my passwords. Furthermore, configuration files can be encrypted. Either by FortiOS, or by yourself once you downloaded one.

 

But if you think it is a ticking bomb, I could of course change/edit my posts and hide crucial details. But can you elaborate a bit on why it is a ticking bomb? (Or should we start a separate topic?)

 

ede_pfau
Esteemed Contributor III

Sorry if you got me wrong, no need to re-edit your post at all. Bringing a fact out into the open is a one-way street, so to say. It's an illusion (in my mind) that you could withhold information, especially after publishing it once. On the contrary, to enhance the situation this kind of information should be made known as much as possible.

 

What I meant with 'ticking bomb' is that up to the practical proof I didn't expect that a config file would reveal passwords in such an easy way. And thus handled them more or less as non-critical.

 

For practical and legally acceptable purposes, knowing these methods is good news. But it does pose a security risk as the awareness is not yet established. One day when everybody knows that one should treat a config file as delicately as a sheet with cleartext passwords, the risk will be minimal. So IMHO publishing it here in the forums is the best way to quickly disperse the information. Thank you for making us aware of this risk.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
gammuts
New Contributor II

I did get you wrong then. No problem. Let me reshow it then:

 

Method 1:

1) Log in into the web-interface as a (super?) admin. 2) Change your url/path to https://your-fortigate-ip...?plain-text-password=1 3) Firefox understands the JSON reply. I hope your browser does too. Search for the term "psksecret" on the page. Passwords/secrets should be listed as plain text passwords now.

4) FWIW: When testing without "?plain-text-password=1", you will get 'psksecret: "ENC XXXX"'

 

Method 2:

You can always view the Pre-Shared Key of a WiFi SSID via the GUI. But since FortiGate/FortiOS uses the same algorithm for storing these passwords as for (say) phase1 PSK's, you can simply:

[ul]
  • Create a dummy SSID via the GUI.
  • Change the password from CLI.[ul]
  • config wireless-controller vap   edit "dummy-decrypt"     set passphrase ENC some-base64-string-from-phase1-PSK   end[/ul]
  • Go back to the GUI.
  • Edit the dummy SSID.
  • Push the eye logo to reveal the SSID/PSK/whatever password.[/ul]

     

    The (AES) key must be somewhere hardcoded in FortiOS (since a FortiVM can decode passwords as well). Has anyone ever attempted to recover the one key? There is little to gain because we already found a fairly easy and non time consuming method, but a oneliner with openssl would be cooler :-).

  • Mr_J
    New Contributor

    Dear all,

     

    just to have it checked. I have tested this with some other "encrypted" password (e.g. admin, localuser, OSPF, snmpuser, certificate) on the FortiGate. This seems only be possible with pre-shared keys and SSID passphrases.

     

    As described under the following link, posted by gammuts, the other passwords are hashed and encoded.

    https://cookbook.fortinet.com/encryption-hash-used-by-fortios-for-local-pwdpsk/

     

    Best regards

     

    Jo

     

    gammuts
    New Contributor II

    Mr.J wrote:

    just to have it checked. I have tested this with some other "encrypted" password (e.g. admin, localuser, OSPF, snmpuser, certificate) on the FortiGate. This seems only be possible with pre-shared keys and SSID passphrases.

     

    Can you elaborate a bit on this? We agree on admin, localuser: those are encrypted hashes and therefore not very valuable imho. But I am able to decrypt snmpuser as configured in "config system snmp user" and I am able to decrypt private keys as configured in "config certificate local".

     

    Let us for instance decrypt this configuration part:

    config certificate local
        edit "Fortinet_CA_Untrusted"
            set password ENC 1Fuy5e9Sn/7ZwlDObvvfCBOHCTxArb8vN9eyECepCD7c0K/x9CFqcyEQViix+3e85UWkB78sz6riIQjnRNkg5PI5XJJDfod0RUe95qE9O0I4MkSVPZ+0I3rse6Jf1LpUdjOMiacmzwKrMeuiPQkLZwg6Oo3AMMv9tWGohWK8jZTEcuuc5HT63L6BVYlU2LFRsYBf/w==
            set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
            set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
    MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIph4PVL2RhxgCAggA
    (...)
            set certificate "-----BEGIN CERTIFICATE-----
    MIID8DCCAtigAwIBAgIIL/bv+KE0v8swDQYJKoZIhvcNAQELBQAwga4xCzAJBgNV
    (...)
            set scep-url ''
            set range global
            set source factory
            set source-ip 0.0.0.0
            set ike-localid-type asn1dn
        next
    end

     

    I can get the password if I enter this:

    config wireless vap
      edit wirelessdummy
        set passphrase ENC 1Fuy5e9Sn/7ZwlDObvvfCBOHCTxArb8vN9eyECepCD7c0K/x9CFqcyEQViix+3e85UWkB78sz6riIQjnRNkg5PI5XJJDfod0RUe95qE9O0I4MkSVPZ+0I3rse6Jf1LpUdjOMiacmzwKrMeuiPQkLZwg6Oo3AMMv9tWGohWK8jZTEcuuc5HT63L6BVYlU2LFRsYBf/w==
        set ssid dummy
        set vdom root
      next
    end

     

    FWIW: The password I get via the GUI, is '62b47da31ba2a980e751e96164bc5a97ae53e3dda0e76324a66ab47e342c18'.

    FWIW2: To confirm that this private key password is right, I copied the encrypted private key to a file, and decrypted it with openssl, for example:

     

    openssl rsa -in Fortinet_CA_Untrusted.key.pem -noout -text -passin pass:62b47da31ba2a980e751e96164bc5a97ae53e3dda0e76324a66ab47e342c18
    Labels
    Top Kudoed Authors