[solved] btest protocl hash

samm · August 5, 2016, 7:31pm

Hi.

I am trying to write a 3rd party client for the btest server to run btest to the mikrotik from the Linux box. So far i been able to write my own prototype (on perl now, want to rewrite on plain C at some moment). My protocol description could be found at https://github.com/samm-git/btest-opensource/blob/master/README.md . However, so far i am able to play only with disabled authentication on the server, because i cant guess how has is generated. E.g. with user name “test” and password “test” i see challenge from server ad32d6f94d28161625f2f390bb895637 and client should reply with 3c968565bc0314f281a6da1571cf7255. But i am not able to understand how this md5 is created. May be someone could take a look on btest or just guess how this hash was done?

samm · August 5, 2016, 9:26pm

I been able to find part of the auth protocol. To do this i created small server on perl. If server sends a challenge “00000000000000000000000000000000” and on the client password is empty, client (btest) will respond with 398d01fdf7934d1292c263d374778e1a line. This is md5(md5(00000000000000000000000000000000)). But if i am setting password to any value, e.g. ASCII ‘1’ , client sends different hash, a56b579c4f5194426ae217b3ee4ec1ba. I cant get how it was obtained, all my attempts to get it failing. Any ideas?

ZeroByte · August 5, 2016, 9:39pm

Figure this out, and you’ll have produced a way to capture Mikrotik credentials…

I.e. - they’re not going to tell you how it works because it would undermine the security of the platform.

samm · August 5, 2016, 9:58pm

No, its not correct statement. RouterOS using password-challenge auth, so it wont be possible to get password, it is never transmitted in the net as is.

jarda · August 7, 2016, 5:05pm

Windows btest application doesn’t run in wine?

samm · August 8, 2016, 6:22am

It runs, but on my servers i have SSH only connection and i would like to run test in the automatic mode from time to time. BTW, my “bserver” prototype already working for rx/tx, now limitations are:

one stream only (i know how to fix it but will take some time)
no authentication support (because hash format is not known for me)
tcp only (also planning to fix, already found how to do that)

Also btest.exe itself is much more limited compated to btest in RouterOS. E.g. it does not support multiply streams.

VanDoyn · August 16, 2016, 2:06pm

I tried your server, but client measures only the receive speed

Chupaka · August 17, 2016, 2:22pm

https://en.wikipedia.org/wiki/Security_through_obscurity

you were but one step from the solution

md5(‘1’ + md5(‘1’ + 00000000000000000000000000000000)) = a56b579c4f5194426ae217b3ee4ec1ba

samm · August 18, 2016, 3:32pm

Hi, yes, its now just dirty PoC. I have more recent code which supports send/receive, but it still have some issues. I will try some time to finish this work, also thinking about rewriting it on a plain C, because Perl is an ugly language for the multi-threading )

samm · August 18, 2016, 3:36pm

Chupaka:

ZeroByte:

Figure this out, and you’ll have produced a way to capture Mikrotik credentials…

https://en.wikipedia.org/wiki/Security_through_obscurity

samm:

I been able to find part of the auth protocol. To do this i created small server on perl. If server sends a challenge “00000000000000000000000000000000” and on the client password is empty, client (btest) will respond with 398d01fdf7934d1292c263d374778e1a line. This is md5(md5(00000000000000000000000000000000)). But if i am setting password to any value, e.g. ASCII ‘1’ , client sends different hash, a56b579c4f5194426ae217b3ee4ec1ba. I cant get how it was obtained, all my attempts to get it failing. Any ideas?

you were but one step from the solution

md5(‘1’ + md5(‘1’ + 00000000000000000000000000000000)) = a56b579c4f5194426ae217b3ee4ec1ba

Great, thank you so much! i was actually starting to give up ) Thanks a lot, i will update wiki page now and will try to find some time to write opensource server/client