Juniper NetScreen

From royhills
Jump to: navigation, search

Platform Notes

Juniper NetScreen is a Firewall/VPN system that runs on proprietary hardware using a proprietary operating system called ScreenOS.

It supports both site-to-site and remote access VPNs.

It uses a Motorola CPU and a Gigascreen ASIC. In an NS-5XP (which is now an obsolete model) the CPU is labelled XPC850DEZT50BT/OK29A/KOREA/ZQQVL0040 and the ASIC is labeled 240E2A01TBB1/JAPAN 0225HAL/L65093.

Version History

Version Release Date Notes
4.0.0
4.0.1
4.0.2
4.0.3
5.0.0
5.1.0
5.2.0 May 2005
5.3.0 June 2006 DPD support added in 5.3.0r2
5.4.0 October 2006

Most NetScreen devices run either 5.x or 6.x version code.

Backoff Patterns

The NetScreen has the 12-packet backoff pattern:

0, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4

Here is an example using Main Mode with the default transform set against an NS5-GT running ScreenOS 5.4.0:

$ ike-scan --showbackoff -M 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=324e3633e6174897)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

IKE Backoff Patterns:

IP Address      No.     Recv time               Delta Time
192.168.124.155 1       1170083575.291442       0.000000
192.168.124.155 2       1170083578.843019       3.551577
192.168.124.155 3       1170083582.842737       3.999718
192.168.124.155 4       1170083586.843883       4.001146
192.168.124.155 5       1170083590.843073       3.999190
192.168.124.155 6       1170083594.842743       3.999670
192.168.124.155 7       1170083598.843378       4.000635
192.168.124.155 8       1170083602.843049       3.999671
192.168.124.155 9       1170083606.843363       4.000314
192.168.124.155 10      1170083610.843924       4.000561
192.168.124.155 11      1170083614.843497       3.999573
192.168.124.155 12      1170083618.843629       4.000132
192.168.124.155 Implementation guess: Juniper-Netscreen

Vendor IDs

NetScreen's return some or all of the following Vendor IDs in both Main and Aggressive Mode:

  • Heatbeat Notify (4865617274426561745f4e6f74696679386b0100)
  • NetScreen Vendor ID (data varies - see below)
  • Dead Peer Detection (afcad71368a1f1c96b8696fc77570100) - ScreenOS 5.3.0r2 and later.
  • draft-ietf-ipsec-nat-t-ike-02 (90cb80913ebb696e086381b5ec427b1f) - If NAT Traversal is enabled.
  • draft-ietf-ipsec-nat-t-ike-00 (4485152d18b6bbcd0be8a8469579ddcc) - If NAT Traversal is enabled.

The NetScreen Vendor ID varies with different versions of ScreenOS and different hardware models. It consists of 20-bytes of data with no obvious structure (probably an SHA1 hash) followed by eight bytes, which appears to consist of two big endian 4-byte (32-bit) values. It is not known what the first of these values represents, but the second 4-byte value appears to indicate the ScreenOS version number for some ScreenOS versions, e.g. "403" for 4.0.3 and "500" for 5.0.0.

Below are some examples of NetScreen Vendor IDs together with the corresponding hardware platform and ScreenOS version.

Vendor ID Hardware ScreenOS
64405f46f03b7660a23be116a1975058e69e83870000000400000403 ns5xp 4.0.3r3.0
299ee8289f40a8973bc78687e2e7226b532c3b760000000900000500 ns5xp 5.0.0r1.0
299ee8289f40a8973bc78687e2e7226b532c3b760000000900000500 ns5xp 5.0.0r6.0
299ee8289f40a8973bc78687e2e7226b532c3b760000000900000500 ns5xp 5.0.0r9.0
4a4340b543e02b84c88a8b96a8af9ebe77d9accc0000000b00000500 ns5gt 5.0.0r7.1
2a2bcac19b8e91b426107807e02e7249569d6fd30000000b0000050a ns5gt 5.1.0r1.0
166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 ns5gt 5.2.0r3b.0
166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 ns5gt 5.3.0r4.0
166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 ns5gt 5.4.0r1.0
71957fc3620a421970709668132e871a332378fc0000000b00000614 ns5gt 6.2.0r18.0

Authentication Methods

NetScreen supports Pre-Shared key (PSK) and RSA Certificate authentication for IKE Phase-1. It also supports XAUTH as an optional additional authentication step between Phase-1 and Phase-2.

ISAKMP SA Lifetime

NetScreen running ScreenOS 5.4.0 supports life types of both seconds and kilobytes. It supports values from 1 to 0xffffffff for either life type, but ignores zero and value lengths greater than four bytes.

It will re-write variable-length lifetime attributes where the life type is seconds and the value is less than 32,767. The example below shows this attribute re-writing.

$ ike-scan -M --lifetime=32766 --trans=5,2,1,2 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=83e7dc8ed57dd340)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=32766)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)
$ ike-scan -M --lifetime=32767 --trans=5,2,1,2 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=3b81818b8a338825)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007fff)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

Transform Ordering and Re-Writing

NetScreen always returns the transform attributes in the order: Enc, Hash, Group, Auth [,keylength] [,lifetime in seconds] [,lifetime in kb] regardless of the order that the attributes are sent by the initiator. The examples below demonstrate this behaviour.

In the example below we send a single transform with the attributes Enc=3DES, Hash=SHA1, Auth=PSK, DH Group=2, and we observe the attribute ordering in the response to be Enc, Hash, DH Group, Auth.

$ ike-scan -M --trans="(1=5,2=2,3=1,4=2)" 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=3c966f12554558de)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

In this example, we use the same attributes as in the example above but reverse their order so that it is now DH Group, Auth, Hash, Enc. We see that the attribute ordering in the response is the same as for the first example: Enc, Hash, DH Group, Auth.

$ ike-scan -M --trans="(4=2,3=1,2=2,1=5)" 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=8fbc70868b6ff405)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

Here is an example including SA lifetime attributes. The initiator attributes are: LifeType=KB, LifeTime=123, LifeType=Seconds, LifeTime=456, DH Group=2, Auth=PSK, Hash=SHA1, Enc=3DES. The responder returns the attributes in order: Enc, Hash, DH Group, Auth, LifeType=Seconds, LifeTime, LifeType=KB, LifeTime.

$ ike-scan -M --trans="(11=2,12=123,11=1,12=456,4=2,3=1,2=2,1=5)" 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=94184ccac11162ee)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=456 LifeType=Kilobytes LifeDuration(4)=0x0000007b)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

This example uses the variable key length AES encryption algorithm, and adds the keylength attribute. Otherwise the attributes are the same as the previous example.

$ ike-scan -M --trans="(14=128,11=2,12=123,11=1,12=456,4=2,3=1,2=2,1=7)" 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=b973f6e997f0185e)
        SA=(Enc=AES Hash=SHA1 Group=2:modp1024 Auth=PSK KeyLength=128 LifeType=Seconds LifeDuration=456 LifeType=Kilobytes LifeDuration(4)=0x0000007b)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

Aggressive Mode

NetScreen supports IKE Aggressive Mode in addition to Main Mode. However you need to specify a valid ID to elicit a response; if you don't specify a valid ID, then the NetScreen won't respond. This introduces a username enumeration vulnerability, because it is possible to determine if a given username exists.

The netscreen accepts the default ID type of 3 (ID_USER_FQDN), so there is no need to explicitly specify this with --idtype.

Below is an example aggressive mode response from a NetScreen 5GT running ScreenOS 5.4.0, using the valid ID royhills@hotmail.com. We also capture the parameters required to crack the pre-shared key with --pskcrack and use psk-crack to obtain the key.

$ ike-scan -A -M --id=royhills@hotmail.com --pskcrack=netscreen.psk 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Aggressive Mode Handshake returned
        HDR=(CKY-R=c09155529199f8a5)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)
        KeyExchange(128 bytes)
        Nonce(20 bytes)
        ID(Type=ID_IPV4_ADDR, Value=192.168.124.155)
        Hash(20 bytes)
$ psk-crack netscreen.psk
Starting psk-crack [ike-scan 1.9] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "abc123" matches SHA1 hash 70263a01cba79f34fa5c52589dc4a123cbfe24d4
Ending psk-crack: 10615 iterations in 0.166 seconds (63810.86 iterations/sec)

Response to Noncompliant and Malformed Packets

The NetScreen has three types of responses to noncompliant or malformed packets:

  • For some, it returns an Informational IKE exchange with a Notify payload;
  • For some, it does not respond at all; and
  • It totally ignores some, responding as it would without the offending bit.

The examples below are all from a Netscreen 5-GT running ScreenOS 5.4.0.

No Acceptable Transforms

$ ike-scan -M --trans=1,1,1,1 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=2c8783fe8032dd4d)

Bad IKE version

$ ike-scan -M --headerver=0x30 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

$ ike-scan -M --headerver=0x15 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

No response.

Invalid DOI

$ ike-scan -M --doi=2 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Notify message 2 (DOI-NOT-SUPPORTED)
        HDR=(CKY-R=a969e6169d9cb489)

Invalid Situation

$ ike-scan -M --situation=2 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=871bd8a5a746467a)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

The invalid situation is ignored.

Invalid Initiator Cookie

$ ike-scan -M --cookie=0000000000000000 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

No response.

Invalid Flags

$ ike-scan -M --hdrflags=255 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=292cc88897b534ac)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

The invalid header flags are ignored.

Invalid Protocol

$ ike-scan -M --protocol=2 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

No response.

Invalid SPI

$ ike-scan -M --spisize=32 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=33dfbc4d41df9ddb)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

The SPI is ignored.

Non-Zero Reserved Fields

$ ike-scan -M --mbz=255 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=b0c2fc28608ab2fe)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

The non-zero reserved fields are ignored.

NAT Traversal

NetScreen does not support NAT Traversal by default, but it can be enabled with the following command line configuration option:

set ike gateway "<gateway-name>" nat-traversal keepalive-frequency 0

or by checking the Enable NAT-Traversal box in the GUI under VPNs > AutoKey Advanced > Gateway > Edit > Advanced.

Below is an example of a NetScreen 5GT running ScreenOS 5.4.0. Notice the two additional Vendor IDs that are returned when NAT Traversal is enabled.

$ ike-scan -M --nat-t 192.168.124.155
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.155 Main Mode Handshake returned
        HDR=(CKY-R=35d449a0fa2e4aec)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)

IVEv2

Juniper NetScreen supports IKEv2 from ScreenOS 6.1.0.

Remote Access VPN Client

NetScreen-Remote VPN Client

Juniper NetScreen uses NetScreen-Remote, which is a badged version of the SafeNet SoftRemote product that is also used by many other vendors.

It supports both Pre-Shared Key (PSK) and RSA Signature authentication. In both cases, it can also perform XAUTH authentication after the initial Phase-1 authentication has completed.

The IKE Phase-1 proposal contains a single transform. The default transform attributes are:

No. Encryption Hash Authentication DH Group Lifetime (Seconds)
1 3DES SHA1 PSK or RSA 2 (MODP 1024) Unspecified

The transform will use either PSK or RSA authentication based on the authentication method that is selected in the Identity configuration.

The transform attributes can be changed by the user, and the following values are available:

Encryption DES, Triple-DES, AES-128, AES-192 or AES-256
Hash MD5 or SHA1
Authentication RSA Signature or Hybrid
DH Group 1, 2 or 5

Other Interesting Behaviour

Default Configuration

The NetScreen IKE Phase-1 transform attributes are set in the ike gateway configuration. In the GUI, this is under VPNs > AutoKey Advanced > Gateway. The transform set is defined by the security level setting. There are four defined security levels:

  • standard - The default security level setting
  • compatible
  • basic
  • custom - User-defined transform set.

Below is an example configuration file entry which defines the IKE gateway test_gw with security level standard:

set ike gateway "test_gw" address 0.0.0.0 id "royhills@hotmail.com" Main outgoing-interface "trust"
preshare "zORvTgiuNxaV6RsEHMCQnEZ0cKn5L8mNgQ==" sec-level standard

The example has been wrapped across two lines for readability, but in the configuration it would be on a single line.

The default standard security level supports the following transform attributes:

Encryption 3DES or AES/128
Hash SHA1
Authentication Pre-Shared Key
DH Group 2 (MODP 1024)