This story is over 5 years old.


Researcher Grabs VPN Password With Tool From NSA Dump

An exploit included in the 'Shadow Brokers' dump targets a Cisco VPN appliance.
A Cisco Pix applicance. Image: Hades2k/Flickr

Cisco has already warned customers about two exploits found in the NSA-linked data recently dumped by hackers calling themselves The Shadow Brokers. Now, researchers have uncovered another attack included in the cache, which they claim allows the extraction of VPN passwords from certain Cisco products—meaning hackers could snoop on encrypted traffic.

Security researcher Mustafa Al-Bassam first documented the hacking tool, which uses the codename BENIGNCERTAIN, in a blog post published Thursday. He coined the attack "PixPocket" after the hardware the tool targets: Cisco PIX, a popular, albeit now outdated, firewall and VPN appliance. Corporations or government departments might use these devices to allow only authorised users onto their network.


Based on his analysis of the code, Al-Bassam writes that the tool works by sending a packet to the target machine that makes it dump some of its memory. Included in that dump is the VPN's authentication password, which is used to log into the device.

"With access to the preshared key, they could decrypt any traffic"

Brian Waters, another security researcher, tested BENIGNCERTAIN on his own hardware and managed to obtain the VPN's password, also known as a preshared key.

On Friday, he tweeted a message of the output from his test, which revealed his test password of "password123" among a list of two other possibilities.

I can confirm that BENIGNCERTAIN works against real hardware @XORcat @GossiTheDog @musalbas @marcan42 @msuiche
— Brian H₂O's (@int10h) August 19, 2016

"I was able to pop out a VPN password from the 'outside' interface. Meaning the one that would be connected to the internet," Waters told Motherboard in a Twitter message.

"To me this is verified," Al-Bassam told Motherboard in an online chat.

"It's proof that in a VPN that uses authentication with preshared keys, the NSA could have remotely sent a packet to that VPN from an outside Internet IP (unlike the other exploits which require internal access), and grabbed the preshared key […] With access to the preshared key, they could decrypt any traffic," he added. Once they've accessed the network, an attacker might then be able to snoop on a target organisation's traffic and spy on its users.


According to Al-Bassam, the tool references PIX versions 5.2(9) up to 6.3(4). However, Brian Waters said he carried out his test on hardware running the 6.3(5) version, implying that the attack may work on other versions of PIX than those listed in the tool's code.

Both Al-Bassam and Maksym Zaitsev, another researcher who has been looking into BENIGNCERTAIN, believe that the attack is likely capable of extracting private encryption keys from VPNs as well, which is another, more robust way of authenticating access. Waters was unable to test that however.

#EquationGroup seems to be capable of extracting #Cryptography keys from #Cisco VPNs, up to 4096 bits RSA
— Maksym Zaitsev (@cryptolok) August 18, 2016

Cisco officially stopped selling PIX products back in 2009. it is unclear if anyone has used this attack in the wild, or who still uses PIX products today. Kevin Beaumont, another researcher who has been digging through The Shadow Brokers dump, claimed that one of the UK government's biggest IT contractors still uses a PIX VPN.

On Thursday, after Al-Bassam had published his analysis, but before Waters had verified the attack, Cisco spokesperson Yvonne Malmgren told Motherboard in an email that the company's security team "continues the process of investigating all aspects of the exploits that were released, including the one you mention. As noted, if something new is found that our customers need to be aware of and respond to, we will share it through our established disclosure processes."

Update: In response to the news, Cisco updated its Shadow Brokers blog post, and wrote, "Our investigation so far has not identified any new vulnerabilities in current products related to the exploit."

"Just as technology advances, so too do the nature and sophistication of attacks. Prolonging the use of older technology exponentially increases risk. That said, we are deeply concerned with anything that may impact the integrity of our products or our customers' networks, and Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found. We look to defend our customers against attacks from any source, and our preventive technology and processes to investigate and fix vulnerabilities are industry-leading."