A researcher used one of the tools found in the recently leaked archive of NSA hacking tools and exploits to extract the password of a Cisco VPN. He says that it could be used by the NSA to snoop on encrypted traffic.
The 234-megabyte archive file leaked by the Shadow Brokers on various file-sharing sites earlier this week contains many sophisticated tools. One of these tools allowed a researcher to extract the password of certain Cisco products. He said that this could allow a hacker to snoop on the activity of anyone using those products, despite the traffic being encrypted.
The hacking tool, codenamed BENIGNCERTAIN, was first documented by researcher Mustafa Al-Bassam on Thursday, who called the attack ‘PixPocket’ because the tool targets Cisco PIX, an outdated firewall and VPN appliance from Cisco. This product was, and still is, used by major corporations and government departments to restrict access to their networks to authorized personnel only.
In his documentation, Al-Bassam revealed that BENIGNCERTAIN works by sending the target machine a packet that makes it dump some of its memory. Included in this dump is the VPN password that is used to log in to the device. Another security researcher, Brian Waters, confirmed that BENIGNCERTAIN works by testing it on his own system.
He posted the result through his Twitter account, with the image showing that the tool gave him a list of three possible passwords. One of those was the test password he had set, thereby confirming that the tool did work. Waters told Motherboard that he had sent the packet to a device that was connected to the internet and was able to extract the password.
Al-Bassam said that this tool affected PIX versions 5.2(9) up to 6.3(4). However, Waters said that he used the tool on PIX version 6.3(5), meaning that PixPocket also worked on versions that were not listed in the tool’s code. Al-Bassam said that this tool could easily allow the NSA to obtain the VPN passwords of services that use a pre-shared key. Once in possession of the pre-shared key, the NSA could easily decrypt any traffic, which would enable them to monitor everything the user was doing under the protection of his or her VPN.
Cisco has said that it has not found any evidence that a vulnerability in its product exists. Although the company stopped selling PIX products in 2009, many corporations still use them today. Cisco has assured its users that it will continue its investigation of the Shadow Brokers archive file and will notify its users about any exploit affecting its products should it find one.