
Internal: How to calculate RSA Security Analytics 10.3 service passwords using python

Issue

How to calculate RSA Security Analytics 10.3 service passwords using Python.
Understand how Security Analytics 10.3 credentials (in particular passwords) are protected.

Resolution

Background Information

RSA Security Analytics 10.3.X
In SA 10.3.X, we changed the storage of NextGen service passwords to include a salt.
Salted hashes increase the amount of time (and disk space) an attacker would need to retrieve a password by obtaining an equivalent hash value, a.k.a. hash cracking (particularly using brute-force methods such as pre-computed rainbow tables).

Note: NextGen services include (log) decoder, log collector, concentrator, broker and, to a minor extent, warehouse connector.
The same credentials are used with the REST interface/NwConsole and in Explorer mode.

SA NextGen service credentials (e.g. 'admin' used in SA Administration \ Devices) are stored in the service configuration file as a salted SHA256 hash.
e.g. For a concentrator service - /etc/netwitness/ng/NwConcentrator.cfg

The first time a service starts (when .cfg does not exist), a salt is randomly generated for that service.
For a particular service on an appliance, the salt is shared by all service users.
If an appliance has multiple services, e.g. log decoder and concentrator services, the salt for each service is different.

Source: JIRA SACE-741

This solution complements the existing internal solution to reset credentials on the admin account - https://support.netwitness.local/wiki/index.php/Passwords#Appliances

Calculating Hashes for RSA Security Analytics (SA) 10.3.X
Note: The following needs Python 2.6.6 (so it may not work on older boxes running CentOS 5, which have Python 2.4.3).

Example /etc/netwitness/ng/NwConcentrator.cfg excerpt for username: admin and password: netwitness (default service credentials)



SA CE have provided the following useful python snippet to calculate the hash/digest of a password and known salt:
>>> password = 'netwitness'
>>> salt="MRnkitjdt7RyslWxkMoaszMbnTy/AijdnmqI/LE3L2E="
>>> from hashlib import sha256
>>> sha256(sha256(password).hexdigest().upper() + salt.decode('base64')).hexdigest().upper()
'B72B872DEFB064D19A6EC03FD2E6E23295D36E2D8C5570BD045FB871A44AC4F1'

Calculating Hashes for NetWitness and versions of SA prior to SA 10.3
Note: NetWitness 9.8.X, SA 10.0, 10.1 & 10.2 don't salt the password.

Unsalted SHA256 digest of the password:
>>> sha256('netwitness').hexdigest().upper()
'283CFB6AB0244B042C1077DD35ECB3FA5259E9E3465D98E70A5724FFA8C86E7A'
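
The two schemes above as an added Python 3 example (not part of the original article or SA CE's snippet), extended to check which accounts of one service still carry the default password. The function names, the UTF-8 password encoding and the `{username: hash}` input shape are assumptions; the cfg file syntax is not shown in this article.

```python
import base64
import hashlib
import hmac

DEFAULT_PASSWORD = "netwitness"  # default service password named in the article


def service_hash(password, salt_b64=None):
    """Digest as described in the article.

    salt_b64=None -> unsalted scheme (NetWitness 9.8.X, SA 10.0 to 10.2).
    Otherwise     -> SA 10.3.X: SHA256(UPPERHEX(SHA256(password)) + raw salt).
    """
    # Assumption: passwords are UTF-8 encoded (Python 2 hashed the raw str).
    inner = hashlib.sha256(password.encode("utf-8")).hexdigest().upper()
    if salt_b64 is None:
        return inner
    # validate=True rejects a malformed salt instead of silently dropping bytes.
    salt = base64.b64decode(salt_b64, validate=True)
    return hashlib.sha256(inner.encode("ascii") + salt).hexdigest().upper()


def matches(password, stored_hash, salt_b64=None):
    """Constant-time, case-insensitive comparison against a stored digest."""
    candidate = service_hash(password, salt_b64).encode("ascii")
    stored = stored_hash.strip().upper().encode("utf-8")
    return hmac.compare_digest(candidate, stored)


def audit(accounts, salt_b64=None):
    """Return the usernames whose stored digest is the default password's.

    accounts: {username: stored_hash} for ONE service, since the salt is
    per service (hypothetical input shape, see lead-in).
    """
    return sorted(user for user, stored in accounts.items()
                  if matches(DEFAULT_PASSWORD, stored, salt_b64))


if __name__ == "__main__":
    salt = "MRnkitjdt7RyslWxkMoaszMbnTy/AijdnmqI/LE3L2E="  # salt from the article
    # Constructed sample: two accounts sharing one service salt.
    accounts = {
        "admin": service_hash("netwitness", salt),
        "ops": service_hash("constructed-example-passphrase", salt),
    }
    print("default password still set for:", audit(accounts, salt))
    print("salted  :", service_hash("netwitness", salt))
    print("unsalted:", service_hash("netwitness"))
```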



Notes

Alternative methods for resetting the password of a service account (e.g. admin) in SA 10.3.X and later:
1. Have another user with user.manage permission change the service account password to a known value in the SA UI.
2. As the salt is common, the hash can be copied by either:
- copying the hash from an account with a known password in the same service cfg file (e.g. NwConcentrator.cfg)
- having a user with user.manage permission create a new account in the SA UI and copying the hash
3. If the default credentials were changed AFTER going to SA 10.3.X, older service cfg files (e.g. NwConcentrator.cfg.11) can be grepped for the first reference to the same salt. The admin's hash from that file can then be used. This will probably not work for systems upgraded from SA 10.2.X or earlier (most customers should hopefully change the password of the admin account on production systems).
4. If the service settings are reasonably default, all service cfg files for that service can be removed and the service restarted. The admin account will be created with default credentials.

Note: This is an internal solution as we don't necessarily want to publish how these credentials are stored or how service credentials can be reset.
This solution also references a number of internal resources.



Internal Comments

UserName:shurtj
8/7/2014 3:12:49 PM - Updated Article
Updated article and made changes to abide by Primus best practices.


Product Details

RSA Security Analytics
RSA Security Analytics 10.3
INTERNAL ONLY !!!!