In this article, I present NSKek-tool, a tool I developed that comes with a user-friendly graphical user interface (GUI). It gives Netscaler administrators an intuitive way to securely decrypt service passwords without having to dive deep into the technical details. The tool combines classic cryptographic methods: HMAC, AES-CBC and the dynamic derivation of a Key Encryption Key (KEK).
In times when data security and ease of use must go hand in hand, the targeted decryption of sensitive information plays an important role. The NSKek-tool presented here offers an elegant solution: it not only enables the decryption of service passwords, but also provides a graphical interface that allows Netscaler administrators to easily select and process their key files.
What is behind Netscaler Credential Protection?
Netscaler Credential Protection has a two-pronged approach:
- Recoverable service passwords: These are protected by reversible encryption (e.g. AES-256-CBC), whereby the KEK is dynamically derived from configuration files, using an HMAC that combines two different key ranges.
- Non-recoverable administrator passwords: These are secured using strong, one-way hash mechanisms (such as PBKDF2-HMAC-SHA256) so that recovery of the plain text password is not possible.
This mix of dynamic key management and differentiated password protection ensures that the actual access data remains protected even in the event of partial access to configurations. The central idea: even if the internal processes are known, the system remains secure thanks to the secret, dynamically generated KEK.
A practical tool for service password decryption
Based on these ideas, I have developed a tool that can be used to decrypt sensitive service passwords.
Here is the central aspect of the NSKek-tool:
Key derivation using HMAC and file parsing
The NSKek-tool uses two key files from the Netscaler, referred to as F1 and F2, and extracts a specific part from each of them. Key material is read from each file based on the byte sections (for example from position 33 to 65 in F1 and 35 to 67 in F2). A dynamic key encryption key (KEK) is then calculated using HMAC-SHA256. With both key files F1 and F2, as well as the hash value, this tool also enables administrators without in-depth specialist knowledge to securely access their Netscaler service passwords.
Structure and functionality of the tool
As an example, we are using a Radius load balancer and would like to know what the service password is. Why? This can be for various reasons, e.g. to check whether the password has the appropriate complexity and complies with the company's policies or simply because nobody knows the password and it may still be used in other systems. As already explained, three components are required for decryption: the F1 and F2 keys and the hash used by the Radius load balancer. We can find the keys on the Netscaler under "nsconfig\keys" or "nsconfig\keys\updated" and now we only need the hash value. For this, we search for the load balancer in ns.conf and find the following, for example:
This means that the hash value is: 00795842f27593df0e279e850cca4a4efc8a4353cc9188136ddd957227c90355. The keys are F1_2023_10_16_05_41_44.key and F2_2023_10_16_05_41_44.key; naming them explicitly may be necessary if there are several keys on the Netscaler. We feed the NSKek-tool with this information:
If the values are all correct, we receive the service password in plain text but might have some extra chars at the end (known bug).
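The key derivation described above and the trailing characters mentioned here can be illustrated with a short sketch; this is an added example, not the NSKek-tool's own code. It assumes the byte positions are half-open slices of 32 bytes each, that the F2 section is the HMAC key and the F1 section the message, and that the trailing characters are unstripped PKCS#7 padding; none of these details is stated in the article.

```python
import hashlib
import hmac

# Byte positions quoted in the article, read here as half-open slices (assumption).
F1_RANGE = (33, 65)
F2_RANGE = (35, 67)


def key_section(blob: bytes, byte_range: tuple, name: str) -> bytes:
    """Return the key-material slice, refusing files too short to contain it."""
    start, end = byte_range
    if len(blob) < end:
        raise ValueError(f"{name} has {len(blob)} bytes, need at least {end}")
    return blob[start:end]


def derive_kek(f1: bytes, f2: bytes) -> bytes:
    """Derive a 32-byte KEK with HMAC-SHA256 over the two sections.

    Assumption: the F2 section is the HMAC key and the F1 section the message.
    """
    k1 = key_section(f1, F1_RANGE, "F1")
    k2 = key_section(f2, F2_RANGE, "F2")
    return hmac.new(k2, k1, hashlib.sha256).digest()


def strip_pkcs7(plaintext: bytes, block_size: int = 16) -> bytes:
    """Validate and remove PKCS#7 padding (assumed scheme) from AES-CBC output."""
    if not plaintext or len(plaintext) % block_size:
        raise ValueError("plaintext is not a whole number of blocks")
    pad = plaintext[-1]
    if not 1 <= pad <= block_size or plaintext[-pad:] != bytes([pad]) * pad:
        raise ValueError("padding is invalid; check the key file pair")
    return plaintext[:-pad]


if __name__ == "__main__":
    # Constructed stand-ins for the key files and for a decrypted block.
    f1, f2 = bytes(range(100)), bytes(range(100, 200))
    print("KEK:", derive_kek(f1, f2).hex())
    print("password:", strip_pkcs7(b"Example-Pw1" + bytes([5]) * 5))
```

A padding check that fails is also a quick signal that the selected F1/F2 pair does not match the hash taken from ns.conf.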
Download from Github
Conclusion
My NSKek-tool for decrypting Netscaler service passwords is based on these best practices: It combines HMAC-based key derivation, AES decryption, and an intuitive GUI to provide Netscaler administrators with secure and easy-to-use access to sensitive data.