{"id":15395151,"url":"https://github.com/orhun/firebox-auth-cracker","last_synced_at":"2025-06-19T04:34:21.023Z","repository":{"id":103624106,"uuid":"606537543","full_name":"orhun/firebox-auth-cracker","owner":"orhun","description":"A CLI tool to brute force the authentication signature of WatchGuard's Firebox","archived":false,"fork":false,"pushed_at":"2023-02-25T19:43:03.000Z","size":24,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-27T23:44:23.724Z","etag":null,"topics":["authentication","bruteforce","bruteforce-tools","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/orhun.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-02-25T19:40:48.000Z","updated_at":"2024-06-18T18:38:35.000Z","dependencies_parsed_at":"2023-05-24T01:00:21.338Z","dependency_job_id":null,"html_url":"https://github.com/orhun/firebox-auth-cracker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/orhun/firebox-auth-cracker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orhun%2Ffirebox-auth-cracker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orhun%2Ffirebox-auth-cracker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orhun%2Ffirebox-auth-cracker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orhun%2Ffirebox-auth-cracker/manifests","owner_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/owners/orhun","download_url":"https://codeload.github.com/orhun/firebox-auth-cracker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orhun%2Ffirebox-auth-cracker/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260688136,"owners_count":23046854,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","bruteforce","bruteforce-tools","rust"],"created_at":"2024-10-01T15:26:13.223Z","updated_at":"2025-06-19T04:34:16.005Z","avatar_url":"https://github.com/orhun.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"## `firebox-auth-cracker` 🔥\n\n##### A CLI tool to brute force the authentication signature of [WatchGuard](https://www.watchguard.com/)'s Firebox\n\n_Note: This is a quick and unfinished attempt for cracking the authentication signature of Firebox to bypass the firewall rules._\n\n\u003e Firebox is a powerful network security device that controls all traffic between the external network and the trusted network. 
If computers with mixed trust connect to your network, you can also configure an optional network interface that is separate from the trusted network.\n\u003e See https://www.watchguard.com/wgrd-products/firewall-appliances\n\n### Attack Vector\n\n[Authentication process](https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/hotspot_external_web_server_config_c.html) of Firebox is shown in the following chart:\n\n![diagram-hotspot-external-auth-interaction-flow](https://user-images.githubusercontent.com/24392180/221375134-4682ddcf-8ce4-4213-be6d-cfd6d9d34b6f.jpg)\n\n1. A hotspot user tries to browse to a web page.\n2. If this is a new hotspot user, the Firebox redirects the client browser to the Authentication URL on the external web server.\n   This URL includes a query string that contains the access request.\n3. The browser sends the access request to the external web server.\n4. The external web server sends the Authentication page to the browser.\n5. The hotspot user types the requested authentication information and submits the form to the external web server.\n6. The external web server processes the authentication information and sends an HTML page that contains the decision URL to the browser.\n7. The browser sends the access decision to the Firebox.\n   The access decision URL contains the access decision, a checksum, and a redirect URL.\n8. The Firebox reads the access decision, verifies the checksum, and sends the redirect URL to the client browser.\n   Based on the outcome of the external authentication process, the redirect URL can be:\n   - The original URL the user browsed to, if the external web server sent the original redirect URL.\n   - A different redirect URL, if the external web server sent a different redirect URL.\n   - The authentication failure URL, if authentication failed or access was denied.\n9. 
The external web server sends a logoff URL to the Firebox to end the user hotspot session.\n\nOn step 2, we receive the following URL for the authentication page redirect:\n\n```\nhttp://10.0.2.80:8080/auth.html?xtm=http://10.0.3.1:4106/wgcgi.cgi\u0026action=hotspot_auth\u0026ts=1344238620\u0026sn=70AB02716F745\u0026mac=9C:4E:36:30:2D:26\u0026redirect=http://www.google.com/\n```\n\nThis access request URL includes these parameters:\n\n- `xtm`: The URL on the Firebox where the external web server must send the access decision.\n- `action`: The action type. The value is always `hotspot_auth`.\n- `ts`: The time stamp for the request.\n- `sn`: The serial number of the Firebox.\n- `mac`: The MAC address of the client.\n- `redirect`: The original URL the hotspot user tried to browse to.\n\nThen later, on step 7 (after the authentication is completed), we receive the following result page URL:\n\n```\nhttp://10.0.3.1:4106/wgcgi.cgi?action=hotspot_auth\u0026ts=1344238620\u0026success=1\u0026sess_timeout=1200\u0026idle_timeout=600\u0026\u0026sig=a05d352951986e5fbf939920b260a6be3a9fffd3\u0026redirect=http://www.google.com/\n```\n\nThis URL includes the following parameters:\n\n- `action`: The action type. The value must be `hotspot_auth`.\n- `success`: The decision about hotspot access. Set the value to 1 to allow the user to get access to the hotspot, or 0 to not allow access.\n- `sess_timeout`: The session timeout value for the user hotspot connection. Specify the amount of time in seconds that a user can be connected to the hotspot for each session. Set the value to 1 to use the Session Timeout setting configured on the Firebox. Set the value to 0 to disable the session timeout value. When you set the value to 0, the user connection to the hotspot does not time out.\n- `idle_timeout`: The idle timeout value for the user hotspot connection. Specify the amount of time in seconds that a user session connection to the hotspot can be idle before the session is disconnected. 
Set the value to -1 to use the default Idle Timeout setting configured on the Firebox. Set the value to 0 to disable the idle timeout value. When you set the value to 0, the user connection to the hotspot does not expire when there is no traffic between the user client and the hotspot.\n- `sig`: A hex encoded string in lower case. It is a SHA1 checksum based on the values of `ts`, `sn`, `mac`, `success`, `sess_timeout`, `idle_timeout`, and the **shared secret**. The shared secret you use to calculate the hash checksum must match the shared secret configured in the hotspot settings on the Firebox.\n- `redirect`: The redirect URL you want the Firebox to send to the hotspot user after successful authentication. To redirect the browser to the original URL the user requested, use the value originally received in the access request URL. To redirect users to a different URL, specify that URL in this parameter.\n\n---\n\n**The idea is** to perform a brute-force attack on the **signature** to find out the **shared secret**, so that we can craft a custom signature and skip the authentication by directly sending a request to the Firebox.\n\n```\nsignature = SHA1(ts + sn + mac + success + sess_timeout + idle_timeout + shared_secret)\n```\n\nBy this formula, we get:\n\n```\na05d352951986e5fbf939920b260a6be3a9fffd3 = SHA1(\"1344238620\" + \"70AB02716F745\" + \"9C:4E:36:30:2D:26\" + \"1\" + \"1200\" + \"600\" + shared_secret)\n```\n\n\u003e The shared secret is the key the Firebox and the authentication server use to secure the authentication information that passes between them. 
The shared secret is case-sensitive and must be the same on the Firebox and the authentication server.\n\n### Usage\n\n```\nUsage: firebox-auth-cracker [OPTIONS] --sig \u003cSIG\u003e --sn \u003cSN\u003e --ts \u003cTS\u003e --mac \u003cMAC\u003e\n```\n\n```\nOptions:\n  -s, --sig \u003cSIG\u003e           Authentication signature\n  -i, --input-file \u003cINPUT\u003e  Input file\n      --sn \u003cSN\u003e             Serial number of the Firebox\n  -t, --ts \u003cTS\u003e             Timestamp for the request\n  -m, --mac \u003cMAC\u003e           MAC address of the client\n  -h, --help                Print help\n  -V, --version             Print version\n```\n\n### Examples\n\n```sh\n$ echo \"test\" | firebox-auth-cracker --sn \"D0FE0CF6C42CB\" --sig \"d80cda05a95013000ecb0058fc46f9e89be8e641\" --ts \"1677336031\" --mac \"CA:FE:C0:FF:EE:00\"\n\nChecking d80cda05a95013000ecb0058fc46f9e89be8e641 (test)\nSecret found!!! -\u003e test\n```\n\n```sh\n$ while true; do ( cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 8 ; echo \"\" ); done | firebox-auth-cracker --sn \"D0FE0CF6C42CB\" --sig \"e3cb81859994095e79369bab7f72b4cb8260ed27\" --ts \"1677336031\" --mac \"CA:FE:C0:FF:EE:00\"\n```\n\n### Roadmap\n\n- [ ] Built-in key generator\n- [ ] Multithreading\n\n### License\n\nLicensed under either of [Apache License Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) or [The MIT License](http://opensource.org/licenses/MIT) at your option.\n\n### Copyright\n\nCopyright © 2023, [Orhun Parmaksız](mailto:orhunparmaksiz@gmail.com)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forhun%2Ffirebox-auth-cracker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Forhun%2Ffirebox-auth-cracker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forhun%2Ffirebox-auth-cracker/lists"}