Cracking a netscreen (Juniper) password hash

[Alexander Sandström Krantz A <alexander.a.sandstrom.krantz () ericsson com>]

Hi list! 
I hope you don't get to bored, but I'm back with yet another password hash
which I would like to be able to crack. This time it's from a Juniper device
running Netscreen OS. As with the Extreme Networks hash post I wrote a while
ago, I could use THC Hydra or similar to crack the password remotely, but as
you know this method is slow.What  I would like to be able to do is run
John, or any similar application, to crack the hashes created by the Juniper
device using brute force or a wordlist.

I found a discussion on this mailinglist from 2003 about Netscreen hashes
(http://www.securityfocus.com/archive/101/336007), and one from January this
year (http://www.securityfocus.com/archive/101/487496). But it seems like
the issue was never solved. Therefore I thought that it might be a good idea
to pick up the topic again.

In earlier discussions it is suggested that the hash is an MD5-hash with a
few minor changes, such as the letters ntscrn (netscreen) added backwards on
certain positions in the hash. And that the letters in certain positions in
the hash are always upper-case. It has been suggested that removing
n...r...c...s...t...n (ntscrn backwards) from the hash would turn it into an
MD5-hash, but that seems to be wrong. Additional changes seems to have been
made to it (if it's even MD5).

The following link contains a number of
"username,password,hash"-combinations:
http://www.securityfocus.com/archive/101/421434
Example hash (username, password, hash): 

a,netscreen,nMf9FkrCIgHGccRAxsBAwxBtDtPHfn 

Does anyone have any information/ideas about these hashes and/or how they
can be cracked? There seemed to be a lot of people with good ideas last time
I needed help.

Cheers, 
Alexander

Attachment: smime.p7s
Description: