From a8f4b935f99c88a4672dd4fc13c3cc17697edc9f Mon Sep 17 00:00:00 2001 From: darcosion <16328515+darcosion@users.noreply.github.com> Date: Fri, 14 Jun 2024 11:31:10 +0200 Subject: [PATCH 1/2] add recipe 71, extract of fortinet encrypted password MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit extract of fortinet encrypted password on conf file with vuln CVE-2019–6693 --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 0d0fd7a..010b3ae 100644 --- a/README.md +++ b/README.md @@ -1115,6 +1115,17 @@ Credit: [https://www.linkedin.com/in/isdebuggerpresent](https://www.linkedin.com ![Recipe 70](screenshots/recipe_70.png) +## Recipe 71 - Extracting password from Fortinet appliance (CVE-2019–6693) + +Long time ago, Fortinet used symetric encryption for protecting password on fortinet configuration export file. In 2019, a reverse engineer found the encryption method. It was AES-CBC with a static key which was `Mary had a littl`. This recipe can be used to extract password and data from this specific encryption : + +Credit: Darcosion + +`[{"op":"AES Decrypt","args":[{"option":"UTF8","string":"Mary had a littl"},{"option":"Hex","string":"ba618e25000000000000000000000000"},"CBC","Hex","Raw",{"option":"Hex","string":""},{"option":"Hex","string":""}]},{"op":"Label","args":["000000000000000000000000"]},{"op":"Label","args":["take the 4 first octets, add the \\x00 and put in as IV"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true,false],"disabled":true},{"op":"To Hex","args":["None",0],"disabled":true}]` + +![recipe 71](https://github.com/mattnotmax/cyberchef-recipes/assets/16328515/62bff148-bcb7-48d9-9637-9459f014ddff) + + # Training I've developed a course 'CyberChef for Security Analysts' which contains 10 hours of instuctional videos plus labs through Applied Network Defense. To find out more visit [learncyberchef.com](http://learncyberchef.com) 
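Review bot: In the Recipe 71 JSON of the README.md hunk, the `AES Decrypt` IV is hard-coded to `ba618e25000000000000000000000000`, which by the recipe's own Label text ("take the 4 first octets, add the \\x00 and put in as IV") belongs to one particular sample, and the `From Base64` and `To Hex` operations ship disabled. The recipe as pasted therefore needs manual edits before it works on another configuration value, and the README paragraph does not say so. Suggest describing the expected input and the manual IV step in the prose above the recipe instead of only in Label operations. Smaller points in the same hunk: "symetric" should be "symmetric"; the heading writes the CVE id with an en dash (`CVE-2019–6693`) rather than an ASCII hyphen, which defeats text search for the id; and the screenshot links to a github.com assets URL while Recipe 70 just above uses `screenshots/recipe_70.png`, so adding `screenshots/recipe_71.png` to the repository would keep the convention.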
From e28a3dfe8f02268f9cbced0b110eaa0d70550770 Mon Sep 17 00:00:00 2001 From: darcosion <16328515+darcosion@users.noreply.github.com> Date: Fri, 14 Jun 2024 11:35:11 +0200 Subject: [PATCH 2/2] add references and indexing --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 010b3ae..1742c62 100644 --- a/README.md +++ b/README.md @@ -189,6 +189,8 @@ Some example CyberChef recipes: [Recipe 70: Extracting endpoints from Android network security config](#recipe-70---extracting-endpoints-from-android-network-security-config) +[Recipe 71: Extracting password from Fortinet appliance (CVE-2019–6693)](#recipe-71---extracting-password-from-fortinet-appliance-(CVE-2019–6693)) + ## Recipe 1 - Extract base64, raw inflate and code beautify @@ -1120,6 +1122,8 @@ Credit: [https://www.linkedin.com/in/isdebuggerpresent](https://www.linkedin.com Long time ago, Fortinet used symetric encryption for protecting password on fortinet configuration export file. In 2019, a reverse engineer found the encryption method. It was AES-CBC with a static key which was `Mary had a littl`. This recipe can be used to extract password and data from this specific encryption : Credit: Darcosion +Reference : https://www.pirates.re/fortigate-vm-for-vulnerability-discovery +Rererence : https://medium.com/@bart.dopheide/decrypting-fortigate-passwords-cve-2019-6693-1239f6fd5a61 `[{"op":"AES Decrypt","args":[{"option":"UTF8","string":"Mary had a littl"},{"option":"Hex","string":"ba618e25000000000000000000000000"},"CBC","Hex","Raw",{"option":"Hex","string":""},{"option":"Hex","string":""}]},{"op":"Label","args":["000000000000000000000000"]},{"op":"Label","args":["take the 4 first octets, add the \\x00 and put in as IV"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true,false],"disabled":true},{"op":"To Hex","args":["None",0],"disabled":true}]`
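Review bot: In the index hunk (@@ -189,6 +189,8) the new link target `#recipe-71---extracting-password-from-fortinet-appliance-(CVE-2019–6693)` keeps the parentheses, the upper-case "CVE" and the en dash, unlike the Recipe 70 entry on the line above, which uses a lower-case, punctuation-free slug. GitHub lower-cases heading anchors and drops parentheses, so this link is unlikely to jump to the recipe. Suggest writing the CVE id in the heading with an ASCII hyphen and linking to `#recipe-71---extracting-password-from-fortinet-appliance-cve-2019-6693`.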
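Review bot: In the second hunk (@@ -1120,6 +1122,8) the two added reference lines follow `Credit: Darcosion` with no blank line or list marker, so Markdown will render all three as one run-on paragraph, and the second label is misspelled "Rererence". Suggest a blank line after the credit and a short bullet list, with "Reference:" spelled consistently and no space before the colon, or inline links in the same style as the credit link used for Recipe 70.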