[5473] in bugtraq


Re: [seg-l] Passwords on Cisco (fwd)

daemon@ATHENA.MIT.EDU (Gustavo A. Lozano)
Fri Oct 31 16:45:59 1997

Date: 	Fri, 31 Oct 1997 15:55:30 -0500
Reply-To: "Gustavo A. Lozano" <glozano@COLINTER.NET>
From: "Gustavo A. Lozano" <glozano@COLINTER.NET>
To: BUGTRAQ@NETSPACE.ORG

Gustavo A. Lozano.
Internet de Colombia S.A.
glozano@colinter.net

fingerprint = 74 37 A4 1F FA D3 B1 CC  C2 E2 07 80 1E 0F 4A B6


---------- Forwarded message ----------
Date: Fri, 30 May 1997 23:40:12 +0100
From: AcidGum <ACIDGUM@hotmail.com>
Reply-To: seg-l@secnet.com
To: seg-l@secnet.com
Subject: Re: [seg-l] Passwords on Cisco

edo@infocable.cl wrote:

#! /bin/sh
## Decrypts cisco "encrypted" passwords.  Feed this config files as stdin.
## Anything that looks like a "type 7 encrypted" string gets decrypted.
## This should really be a C program, but is presented as a script just to
## piss off a certain group of people.  One beer, please...
##
## Note: "data -g" (turns the 0xNN lines into raw bytes) and "xor" (xors
## stdin against the pad file) are non-standard helper utilities, not stock
## Unix commands; the script needs both to be on the PATH.

while read xx ; do
  # keep only lines of the form "...d 7 NN..." (e.g. "password 7 04...")
  case "$xx" in
    *d\ 7\ [01]??* ) ;;
    *) continue ;;
  esac
  DEC=`echo "$xx" | sed -e 's/.* //' -e 's/\(^..\).*/\1/'`    # 2-digit decimal offset
  DP1=`expr $DEC + 1`                                         # cut -c positions are 1-based
  HEX=`echo "$xx" | sed -e 's/.* //' -e 's/^..\(..*\)/\1/'`    # ascii-hex password bytes
  # pad = the magic character block from the offset onward
  echo 'dsfd;kfoA,.iyewrkldJKDHSUB' | cut -c "${DP1}-30" > /tmp/cis$$.pad
  echo '#' > /tmp/cis$$.in
  # split the hex string into one "0xNN" line per password byte
  for xx in 1-2 3-4 5-6 7-8 9-10 11-12 13-14 15-16 17-18 19-20 21-22 ; do
    echo "${HEX}" | cut -c $xx | sed -e '/^$/q' -e 's/^/0x/' >> /tmp/cis$$.in
  done
  echo -n "${DEC}${HEX}: "
  data -g < /tmp/cis$$.in | xor /tmp/cis$$.pad
  echo ''
done
rm -f /tmp/cis$$.pad /tmp/cis$$.in
exit 0

# Discussion:

# When "service password-encryption" is configured into a cisco router and
# the configuration subsequently viewed, the passwords are no longer printed
# as plaintext but as strings of randomish-looking garbage.  Analysis of
# several samples reveals the scrambling algorithm to be trivially weak.

# Dr. Delete derived and published an analysis and decryption program some
# time ago, but since that didn't seem to be generally available at the time
# I went looking for it, here is an independent explanation.  This was worked
# out on PAPER over a plate of nachos in a hotel bar in downtown LA, but
# still illustrates where a general-purpose "xor" handler can be useful for
# quickly cracking lame "proprietary" algorithms of this genre.

# Passwords can be up to eleven mixed-case characters.  In the "encrypted"
# representation, the first two bytes of the long string are a random decimal
# offset between 0 and 15 into a magic block of characters, and the remaining
# bytes are ascii-hex representations of the password bytes xored against
# the character-block bytes from the given offset on down.  The character
# block is "dsfd;kfoA,.iyewrkldJKDHSUB", which is enough for a maximum-length
# password at the maximum offset.

# Another character block consisting of "sgvca69834ncxv9873254k;fg87" is
# located after the first one in the IOS image, which may be relevant to
# something else and is simply mentioned here for posterity.  It is also
# interesting to note that the strings "%02d" and "%02x" occur immediately
# afterward, which in light of the above is another clue.

> >
> > > Edo.
> >
> >
> > Do you want the passwords on a Cisco router not to be visible
> > unencrypted?
> >
> > If that is what you want, use the command:
> >
> > service password-encryption
>
> That wasn't exactly it; it was more the encryption method they use. In
> fact I found that it is not similar [on Unix, for example, something
> normal would be zdDlhM3s9LPzK, but on Cisco the format is
> 04025D0319731D] and I would like to know what the difference actually
> is, and whether, for example, crack is able to detect this algorithm.
> Incidentally, I get that format when creating access for ppp/slip
> users.
>
> > Hernan
>
> Regards
> Edo.

* I hope this is what you are looking for.


Regards, AcidGum
http://spin.com.mx/~rarriola/

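The layout the discussion above describes (two decimal digits of offset, then one hex pair per password byte XORed with the fixed character block), as an added Python example that is not code from the posting. It assumes the 26-byte block quoted there is the whole key, uses the 04025D0319731D value from the thread as input, and adds a small audit pass over a constructed config to report every credential stored in this reversible form.

```python
import re

# The "magic block" named in the discussion above; offset (0..15) + password
# length (<= 11) never runs past its 26 bytes.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUB"

# "password 7 NN<hex>" / "key 7 NN<hex>" as it appears in a saved IOS config
# (assumed pattern; the thread shows the "password 7" form).
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+(\d{2}[0-9A-Fa-f]+)\b")


def decode_type7(blob):
    """Undo the scrambling: 2 decimal digits give the key offset, then each
    hex pair is a password byte XORed with the key byte at offset+i."""
    if len(blob) < 4 or len(blob) % 2 or not blob[:2].isdigit():
        raise ValueError("malformed type 7 string")
    offset = int(blob[:2])
    data = bytes.fromhex(blob[2:])          # raises ValueError on bad hex
    if offset > 15 or offset + len(data) > len(TYPE7_KEY):
        raise ValueError("offset/length exceed the key block")
    return bytes(b ^ TYPE7_KEY[offset + i] for i, b in enumerate(data)).decode("ascii")


def encode_type7(password, offset):
    """Forward direction (the "%02d" then "%02x" layout the post points at),
    showing the scheme is a plain XOR against a fixed, public key."""
    raw = password.encode("ascii")
    if not 0 <= offset <= 15 or len(raw) > 11:
        raise ValueError("offset must be 0..15 and password at most 11 bytes")
    body = "".join("%02X" % (c ^ TYPE7_KEY[offset + i]) for i, c in enumerate(raw))
    return "%02d" % offset + body


def audit_config(text):
    """Return (line_number, recovered_password) for every type 7 string,
    i.e. every credential the config stores reversibly."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = TYPE7_RE.search(line)
        if m:
            findings.append((n, decode_type7(m.group(1))))
    return findings


# Constructed sample config; the type 7 value is the one quoted in the thread,
# the type 5 line is a placeholder and must not be reported.
SAMPLE_CONFIG = """hostname edge-rtr
enable secret 5 $1$PLACEHOLDER$not-a-real-hash
username ppp1 password 7 04025D0319731D
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for lineno, pw in audit_config(SAMPLE_CONFIG):
        print("line %d: reversible type 7 password (%d chars)" % (lineno, len(pw)))
```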
