Bugtraq mailing list archives
Re: [seg-l] Passwords en Cisco (fwd)
From: glozano () COLINTER NET (Gustavo A. Lozano)
Date: Fri, 31 Oct 1997 15:55:30 -0500
This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime () docserver cac washington edu for more info. --------------96EA5FBD7A6DF08BC1E0A593 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-ID: <Pine.LNX.3.96.971031155519.6897F () Donatello colinter net> Gustavo A. Lozano. Internet de Colombia S.A. glozano () colinter net fingerprint = 74 37 A4 1F FA D3 B1 CC C2 E2 07 80 1E 0F 4A B6 ---------- Forwarded message ---------- Date: Fri, 30 May 1997 23:40:12 +0100 From: AcidGum <ACIDGUM () hotmail com> Reply-To: seg-l () secnet com To: seg-l () secnet com Subject: Re: [seg-l] Passwords en Cisco edo () infocable cl wrote: #! /bin/sh ## Decrypts cisco "encrypted" passwords. Feed this confg files as stdin. ## Anything that looks like a "type 7 encrypted" string gets decrypted. ## This should really be a C program, but is presented as a script just to ## piss off a certain group of people. One beer, please... while read xx ; do case "$xx" in *d\ 7\ [01]??* ) ;; *) continue ;; esac DEC=`echo "$xx" | sed -e 's/.* //' -e 's/\(^..\).*/\1/'` DP1=`expr $DEC + 1` HEX=`echo "$xx" | sed -e 's/.* //' -e 's/^..\(..*\)/\1/'` echo 'dsfd;kfoA,.iyewrkldJKDHSUB' | cut -c "${DP1}-30" > /tmp/cis$$.pad echo '#' > /tmp/cis$$.in for xx in 1-2 3-4 5-6 7-8 9-10 11-12 13-14 15-16 17-18 19-20 21-22 ; do echo "${HEX}" | cut -c $xx | sed -e '/^$/q' -e 's/^/0x/' >> /tmp/cis$$.in done echo -n "${DEC}${HEX}: " data -g < /tmp/cis$$.in | xor /tmp/cis$$.pad echo '' done rm -f /tmp/cis$$.pad /tmp/cis$$.in exit 0 # Discussion: # When "service password-encryption" is configured into a cisco router and # the configuration subsequently viewed, the passwords are no longer printed # as plaintext but as strings of randomish-looking garbage. Analysis of # several samples reveals the scrambling algorithm to be trivially weak. # Dr. Delete derived and published an analysis and decryption program some # time ago, but since that didn't seem to be generally available at the time # I went looking for it, here is an independent explanation. This was worked # out on PAPER over a plate of nachos in a hotel bar in downtown LA, but # still illustrates where a general-purpose "xor" handler can be useful for # quickly cracking lame "proprietary" algorithms of this genre. # Passwords can be up to eleven mixed-case characters. In the "encrypted" # representation, the first two bytes of the long string are a random decimal # offset between 0 and 15 into a magic block of characters, and the remaining # bytes are ascii-hex representations of the password bytes xored against # the character-block bytes from the given offset on down. The character # block is "dsfd;kfoA,.iyewrkldJKDHSUB", which is enough for a maximum-length # password at the maximum offset. # Another character block consisting of "sgvca69834ncxv9873254k;fg87" is # located after the first one in the IOS image, which may be relevant to # something else and is simply mentioned here for posterity. It is also # interesting to note that the strings "%02d" and "%02x" occur immediately # afterward, which in light of the above is another clue.
Edo.quieres que las password en un router cisco no se veandesencriptadas?si es eso lo que quieres usa el comando: service password-encriptionNo era precisamente eso , sino mas bien el metodo de encriptacion que usan , de hecho me encontre que no es similar [ en unix x ej algo normal seria zdDlhM3s9LPzK , pero en cisco el formato es 04025D0319731D ] y quisiera saber cual en si es la diferencia , y si por ejemplo el crack es capaz de detectar este algoritmo. A todo esto ese formato me sale al crear acceso a usuarios ppp/slip .HernanSaludos Edo.
* Espero esto sea lo ke buscas. Saludos AcidGum http://spin.com.mx/~rarriola/ --------------96EA5FBD7A6DF08BC1E0A593--
Current thread:
- Re: [seg-l] Passwords en Cisco (fwd) Gustavo A. Lozano (Oct 31)