Bugtraq mailing list archives

Re: [seg-l] Passwords on Cisco (fwd)


From: glozano () COLINTER NET (Gustavo A. Lozano)
Date: Fri, 31 Oct 1997 15:55:30 -0500




Gustavo A. Lozano.
Internet de Colombia S.A.
glozano () colinter net

fingerprint = 74 37 A4 1F FA D3 B1 CC  C2 E2 07 80 1E 0F 4A B6


---------- Forwarded message ----------
Date: Fri, 30 May 1997 23:40:12 +0100
From: AcidGum <ACIDGUM () hotmail com>
Reply-To: seg-l () secnet com
To: seg-l () secnet com
Subject: Re: [seg-l] Passwords on Cisco

edo () infocable cl wrote:

#! /bin/sh
## Decrypts cisco "encrypted" passwords.  Feed this confg files as stdin.
## Anything that looks like a "type 7 encrypted" string gets decrypted.
## This should really be a C program, but is presented as a script just to
## piss off a certain group of people.  One beer, please...

while read xx ; do
  case "$xx" in
    *d\ 7\ [01]??* ) ;;
    *) continue ;;
  esac
  DEC=`echo "$xx" | sed -e 's/.* //' -e 's/\(^..\).*/\1/'`
  DP1=`expr $DEC + 1`
  HEX=`echo "$xx" | sed -e 's/.* //' -e 's/^..\(..*\)/\1/'`
  echo 'dsfd;kfoA,.iyewrkldJKDHSUB' | cut -c "${DP1}-30" > /tmp/cis$$.pad
  echo '#' > /tmp/cis$$.in
  for xx in 1-2 3-4 5-6 7-8 9-10 11-12 13-14 15-16 17-18 19-20 21-22 ; do
    echo "${HEX}" | cut -c $xx | sed -e '/^$/q' -e 's/^/0x/' >> /tmp/cis$$.in
  done
  echo -n "${DEC}${HEX}: "
  data -g < /tmp/cis$$.in | xor /tmp/cis$$.pad
  echo ''
done
rm -f /tmp/cis$$.pad /tmp/cis$$.in
exit 0

# Discussion:

# When "service password-encryption" is configured into a cisco router and
# the configuration subsequently viewed, the passwords are no longer printed
# as plaintext but as strings of randomish-looking garbage.  Analysis of
# several samples reveals the scrambling algorithm to be trivially weak.

# Dr. Delete derived and published an analysis and decryption program some
# time ago, but since that didn't seem to be generally available at the time
# I went looking for it, here is an independent explanation.  This was worked
# out on PAPER over a plate of nachos in a hotel bar in downtown LA, but
# still illustrates where a general-purpose "xor" handler can be useful for
# quickly cracking lame "proprietary" algorithms of this genre.

# Passwords can be up to eleven mixed-case characters.  In the "encrypted"
# representation, the first two bytes of the long string are a random decimal
# offset between 0 and 15 into a magic block of characters, and the remaining
# bytes are ascii-hex representations of the password bytes xored against
# the character-block bytes from the given offset on down.  The character
# block is "dsfd;kfoA,.iyewrkldJKDHSUB", which is enough for a maximum-length
# password at the maximum offset.

# Another character block consisting of "sgvca69834ncxv9873254k;fg87" is
# located after the first one in the IOS image, which may be relevant to
# something else and is simply mentioned here for posterity.  It is also
# interesting to note that the strings "%02d" and "%02x" occur immediately
# afterward, which in light of the above is another clue.


Edo.


do you want the passwords on a cisco router not to be shown
decrypted?

if that is what you want, use the command:

service password-encryption

It wasn't exactly that, but rather the encryption method they
use; in fact I found that it is not similar [in unix, for example,
something normal would be zdDlhM3s9LPzK, but in cisco the format is
04025D0319731D] and I would like to know what the difference actually
is, and whether, for example, crack is able to detect this algorithm.
By the way, I get this format when creating access for ppp/slip users.

Hernan

Regards
Edo.

* I hope this is what you're looking for.


Regards, AcidGum
http://spin.com.mx/~rarriola/
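
The scheme described in the Discussion above, as an added Python example that is not part of the original messages: it audits a configuration for type 7 strings and shows that each one is reversible using only the character block quoted in the post. The sample configuration, the function names and the line-matching regular expression are constructed for this example; a string that would run past the 26-character block is reported rather than guessed at.

```python
import re

# Character block exactly as quoted in the post above (26 characters).
PAD = "dsfd;kfoA,.iyewrkldJKDHSUB"
# Assumed line shape: "... 7 <2 decimal digits><hex byte pairs>" at end of line.
LINE = re.compile(r"\s7\s+(\d{2}(?:[0-9A-Fa-f]{2})+)\s*$")

def decode_type7(token):
    """Undo the scrambling: decimal offset into PAD, then hex bytes XOR PAD."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", token):
        raise ValueError("not a type 7 string")
    offset, data = int(token[:2]), bytes.fromhex(token[2:])
    if offset + len(data) > len(PAD):
        raise ValueError("runs past the character block given in the post")
    return "".join(chr(b ^ ord(PAD[offset + i])) for i, b in enumerate(data))

def audit_config(text):
    """Return (line number, directive, status) for every type 7 string found."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = LINE.search(line)
        if not match:
            continue
        try:
            status = "reversible: " + decode_type7(match.group(1))
        except ValueError as err:
            status = "unparsed: " + str(err)
        findings.append((number, line[:match.start(1)].strip(), status))
    return findings

# Constructed sample configuration; none of these values come from the thread.
SAMPLE = """\
service password-encryption
enable secret 5 $1$constructed$placeholder-not-a-real-hash
username demo password 7 02050D480809
line vty 0 4
 password 7 150102030405060708090A0B0C
"""

if __name__ == "__main__":
    for number, directive, status in audit_config(SAMPLE):
        print(f"line {number}: {directive} -> {status}")
```

Any line the audit reports as reversible holds a password that anyone with read access to the configuration can recover, so it should be treated as stored in plaintext.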
