Full Disclosure mailing list archives
Ciscos VPN-Client-Passwords can be decrypted
From: Thierry Zoller <Thierry () sniff-em com>
Date: Sun, 16 Oct 2005 21:28:41 +0200
Dear List,

[1] heise published a news article today.
[2] EvilScientists reverse engineered the algorithm Cisco uses to _obfuscate_ the passwords.
[3] PoC

Summary:
Cisco uses 3DES to encrypt the passwords, however it does so using a deterministic encryption scheme (no user input) and thus must be reproducible.

The algorithm [2] found was as follows:

* GetDate - convert to string
* Generate an SHA Hash from that string h1 (20 Bytes)
* h1 is modified into Hash h2
* h1 is modified into Hash h3
* h2 and the first 4 Bytes from h3 give the 3DES Key
* The clear text password is now encrypted in 3DES CBC Mode. The IV is the first 8 Bytes of h1.
* If the size of the clear text password is not a multiple of the Block size, the difference to the next block is calculated and padded with a Digit. -> length of password is known
* A last hash is calculated from the encrypted Password h4
* The value of the Key enc_UserPassword is: h1|h4|encrypted password

Credits:
[1] http://www.heise.de/newsticker/meldung/64954
[2] http://evilscientists.de/blog/?page_id=339
[3] http://www.evilscientists.de/blog/?dl=CiscoPasswordRevealer.rar

I take no credit, I am only translating and forwarding.

--
Thierry Zoller
http://thierry.sniff-em.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
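An added example, not part of the original post or of the PoC it links to: a Python audit helper that finds enc_UserPassword entries in a profile, splits each value into the h1|h4|ciphertext layout described above, and reports what that layout exposes without decrypting anything. Assumptions: the value is stored hex-encoded, h4 is SHA-1 over the ciphertext, the function names are hypothetical, and the sample profile is constructed.

```python
import hashlib
import re

BLOCK = 8        # 3DES block size in bytes
HASH_LEN = 20    # SHA-1 digest size; the post gives 20 bytes for h1

ENTRY = re.compile(r"^\s*enc_UserPassword\s*=\s*([0-9A-Fa-f]+)\s*$", re.M)


def parse_enc_value(hex_value):
    """Split h1|h4|ciphertext and report what the layout reveals."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 2 * HASH_LEN + BLOCK:
        raise ValueError("too short for h1|h4|ciphertext")
    h1, h4 = raw[:HASH_LEN], raw[HASH_LEN:2 * HASH_LEN]
    ct = raw[2 * HASH_LEN:]
    if len(ct) % BLOCK:
        raise ValueError("ciphertext is not a whole number of 3DES blocks")
    return {
        "iv": h1[:BLOCK],                      # IV = first 8 bytes of h1
        "blocks": len(ct) // BLOCK,
        # Assumption: h4 is SHA-1 over the ciphertext bytes.
        "h4_matches": hashlib.sha1(ct).digest() == h4,
        # Conservative bound derived from the ciphertext size alone.
        "password_len_range": (len(ct) - BLOCK, len(ct)),
    }


def audit_profile(text):
    """Return one finding per stored enc_UserPassword entry."""
    return [parse_enc_value(m.group(1)) for m in ENTRY.finditer(text)]


def make_sample(ct):
    """Constructed value with the post's layout (not a real password blob)."""
    h1 = hashlib.sha1(b"constructed date string").digest()
    return (h1 + hashlib.sha1(ct).digest() + ct).hex().upper()


# Constructed profile text for the demonstration.
SAMPLE_PROFILE = ("[main]\nHost=vpn.example.invalid\nenc_UserPassword="
                  + make_sample(bytes(range(16))) + "\n")

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Any entry this reports is a stored credential protected only by the deterministic scheme the post describes, so the profile file itself has to be treated as a secret.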
Current thread:
- Ciscos VPN-Client-Passwords can be decrypted Thierry Zoller (Oct 16)
- Re: Ciscos VPN-Client-Passwords can be decrypted Clayton Kossmeyer (Oct 18)