#! /bin/sh ## Decrypts cisco "encrypted" passwords. Feed this confg files as stdin. ## Anything that looks like a "type 7 encrypted" string gets decrypted. ## This should really be a C program, but is presented as a script just to ## piss off a certain group of people. One beer, please... while read xx ; do case "$xx" in *d\ 7\ [01]??* ) ;; *) continue ;; esac DEC=`echo "$xx" | sed -e 's/.* //' -e 's/\(^..\).*/\1/'` DP1=`expr $DEC + 1` HEX=`echo "$xx" | sed -e 's/.* //' -e 's/^..\(..*\)/\1/'` echo 'dsfd;kfoA,.iyewrkldJKDHSUB' | cut -c "${DP1}-30" > /tmp/cis$$.pad echo '#' > /tmp/cis$$.in for xx in 1-2 3-4 5-6 7-8 9-10 11-12 13-14 15-16 17-18 19-20 21-22 ; do echo "${HEX}" | cut -c $xx | sed -e '/^$/q' -e 's/^/0x/' >> /tmp/cis$$.in done echo -n "${DEC}${HEX}: " data -g < /tmp/cis$$.in | xor /tmp/cis$$.pad echo '' done rm -f /tmp/cis$$.pad /tmp/cis$$.in exit 0 # Discussion: # When "service password-encryption" is configured into a cisco router and # the configuration subsequently viewed, the passwords are no longer printed # as plaintext but as strings of randomish-looking garbage. Analysis of # several samples reveals the scrambling algorithm to be trivially weak. # Dr. Delete derived and published an analysis and decryption program some # time ago, but since that didn't seem to be generally available at the time # I went looking for it, here is an independent explanation. This was worked # out on PAPER over a plate of nachos in a hotel bar in downtown LA, but # still illustrates where a general-purpose "xor" handler can be useful for # quickly cracking lame "proprietary" algorithms of this genre. # Passwords can be up to eleven mixed-case characters. In the "encrypted" # representation, the first two bytes of the long string are a random decimal # offset between 0 and 15 into a magic block of characters, and the remaining # bytes are ascii-hex representations of the password bytes xored against # the character-block bytes from the given offset on down. The character # block is "dsfd;kfoA,.iyewrkldJKDHSUB", which is enough for a maximum-length # password at the maximum offset. # Another character block consisting of "sgvca69834ncxv9873254k;fg87" is # located after the first one in the IOS image, which may be relevant to # something else and is simply mentioned here for posterity. It is also # interesting to note that the strings "%02d" and "%02x" occur immediately # afterward, which in light of the above is another clue. # _H* 960315
This page was created Wed Aug 11 23:18:00 EDT 1999
Using Linux
version 2.0.32
on an i586
Main Page @ Matarese.com
The Myth of the 2600Hz Detector @ Matarese.com
Acquiring Account Information @ Matarese.com
Act2! by Symantec @ Matarese.com
All hacks / Annoyance @ Matarese.com
Alt 2600 Group FAQ @ Matarese.com
Hacking Angelfire @ Matarese.com
Anonymous E-Mail @ Matarese.com
Anonymous FTP: Frequently Asked Questions (FAQ) @ Matarese.com
Maintaining Access - Implementing Backdoors @ Matarese.com
How to Receive Banned Newsgroups FAQ @ Matarese.com
Hacking BBS's @ Matarese.com
phreaking tutorial @ Matarese.com
The Bluebox @ Matarese.com
List of Common Bugs @ Matarese.com
Things that go Bump on the Internet @ Matarese.com
Hacking Calling Cards @ Matarese.com
Expanding the capacity of Caller ID Boxes @ Matarese.com
What is Caller-ID? @ Matarese.com
Hacking Call Back Verify @ Matarese.com
CULT OF THE DEAD COW @ Matarese.com
Cellular Roaming: The New Deals @ Matarese.com
CELLULAR TELEPHONE PHREAKING PHILE SERIES @ Matarese.com
Cracking Unix passwords @ Matarese.com
Hacking Webpages @ Matarese.com
The Matarese Circle @ Matarese.com
Cops and Robbers | UNIX Security @ Matarese.com
Credit Carding Part I @ Matarese.com
Exploits FAQ @ Matarese.com
Making Free Calls @ Matarese.com
FTP Bouncing @ Matarese.com
Hackers Encyclopedia @ Matarese.com
Hacking from Windows9x FTP @ Matarese.com
Hacking Tripod @ Matarese.com
Hacking Web Pages @ Matarese.com
How to crack a UNIX password file. @ Matarese.com
Hacking Servers : A Begginners Guide @ Matarese.com
Hacking Tutorial @ Matarese.com
Hacking UNIX @ Matarese.com
How to Hack the WWWboard Message Board 2.0 @ Matarese.com
Hackers Handbook @ Matarese.com
Guide to Harmless-Hacking @ Matarese.com
All about security holes @ Matarese.com
Hacking Hotmail @ Matarese.com
]How to Hack from from Harlequin and Archangel @ Matarese.com
Improve security by breaking into your site @ Matarese.com
Ch1can0 BEOWULF @ Matarese.com
Internet Security @ Matarese.com
IRC Hacking FAQ by Lord Somer @ Matarese.com
Lan Technology Scorecard @ Matarese.com
Harmless Hacking - Linux @ Matarese.com
INDEX @ Matarese.com
Mail Spoofing Explained @ Matarese.com
Microsoft IIS Vulnerability @ Matarese.com
Microsoft(Yuk) Index Server exposes IDs and Passwords @ Matarese.com
Intresting Microsoft Access 7.0 Trick @ Matarese.com
MS Money 2.0 Back Door @ Matarese.com
Mind Your Own Business (MYOB) @ Matarese.com
This Hack is for the OptiChat Original Chat Room @ Matarese.com
Internet Outdials @ Matarese.com
Introduction to the Internet Protocols @ Matarese.com
Analysis of QueSO Performance @ Matarese.com
Finger - ATTACKING FROM THE OUTSIDE @ Matarese.com
L0pht Security Advisory - Sendmail 8.7.5 @ Matarese.com
Sniffer FAQ V 1.7 @ Matarese.com
SSPING/JOLT patches @ Matarese.com
WORKING OUT-TELNETS @ Matarese.com
How do I post to a moderated newsgroup? @ Matarese.com
What You Should Know About Computer Viruses @ Matarese.com
How can I protect myself from viruses and such? @ Matarese.com
What is a trojan/worm/virus/logic bomb? @ Matarese.com
VMS Info (Password Cracking) @ Matarese.com
HACKING THE WAL-MART ARMORGUARD COMPUTER PROTECTION SYSTEM @ Matarese.com
Using web proxies to disguise your IP address @ Matarese.com
Dig up hidden CD Keys @ Matarese.com
X-Windows Security @ Matarese.com
Copyright (C) 1999 - Matarese.com