Cisco Password Cracking Script @ Matarese.com

Click here to find books related to 'cisco routers'.

#! /bin/sh ## Decrypts cisco "encrypted" passwords. Feed this confg files as stdin. ## Anything that looks like a "type 7 encrypted" string gets decrypted. ## This should really be a C program, but is presented as a script just to ## piss off a certain group of people. One beer, please... while read xx ; do case "$xx" in *d\ 7\ [01]??* ) ;; *) continue ;; esac DEC=`echo "$xx" | sed -e 's/.* //' -e 's/$^..$.*/\1/'` DP1=`expr $DEC + 1` HEX=`echo "$xx" | sed -e 's/.* //' -e 's/^..$..*$/\1/'` echo 'dsfd;kfoA,.iyewrkldJKDHSUB' | cut -c "${DP1}-30" > /tmp/cis$$.pad echo '#' > /tmp/cis$$.in for xx in 1-2 3-4 5-6 7-8 9-10 11-12 13-14 15-16 17-18 19-20 21-22 ; do echo "${HEX}" | cut -c $xx | sed -e '/^$/q' -e 's/^/0x/' >> /tmp/cis$$.in done echo -n "${DEC}${HEX}: " data -g < /tmp/cis$$.in | xor /tmp/cis$$.pad echo '' done rm -f /tmp/cis$$.pad /tmp/cis$$.in exit 0 # Discussion: # When "service password-encryption" is configured into a cisco router and # the configuration subsequently viewed, the passwords are no longer printed # as plaintext but as strings of randomish-looking garbage. Analysis of # several samples reveals the scrambling algorithm to be trivially weak. # Dr. Delete derived and published an analysis and decryption program some # time ago, but since that didn't seem to be generally available at the time # I went looking for it, here is an independent explanation. This was worked # out on PAPER over a plate of nachos in a hotel bar in downtown LA, but # still illustrates where a general-purpose "xor" handler can be useful for # quickly cracking lame "proprietary" algorithms of this genre. # Passwords can be up to eleven mixed-case characters. In the "encrypted" # representation, the first two bytes of the long string are a random decimal # offset between 0 and 15 into a magic block of characters, and the remaining # bytes are ascii-hex representations of the password bytes xored against # the character-block bytes from the given offset on down. The character # block is "dsfd;kfoA,.iyewrkldJKDHSUB", which is enough for a maximum-length # password at the maximum offset. # Another character block consisting of "sgvca69834ncxv9873254k;fg87" is # located after the first one in the IOS image, which may be relevant to # something else and is simply mentioned here for posterity. It is also # interesting to note that the strings "%02d" and "%02x" occur immediately # afterward, which in light of the above is another clue. # _H* 960315

This page was created Wed Aug 11 23:18:00 EDT 1999
Using Linux version 2.0.32 on an i586

Main Page @ Matarese.com The Myth of the 2600Hz Detector @ Matarese.com Acquiring Account Information @ Matarese.com

Act2! by Symantec @ Matarese.com All hacks / Annoyance @ Matarese.com

Alt 2600 Group FAQ @ Matarese.com Hacking Angelfire @ Matarese.com

Anonymous E-Mail @ Matarese.com Anonymous FTP: Frequently Asked Questions (FAQ) @ Matarese.com

Maintaining Access - Implementing Backdoors @ Matarese.com How to Receive Banned Newsgroups FAQ @ Matarese.com

Hacking BBS's @ Matarese.com phreaking tutorial @ Matarese.com

The Bluebox @ Matarese.com List of Common Bugs @ Matarese.com

Things that go Bump on the Internet @ Matarese.com Hacking Calling Cards @ Matarese.com

Expanding the capacity of Caller ID Boxes @ Matarese.com What is Caller-ID? @ Matarese.com

Hacking Call Back Verify @ Matarese.com CULT OF THE DEAD COW @ Matarese.com

Cellular Roaming: The New Deals @ Matarese.com CELLULAR TELEPHONE PHREAKING PHILE SERIES @ Matarese.com