
[Full-disclosure] Update of ciscocrack.c

Subject: [Full-disclosure] Update of ciscocrack.c
Date: Thu, 29 Sep 2005 19:00:14 +0200
Recently I tried to use ciscocrack to reveal some passwords protected with
the CISCO xor algorithm, and I saw that some long long passwords could not be
deciphered correctly.
So I updated the xlat xor table from the original C file, and now it's OK
to decipher good PSKs in CISCO WIFI routers  :-)

Remember that it only works on:
  password 7,
  password-enable 7, 
  ascii 7,
  key 7

The original table was:
char xlat[] = {
        0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
        0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
        0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44
};

It can be found at PacketStorm:
http://packetstorm.linuxsecurity.com/Exploit_Code_Archive/ciscocrack.c

The new one is:
char xlat[] = {
        0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
        0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
        0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
        0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36,
        0x39, 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76,
        0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b,
        0x3b, 0x66, 0x67, 0x38, 0x37,
        0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
        0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
        0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
        0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36,
        0x39, 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76,
        0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b,
        0x3b, 0x66, 0x67, 0x38, 0x37
};

It was extracted from an uncompressed binary image of IOS 12.2(8)

0df4a70:                     6473 6664 3b6b 666f          dsfd;kfo
0df4a80: 412c 2e69 7965 7772 6b6c 644a 4b44 4853  A,.iyewrkldJKDHS
0df4a90: 5542 7367 7663 6136 3938 3334 6e63 7876  UBsgvca69834ncxv
0df4aa0: 3938 3733 3235 346b 3b66 6738 3700 0000  9873254k;fg87...

You can find the modified ciscocrack.c file in the attachment.

I also extended some buffers ... ;-)

--
Jerome POGGI                               Jerome.Poggi@hsc-labs.com
Herve Schauer Consultants   -=-   Network security consultant, CISSP
http://www.hsc.fr/                             Tel : +33 141 409 700

Attachment: ciscocrack.c
Description: Text Data

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
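
The table-length problem described in the message, as an added example (not the attached ciscocrack.c and not code from the post): a type 7 decoder that reports when the 22-byte table runs out and decodes the same string with the 53-byte table. The function names, the modulo-53 wrap used in place of the doubled table, the seed limit of 15 and the sample key are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The 53 table bytes from the post, written as the ASCII shown in its hex dump. */
static const char XLAT[] = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87";
enum { XLAT_OLD = 22, XLAT_FULL = 53 };   /* truncated vs. complete table length */

/* Decode a type 7 string knowing only the first tab_len table bytes.
 * Returns the plaintext length, -1 for malformed input or a small buffer,
 * -2 when a key byte past tab_len is needed (the short-table failure).
 * Assumption: with the full table the index wraps modulo 53. */
int type7_decode(const char *enc, size_t tab_len, char *out, size_t out_sz) {
    size_t len = strlen(enc), n = len / 2 - 1, i;
    unsigned seed, byte;
    if (len < 4 || len % 2 || n + 1 > out_sz) return -1;
    if (!isdigit((unsigned char)enc[0]) || !isdigit((unsigned char)enc[1])) return -1;
    seed = (unsigned)(enc[0] - '0') * 10 + (unsigned)(enc[1] - '0');
    if (seed > 15) return -1;              /* assumed valid seed range: 00..15 */
    for (i = 0; i < n; i++) {
        size_t k = seed + i;               /* key index for plaintext byte i */
        if (!isxdigit((unsigned char)enc[2 + 2 * i]) ||
            !isxdigit((unsigned char)enc[3 + 2 * i]) ||
            sscanf(enc + 2 + 2 * i, "%2x", &byte) != 1) return -1;
        if (k >= tab_len && tab_len < XLAT_FULL) return -2;
        out[i] = (char)(byte ^ (unsigned char)XLAT[k % XLAT_FULL]);
    }
    out[n] = '\0';
    return (int)n;
}

/* Inverse operation, used here only to build constructed sample strings. */
int type7_encode(const char *plain, unsigned seed, char *out, size_t out_sz) {
    size_t n = strlen(plain), i;
    if (seed > 15 || 2 * n + 3 > out_sz) return -1;
    snprintf(out, 3, "%02u", seed);
    for (i = 0; i < n; i++)
        snprintf(out + 2 + 2 * i, 3, "%02X", (unsigned)((unsigned char)plain[i] ^
                 (unsigned char)XLAT[(seed + i) % XLAT_FULL]));
    return (int)(2 + 2 * n);
}

int main(void) {
    char enc[128], dec[64];
    /* Constructed sample: 30 characters with seed 5, so key indexes reach 34. */
    type7_encode("constructed-sample-psk-0123456", 5, enc, sizeof enc);
    printf("%s\n22-byte table: %d\n", enc, type7_decode(enc, XLAT_OLD, dec, sizeof dec));
    printf("53-byte table: %d (%s)\n", type7_decode(enc, XLAT_FULL, dec, sizeof dec), dec);
    return 0;
}
```

Any type 7 string whose seed plus length exceeds 22 needs table bytes the original 22-entry array does not contain, which is why only long keys such as WiFi PSKs were affected.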