Hello everyone,
Read below.
------
Ilya Shulman ish@east.ru +7-095-956-4951 ISH-RIPN
East Connection ISP, Moscow, Russia. http://www.east.ru
-----Original Message-----
From: Gustavo A. Lozano <glozano@COLINTER.NET>
To: BUGTRAQ@NETSPACE.ORG <BUGTRAQ@NETSPACE.ORG>
Date: 1 November 1997, 1:02
Subject: Re: [seg-l] Passwords on Cisco (fwd)
>
>
>Gustavo A. Lozano.
>Internet de Colombia S.A.
>glozano@colinter.net
>
>fingerprint = 74 37 A4 1F FA D3 B1 CC C2 E2 07 80 1E 0F 4A B6
>
>
>---------- Forwarded message ----------
>Date: Fri, 30 May 1997 23:40:12 +0100
>From: AcidGum <ACIDGUM@hotmail.com>
>Reply-To: seg-l@secnet.com
>To: seg-l@secnet.com
>Subject: Re: [seg-l] Passwords on Cisco
>
>edo@infocable.cl wrote:
>
>#! /bin/sh
>## Decrypts cisco "encrypted" passwords. Feed this confg files as stdin.
>## Anything that looks like a "type 7 encrypted" string gets decrypted.
>## This should really be a C program, but is presented as a script just to
>## piss off a certain group of people. One beer, please...
>
>while read xx ; do
>  case "$xx" in
>    *d\ 7\ [01]??* ) ;;
>    *) continue ;;
>  esac
>  DEC=`echo "$xx" | sed -e 's/.* //' -e 's/\(^..\).*/\1/'`
>  DP1=`expr $DEC + 1`
>  HEX=`echo "$xx" | sed -e 's/.* //' -e 's/^..\(..*\)/\1/'`
>  echo 'dsfd;kfoA,.iyewrkldJKDHSUB' | cut -c "${DP1}-30" > /tmp/cis$$.pad
>  echo '#' > /tmp/cis$$.in
>  for xx in 1-2 3-4 5-6 7-8 9-10 11-12 13-14 15-16 17-18 19-20 21-22 ; do
>    echo "${HEX}" | cut -c $xx | sed -e '/^$/q' -e 's/^/0x/' >> /tmp/cis$$.in
>  done
>  echo -n "${DEC}${HEX}: "
>  data -g < /tmp/cis$$.in | xor /tmp/cis$$.pad
>  echo ''
>done
>rm -f /tmp/cis$$.pad /tmp/cis$$.in
>exit 0
>
># Discussion:
>
># When "service password-encryption" is configured into a cisco router and
># the configuration subsequently viewed, the passwords are no longer printed
># as plaintext but as strings of randomish-looking garbage. Analysis of
># several samples reveals the scrambling algorithm to be trivially weak.
>
># Dr. Delete derived and published an analysis and decryption program some
># time ago, but since that didn't seem to be generally available at the time
># I went looking for it, here is an independent explanation. This was worked
># out on PAPER over a plate of nachos in a hotel bar in downtown LA, but
># still illustrates where a general-purpose "xor" handler can be useful for
># quickly cracking lame "proprietary" algorithms of this genre.
>
># Passwords can be up to eleven mixed-case characters. In the "encrypted"
># representation, the first two bytes of the long string are a random decimal
># offset between 0 and 15 into a magic block of characters, and the remaining
># bytes are ascii-hex representations of the password bytes xored against
># the character-block bytes from the given offset on down. The character
># block is "dsfd;kfoA,.iyewrkldJKDHSUB", which is enough for a maximum-length
># password at the maximum offset.
>
># Another character block consisting of "sgvca69834ncxv9873254k;fg87" is
># located after the first one in the IOS image, which may be relevant to
># something else and is simply mentioned here for posterity. It is also
># interesting to note that the strings "%02d" and "%02x" occur immediately
># afterward, which in light of the above is another clue.
>
>> >
>> > > Edo.
>> >
>> >
>> > Do you want the passwords on a Cisco router not to be shown
>> > decrypted?
>> >
>> > If that is what you want, use the command:
>> >
>> > service password-encryption
>>
>> It wasn't exactly that, but rather the encryption method they use.
>> In fact I found that it is not similar [in Unix, for example,
>> something normal would be zdDlhM3s9LPzK, but on Cisco the format is
>> 04025D0319731D], and I would like to know what the difference
>> actually is, and whether, for example, crack is able to detect this
>> algorithm. By the way, I get this format when creating access for
>> ppp/slip users.
>>
>> > Hernan
>>
>> Regards
>> Edo.
>
>* I hope this is what you are looking for.
>
>
>Regards, AcidGum
>http://spin.com.mx/~rarriola/
>
=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
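
The scheme described in the quoted discussion, as an added Python example that is not part of the original message: it flags type 7 strings in a configuration and shows that they reverse with the character block given in the post. The function names, the sample configuration and its passwords are constructed for illustration.

```python
import re

# Character block quoted in the post; offset (0-15) + 11 password bytes fit in it.
PAD = b"dsfd;kfoA,.iyewrkldJKDHSUB"
# "7", a two-digit decimal offset, then one or more hex byte pairs at end of line.
TYPE7_RE = re.compile(r"\b7\s+(\d{2})((?:[0-9A-Fa-f]{2})+)\s*$")

def decode_type7(field):
    """Reverse a type 7 string: decimal offset, then hex bytes XORed with PAD."""
    offset, body = int(field[:2]), bytes.fromhex(field[2:])
    if offset + len(body) > len(PAD):
        raise ValueError("offset/length runs past the character block")
    plain = bytes(b ^ PAD[offset + i] for i, b in enumerate(body))
    return plain.decode("ascii", "replace")

def encode_type7(password, offset):
    """Inverse of decode_type7; used here only to build the constructed sample."""
    raw = password.encode("ascii")
    if not 0 <= offset <= 15 or offset + len(raw) > len(PAD):
        raise ValueError("offset/length runs past the character block")
    return "%02d" % offset + "".join(
        "%02X" % (b ^ PAD[offset + i]) for i, b in enumerate(raw))

def audit_config(text):
    """Return (line_no, line, recovered) for each type 7 string in a config."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = TYPE7_RE.search(line)
        if not m:
            continue
        try:
            recovered = decode_type7(m.group(1) + m.group(2))
        except ValueError:
            recovered = None  # still flagged; not decodable with this block
        findings.append((n, line.strip(), recovered))
    return findings

# Constructed sample configuration (hostname, user and passwords are made up).
SAMPLE = "\n".join([
    "hostname lab-rtr",
    "service password-encryption",
    "username demo password 7 " + encode_type7("Example123", 7),
    "line vty 0 4",
    " password 7 " + encode_type7("lab-only", 0),
])

if __name__ == "__main__":
    for n, line, recovered in audit_config(SAMPLE):
        print(f"line {n}: reversible type 7 string -> {recovered!r}")
```

Any line the audit reports holds a credential that anyone with read access to the configuration can recover, so stored or shared copies of such configs need the same handling as plaintext passwords.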