[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050929170014.GX17057@efflam.hsc.fr>
Date: Thu Sep 29 18:40:09 2005
From: Jerome.Poggi at hsc-labs.com (Jerome Poggi)
Subject: Update of ciscocrack.c
Recently I try to use ciscocrack to reveal some password protected with
CISCO xor algorithm, and I see that some long long password can not be
uncipher correctly.
So I update the xlat xor table from the original C file, and now it's Ok
to uncipher good PSK in CISCO WIFI router :-)
Remind tha it only work on :
password 7,
password-enable 7,
ascii 7,
key 7
The original table was :
char xlat[] = {
0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44
};
can be found at PacketStorm
http://packetstorm.linuxsecurity.com/Exploit_Code_Archive/ciscocrack.c
Now the new was :
char xlat[] = {
0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36,
0x39, 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76,
0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b,
0x3b, 0x66, 0x67, 0x38, 0x37,
0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36,
0x39, 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76,
0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b,
0x3b, 0x66, 0x67, 0x38, 0x37
};
It was extract from an uncompressed binary image of IOS 12.2(8)
0df4a70: 6473 6664 3b6b 666f dsfd;kfo
0df4a80: 412c 2e69 7965 7772 6b6c 644a 4b44 4853 A,.iyewrkldJKDHS
0df4a90: 5542 7367 7663 6136 3938 3334 6e63 7876 UBsgvca69834ncxv
0df4aa0: 3938 3733 3235 346b 3b66 6738 3700 0000 9873254k;fg87...
You can find the modified ciscocrack.c file in attached piece.
I extend also some buffer ... ;-)
--
Jerome POGGI Jerome.Poggi@...-labs.com
Herve Schauer Consultants -=- Network security consultant, CISSP
http://www.hsc.fr/ Tel : +33 141 409 700
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ciscocrack.c
Type: text/x-csrc
Size: 5197 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050929/53c256cb/ciscocrack.bin
Powered by blists - more mailing lists