lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <778522901.20051016212841@Sniff-em.com>
Date: Sun Oct 16 20:28:54 2005
From: Thierry at sniff-em.com (Thierry Zoller)
Subject: Ciscos VPN-Client-Passwords can be decrypted


Dear List,

[1] heise published a news article today.
[2] EvilScientists reverse engineered the algorithm Cisco uses to _obscufate_ the
    passwords.
[3] PoC

Summary :
Cisco uses 3des to encrypt the passwords, however it does so using
a deterministic encryption sheme (no user input) and thus must be
reproducible.

The algorithm [2] found was as follows :

* GetDate - convert to string
* Generate an SHA Hash from that string h1 (20 Bytes)
* h1 is modified into Hash h2
* h1 is modified into Hash h3
* h2 and the first 4 Bytes from h3 give the 3DES Key
* The clear text password no encrypted in 3DES CBC Mode. The IV is the first 8 Bytes of h1.
* If the size of the clear text password is not a multiple of the
  Block size, the differece to the next block is calculcated and padded
  with a Digit. -> length of password is known
* A last hash is calculated from the encrypted Password h4
* The value of the Key ?enc_UserPassword? is: h1|h4|verschl?sseltes Passwort

Credits:
[1] http://www.heise.de/newsticker/meldung/64954
[2] http://evilscientists.de/blog/?page_id=339
[3] http://www.evilscientists.de/blog/?dl=CiscoPasswordRevealer.rar
I take no credit I am only translating and forwarding.

-- 
Thierry Zoller
http://thierry.sniff-em.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ