Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 Mar 2013 16:13:33 +0100
From: Vlatko Kosturjak <kost@...ux.hr>
To: john-dev@...ts.openwall.com
Subject: Re: Cisco - Password type 4 - SHA256

On Fri, Mar 08, 2013 at 08:19:18AM +0100, Jan Starke wrote:
> Hi Vlatko,
> 
> Do you have the possibility of setting an own type-4 password? If so,
> you could also calculate the SHA256 hash of the password you used and
> compare this with Cisco's value. If both are equal, you can assume
> that Cisco uses a simple SHA256.
> 
> Would you be happy the share your results here?

Hello Jan and thanks for your interest. 

I have tried that already and it is not the same (raw sha256). I have also 
tried 100 iterations of raw sha256, base64 iterations (padded and not 
padded) and hex iterations without luck. Therefore, they are not using
something standard. Still, they state they are using sha256 and if that's
true - it's just question how. I see somebody on hashcat forum tried even 
1000 iterations without luck. 

But from my investigation, it seems that Cisco screwed it up, because 
it looks they are not salting the password at all because:
- hash is same for different users and same password
- hash is same on different devices and different users and same password

Therefore, it is vulnerable to time-memory tradeoff like:
- rainbow tables
- online cracking

That's interesting because they plan to move from type 5 to type 4 in 
future :)
-- 
Vlatko Kosturjak - KoSt

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ