Follow us on Twitter or via RSS feeds with tweets or complete announcement texts or excerpts
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 2 Feb 2010 04:47:37 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Cracking CISCO ASA 5510

On Mon, Feb 01, 2010 at 11:54:16AM -0300, Nahuel Grisol?a wrote:
> Hello there, I want to crack the following:
> 
> username USER1 password 8X6XXXXXXXXXXHZB encrypted
> username USER2 password H1HXXXXXXXXX8rwR. encrypted
> 
> Does JtR support this?

I was too quick to state that this was not supported.  It is.  It turns
out that this is the same hashing method that Cisco PIX uses:

$ cat pw
cisco:2KFQnbNIdI.2KYOU

$ ./john pw
Loaded 1 password hash (PIX MD5 [pix-md5 MMX])
cisco            (cisco)

For the specific test above, I had to actually fix a minor bug in
pixMD5_fmt.c (in 1.7.4.2-jumbo-1).  Change the line:

		if(!atoi64[ARCH_INDEX(ciphertext[i])])

to:

		if(atoi64[ARCH_INDEX(ciphertext[i])] == 0x7F)

(the original line would not allow for the dot character in the hash
encoding string).

There are sample hashes and other relevant info here:

http://ccie.pl/viewtopic.php?t=10210
http://www.oxid.it/downloads/pix_passwd.txt
http://www.freerainbowtables.com/phpBB3/viewtopic.php?f=2&t=1441
http://www.openwall.com/lists/john-users/2008/04/15/1

Some of the comments claim that there's a salt involved and hint that
the username is being used as a salt.  This is not the case for the
PIX/ASA hashes supported by JtR.  Maybe those comments were wrong, or
maybe there's something yet unknown (to me) behind them.

Alexander

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ