Date: Tue, 2 Feb 2010 22:31:49 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Cracking CISCO ASA 5510

On Tue, Feb 02, 2010 at 03:11:09PM -0300, Nahuel Grisolía wrote:
> alex:h3mJrcH0901pqX/m
> cisco:3USUcOPFUiMCO4Jk
> cisco1:3USUcOPFUiMCO4Jk
> admcom:lZt7HSIXw3.QP7.R
> 
> alex:ripper
> cisco and cisco1 : cisco (no salt!)

I've figured this out.  There is a salt - it is the first four
characters of the username.  This salt gets appended to the password.
The code currently in john-1.7.4.2-jumbo-2 cracks your hashes above as:

h3mJrcH0901pqX/m:ripperalex
3USUcOPFUiMCO4Jk:ciscocisc
lZt7HSIXw3.QP7.R:CscFw-ITC!admc

Similarly, I was able to crack some hashes found on the web:

hN7LzeyYjw12FSIU:ciscojohn
7DrfeZ7cyOj/PslD:ciscojack

It was said that the usernames were "john" and "jack", and the password
was simply "cisco".

Thus, for cracking individual passwords you may use a wordlist rule like:

[List.Rules:NewPIX]
Az"cisc"

or an external filter() like:

[List.External:NewPIX]
void filter()
{
	int i;

	i = 0;
	while (word[i])
		i++;
	word[i++] = 'c';
	word[i++] = 'i';
	word[i++] = 's';
	word[i++] = 'c';
	word[i] = 0;
}

The filter() is compatible with any cracking mode, for example:

$ ./john -i -e=newpix pw
Loaded 3 password hashes with no different salts (PIX MD5 [pix-md5 MMX])
ciscocisc        (cisco)

Obviously, it will only succeed in cracking the correct-username hash.

Alexander
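
Added example (not part of the original message and not John the Ripper's code): it recomputes the hashes quoted above from password + first four username characters, and shows why "cisco" and "cisco1" end up with one identical hash. The hash construction itself (NUL-padding to 16 bytes, MD5, dropping every fourth byte, crypt-style base-64) is not stated in the post and is assumed here; pix_md5 and shared_hashes are illustrative names.

```python
import hashlib

# crypt-style base-64 alphabet (assumed encoding for PIX MD5 hashes)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def pix_md5(password, username):
    """Hash password with the salt described in the post: username[:4] appended.

    Assumes ASCII input, usernames of at least four characters (as in the
    post) and a combined length of at most 16 bytes.
    """
    secret = (password + username[:4]).encode("ascii")
    if len(secret) > 16:
        raise ValueError("only secrets of up to 16 bytes are handled here")
    digest = hashlib.md5(secret.ljust(16, b"\0")).digest()
    out = []
    for i in range(0, 16, 4):
        # keep the low 24 bits of each little-endian 32-bit word,
        # then emit them 6 bits at a time, least significant first
        v = int.from_bytes(digest[i:i + 3], "little")
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    return "".join(out)


def shared_hashes(entries):
    """Return {hash: [usernames]} for hashes that occur more than once.

    Because the salt is only the first four username characters, a repeat
    means those accounts share both a password and a username prefix.
    """
    groups = {}
    for user, digest in entries:
        groups.setdefault(digest, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# (username, hash) pairs quoted in the message above
POSTED = [("alex", "h3mJrcH0901pqX/m"), ("cisco", "3USUcOPFUiMCO4Jk"),
          ("cisco1", "3USUcOPFUiMCO4Jk"), ("admcom", "lZt7HSIXw3.QP7.R")]

if __name__ == "__main__":
    for user, pw in [("alex", "ripper"), ("cisco", "cisco"), ("cisco1", "cisco")]:
        print(user, pix_md5(pw, user))
    print(shared_hashes(POSTED))
```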
