Date: Tue, 12 Mar 2013 16:13:33 +0100
From: Vlatko Kosturjak <kost@...ux.hr>
To: john-dev@...ts.openwall.com
Subject: Re: Cisco - Password type 4 - SHA256

On Fri, Mar 08, 2013 at 08:19:18AM +0100, Jan Starke wrote:
> Hi Vlatko,
> 
> Do you have the possibility of setting an own type-4 password? If so,
> you could also calculate the SHA256 hash of the password you used and
> compare this with Cisco's value. If both are equal, you can assume
> that Cisco uses a simple SHA256.
> 
> Would you be happy to share your results here?

Hello Jan, and thanks for your interest.

I have tried that already and it is not the same (raw sha256). I have also
tried 100 iterations of raw sha256, base64 iterations (padded and not
padded) and hex iterations without luck. Therefore, they are not using
something standard. Still, they state they are using sha256 and if that's
true - it's just a question of how. I see somebody on the hashcat forum even
tried 1000 iterations without luck.

But from my investigation, it seems that Cisco screwed it up, because
it looks like they are not salting the password at all because:
- hash is same for different users and same password
- hash is same on different devices and different users and same password

Therefore, it is vulnerable to time-memory tradeoff like:
- rainbow tables
- online cracking

That's interesting because they plan to move from type 5 to type 4 in
the future :)
-- 
Vlatko Kosturjak - KoSt
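
One way to audit a set of device configs for the reuse described in the message above (the same type 4 hash for different users and on different devices), as an added example that is not part of the original post. The device names, accounts and hash strings are constructed placeholders; the salted type 5 lines are included for contrast.

```python
import re
from collections import defaultdict

# Constructed sample configs (not real device output); hash strings are placeholders.
CONFIGS = {
    "rtr-a": [
        "username alice secret 4 AAAAconstructedPlaceholderHashValue000000001",
        "username bob secret 4 AAAAconstructedPlaceholderHashValue000000001",
        "username carol secret 5 $1$abcd$constructedPlaceholderA",
        "enable secret 4 BBBBconstructedPlaceholderHashValue000000002",
    ],
    "rtr-b": [
        "username dave secret 4 AAAAconstructedPlaceholderHashValue000000001",
        "username erin secret 5 $1$wxyz$constructedPlaceholderB",
    ],
}

# Matches "username NAME secret TYPE HASH" and "enable secret TYPE HASH".
SECRET_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)\s+secret|enable\s+secret)"
    r"\s+(?P<type>\d+)\s+(?P<hash>\S+)\s*$"
)

def collect_secrets(configs):
    """Map (type, hash) -> sorted list of (device, account) that carry it."""
    seen = defaultdict(set)
    for device, lines in configs.items():
        for line in lines:
            m = SECRET_RE.match(line)
            if m:
                account = m.group("user") or "enable"
                seen[(m.group("type"), m.group("hash"))].add((device, account))
    return {key: sorted(owners) for key, owners in seen.items()}

def shared_hashes(configs, secret_type="4"):
    """Return hashes of one secret type that appear for more than one account.

    With a per-password salt this should be empty even when passwords repeat;
    any hit means equal passwords are visible from the config alone.
    """
    return {
        h: owners
        for (t, h), owners in collect_secrets(configs).items()
        if t == secret_type and len(owners) > 1
    }

if __name__ == "__main__":
    for h, owners in shared_hashes(CONFIGS).items():
        print(f"type 4 hash {h} shared by:")
        for device, account in owners:
            print(f"  {device}: {account}")
```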
