Date: Sat, 7 Aug 2010 20:04:58 -0600 From: Robert Ramsey <ramseyrt@...il.com> To: john-users@...ts.openwall.com Subject: Re: Cracking CISCO ASA 5510 Hello, Thanks for the quick response. I used the patch and john is working now with my Pix passwords (I'll try some ASA passwords on Monday). I have another question. In my Pix, I have a login password, enable password, and user account password. I set each password to "cangetin". The original entries look like this: enable password TynyB./ftknE77QP encrypted passwd TynyB./ftknE77QP encrypted username rramsey password jgBZqYtsWfGcUKDi encrypted privilege 15 I modify them: enable:TynyB./ftknE77QP passwd:TynyB./ftknE77QP rramsey:jgBZqYtsWfGcUKDi Without any salt, the first two passwords are obviously the same. Looking at the associated threads for the example below, it looks like the first few characters of the username are used for salt. Since the login password and enable password doesn't have a user name, they don't have any salt (which is why they look the same). How does jtr know that there's no salt for the "enable" and "passwd" accounts? I added "cangetin" to the beginning of the password.lst so each password would break immediately. When I run john on my three passwords the "enable" and "passwd" accounts break immediately (as predicted) but the rramsey account doesn't. In fact, when I hit the space bar to get a status, I can see that john is trying other passwords. Why doesn't the rramsey account break right away? I tried two tests. First test had all three passwords in one file. Since john stated "no different salts" I figured I should put rramsey in a separate file. With rramsey in its own file, I still wasn't able to break it right away... [rramsey@...ora run]$ ./john pix.pw Loaded 3 password hashes with no different salts (PIX MD5 [pix-md5 SSE2]) cangetin (enable) cangetin (passwd) guesses: 2 time: 0:00:00:02 (3) c/s: 2093K trying: kh1m3 - 49345678 guesses: 2 time: 0:00:00:03 (3) c/s: 3335K trying: lstygg - lstyke guesses: 2 time: 0:00:00:04 (3) c/s: 4165K trying: ciameet - ciameed guesses: 2 time: 0:00:00:05 (3) c/s: 4907K trying: marndms - marndub Session aborted [rramsey@...ora run]$ ./john --wordlist=password.lst rramsey.pw Loaded 1 password hash (PIX MD5 [pix-md5 SSE2]) guesses: 0 time: 0:00:00:00 100.00% (ETA: Sat Aug 7 20:02:14 2010) c/s: 52650 trying: saved - hallo Thanks in advance, Rob On Sat, Aug 7, 2010 at 12:16 PM, Solar Designer <solar@...nwall.com> wrote: > On Sat, Aug 07, 2010 at 05:47:04PM +0000, Robert Ramsey wrote: >> The two versions of jtr I tried follow: >> >> john-1.7.6.tar (source), using linux-x86-sse2 with make >> john-184.108.40.206-1.fc13.i686 (rpm), pulled down with yum >> >> Looking at the example above this should just work. Am I missing something? > > PIX hashes are not supported by the official JtR. The support is added > with the jumbo patch, so you need to apply it: > > http://www.openwall.com/john/#contrib > http://openwall.info/wiki/john/how-to-extract-tarballs-and-apply-patches > >> When I try to crack a password from one of my 2500 series routers, john works >> just fine: >> >> [rramsey@...ora run]$ cat 2500.pw >> enable:$1$Tkln$T7WMpUgXmrrAhLV7ptiWB/ >> home:$1$7OIB$denN36OJ68zxWcPIdZsGI. > > These are FreeBSD-style MD5-based crypt(3) hashes, also used by many > Linux distros and by some Cisco products, which the official JtR > includes support for. So no patch is needed for these. You may want to > use a 64-bit build of JtR for much better performance at these hashes, > though. (Or Simon's patch from the wiki for even better performance, > but that's tricky.) > > Alexander >
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.