Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 Aug 2010 20:04:58 -0600
From: Robert Ramsey <>
Subject: Re: Cracking CISCO ASA 5510


Thanks for the quick response.  I used the patch and john is working
now with my Pix passwords (I'll try some ASA passwords on Monday).

I have another question.

In my Pix, I have a login password, enable password, and user account
password.  I set each password to "cangetin".  The original entries
look like this:

enable password TynyB./ftknE77QP encrypted
passwd TynyB./ftknE77QP encrypted
username rramsey password jgBZqYtsWfGcUKDi encrypted privilege 15

I modify them:


Without any salt, the first two passwords are obviously the same.
Looking at the associated threads for the example below, it looks like
the first few characters of the username are used for salt.  Since the
login password and enable password doesn't have a user name, they
don't have any salt (which is why they look the same).  How does jtr
know that there's no salt for the "enable" and "passwd" accounts?

I added "cangetin" to the beginning of the password.lst so each
password would break immediately.  When I run john on my three
passwords the "enable" and "passwd" accounts break immediately (as
predicted) but the rramsey account doesn't.  In fact, when I hit the
space bar to get a status, I can see that john is trying other
passwords.  Why doesn't the rramsey account break right away?

I tried two tests.  First test had all three passwords in one file.
Since john stated "no different salts" I figured I should put rramsey
in a separate file.  With rramsey in its own file, I still wasn't able
to break it right away...

[rramsey@...ora run]$ ./john
Loaded 3 password hashes with no different salts (PIX MD5 [pix-md5 SSE2])
cangetin         (enable)
cangetin         (passwd)
guesses: 2  time: 0:00:00:02 (3)  c/s: 2093K  trying: kh1m3 - 49345678
guesses: 2  time: 0:00:00:03 (3)  c/s: 3335K  trying: lstygg - lstyke
guesses: 2  time: 0:00:00:04 (3)  c/s: 4165K  trying: ciameet - ciameed
guesses: 2  time: 0:00:00:05 (3)  c/s: 4907K  trying: marndms - marndub
Session aborted

[rramsey@...ora run]$ ./john --wordlist=password.lst
Loaded 1 password hash (PIX MD5 [pix-md5 SSE2])
guesses: 0  time: 0:00:00:00 100.00% (ETA: Sat Aug  7 20:02:14 2010)
c/s: 52650  trying: saved - hallo

Thanks in advance,


On Sat, Aug 7, 2010 at 12:16 PM, Solar Designer <> wrote:
> On Sat, Aug 07, 2010 at 05:47:04PM +0000, Robert Ramsey wrote:
>> The two versions of jtr I tried follow:
>> john-1.7.6.tar (source), using linux-x86-sse2 with make
>> john- (rpm), pulled down with yum
>> Looking at the example above this should just work.  Am I missing something?
> PIX hashes are not supported by the official JtR.  The support is added
> with the jumbo patch, so you need to apply it:
>> When I try to crack a password from one of my 2500 series routers, john works
>> just fine:
>> [rramsey@...ora run]$ cat
>> enable:$1$Tkln$T7WMpUgXmrrAhLV7ptiWB/
>> home:$1$7OIB$denN36OJ68zxWcPIdZsGI.
> These are FreeBSD-style MD5-based crypt(3) hashes, also used by many
> Linux distros and by some Cisco products, which the official JtR
> includes support for.  So no patch is needed for these.  You may want to
> use a 64-bit build of JtR for much better performance at these hashes,
> though.  (Or Simon's patch from the wiki for even better performance,
> but that's tricky.)
> Alexander

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.