Date: Mon, 8 Dec 2014 17:08:50 +0100
From: Nicolas Collignon <>
Subject: Cisco ACS repository passwords decryption / samples request


I had to audit several Cisco ACS configurations recently and wanted to
check for password quality.
Cisco ACS configurations contain several hash types including at
least md5crypt and another hash format for "ACS repositories".

The repository hash format is just 3DES-CBC with a hardcoded key/IV.
Since the padding handling of the Cisco ACS password hash function looks
wrong^Wweird, I'm not sure if the provided code works for passwords
between 8-15 chars and above 16 chars.

If anyone is able to provide repository password hashes for the
following passwords, I could check/fix the code:
 - @A1aaaaaaaaaaaa
 - @A2aaaaaaaaaaaab
 - @A3aaaaaaaaaaaabc
 - @A4aaaaaaaaaaaaa@...aaaaaaaaaaaa

The hashes can be found in the configuration dump.
repository backup
  url ftp://x.x.x.x/ACS/
  user <login> password hash <40-hexdigits-string>

I'm sending the email to this list because the question has already
been asked in April 2013, subject "RE: Cisco ACS username: hash or
crypt or.... and de-encoding?"
So the conclusion is john is not needed for ACS repositories.

The attached script is able to decrypt all hashes from the 2013 emails:
$ python \
           e9946ba7c6d935abb632cebc1f3caf125fb12f1d \
           539857e4263c18843a60c877a8372cc4e33a2675 \

e9946ba7c6d935abb632cebc1f3caf125fb12f1d => Abcd123
539857e4263c18843a60c877a8372cc4e33a2675 => aBcd123
9d6afb513cd6b08be15f600545bba0496fd4efd5 => a

Hope it can help...

-- Nicolas Collignon

View attachment "" of type "text/x-python" (1095 bytes)
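For auditing, the repository stanza quoted in the message can be inventoried straight from a configuration dump. The following is an added example, not the script attached to the post, and it performs no decryption; the function name, the sample dump and every value in it are constructed, and only the stanza layout is taken from the message.

```python
import re

# Constructed sample in the stanza layout quoted in the post; all values are made up.
SAMPLE_DUMP = """\
hostname acs-lab
repository backup
  url ftp://192.0.2.10/ACS/
  user backupsvc password hash 00112233445566778899aabbccddeeff00112233
repository offsite
  url sftp://192.0.2.20/acs/
  user archive password hash deadbeef
"""

REPO_RE = re.compile(r"^repository\s+(\S+)\s*$")
URL_RE = re.compile(r"^\s+url\s+(\S+)\s*$")
USER_RE = re.compile(r"^\s+user\s+(\S+)\s+password\s+hash\s+(\S+)\s*$")
HASH_RE = re.compile(r"^[0-9a-fA-F]{40}$")  # "<40-hexdigits-string>" per the post


def find_repository_credentials(dump):
    """List repository stanzas that store a password.

    The stored value is deliberately left out of the result so the
    report can be shared without carrying the recoverable secret.
    """
    findings, current = [], None
    for lineno, line in enumerate(dump.splitlines(), 1):
        m = REPO_RE.match(line)
        if m:  # a new stanza starts at column 0
            current = {"repository": m.group(1), "url": None}
            continue
        if current is None or not line.startswith((" ", "\t")):
            current = None  # unindented line: outside any repository stanza
            continue
        m = URL_RE.match(line)
        if m:
            current["url"] = m.group(1)
            continue
        m = USER_RE.match(line)
        if m:
            findings.append({**current, "user": m.group(1), "line": lineno,
                             "well_formed": bool(HASH_RE.match(m.group(2)))})
    return findings


if __name__ == "__main__":
    for finding in find_repository_credentials(SAMPLE_DUMP):
        print(finding)
```

Every entry returned is a credential to treat as recoverable from the dump, so the dump itself needs the same handling as the plaintext passwords.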
