Cisco Password Encryption reversed (EN)
Written by HAL 9000 on October 17th, 2005
http://evilscientists.de/blog/?page_id=343

What's it all about?

The Cisco VPN Client uses weak encryption to store user and group passwords in your local profile file. I coded a little tool to reveal the saved passwords from a given profile file. The Cisco Password Revealer along with the source code can be downloaded here.

The main problem of the method used to encrypt the passwords is that the whole procedure is deterministic and no user input is used. This effectively means that the encryption keys the Cisco Client calculates can also be calculated by any other program, provided that program knows the algorithm. This algorithm has now been reversed.

The algorithm

The algorithm which is used to encrypt a given user/group password is shown below (for further details just consult the source code):

* The current date as a string is retrieved (e.g. Mon Sep 19 20:00:00 2005)
* Then a SHA-1 hash h1 is computed (20 bytes)
* h1 is modified and a new hash h2 is calculated
* h1 is again modified and h3 is calculated
* The 3DES key is made of h2 and the first 4 bytes of h3
* The password is encrypted using 3DES in CBC mode. The IV consists of the first 8 bytes of h1.
* The algorithm computes a last hash h4 from the encrypted password
* The key "enc_UserPassword" in our profile file now looks like this: h1|h4|encrypted password

You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
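The following Go program is an added illustration of the scheme described above; it is not the Cisco Password Revealer's source nor Cisco's code. It mirrors the layout the post gives (h1|h4|3DES-CBC ciphertext, key = h2 || h3[0:4], IV = h1[0:8]) and makes the design flaw concrete: because h1 is stored in the clear at the front of the value and every key byte is derived from h1 alone, the reveal function never needs the date string, a user secret, or anything outside the profile entry. The post does not say how h1 is "modified" before h2 and h3 are hashed, nor which padding is used, so incrementing the last byte of h1 and PKCS#7 padding are assumptions chosen here as placeholders; the sample date and password are constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveKeyIV builds the 3DES key and IV from h1 = SHA-1(date string).
// The post only says h1 is "modified" before h2 and h3 are hashed; bumping
// the last byte is an ASSUMED placeholder for that modification.
func deriveKeyIV(h1 [20]byte) (key, iv []byte) {
	m := h1
	m[19]++ // assumed first modification -> h2
	h2 := sha1.Sum(m[:])
	m[19] += 2 // assumed second modification -> h3
	h3 := sha1.Sum(m[:])
	key = append(append(make([]byte, 0, 24), h2[:]...), h3[:4]...) // h2 || h3[0:4]
	iv = append([]byte{}, h1[:8]...)                                // first 8 bytes of h1
	return key, iv
}

// pkcs7Pad/pkcs7Unpad: padding is not described on the page; PKCS#7 is assumed.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptProfilePassword produces the h1|h4|ciphertext layout from the post.
func encryptProfilePassword(date, password string) ([]byte, error) {
	h1 := sha1.Sum([]byte(date)) // no secret input: the date is the only "entropy"
	key, iv := deriveKeyIV(h1)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	plain := pkcs7Pad([]byte(password), block.BlockSize())
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	h4 := sha1.Sum(ct) // integrity hash over the ciphertext
	blob := make([]byte, 0, 40+len(ct))
	blob = append(blob, h1[:]...)
	blob = append(blob, h4[:]...)
	return append(blob, ct...), nil
}

// revealProfilePassword recovers the password from the stored value alone:
// h1 is read from the blob, so the key and IV are fully determined by data
// that sits next to the ciphertext. The h4 check mirrors the stored hash.
func revealProfilePassword(blob []byte) (string, error) {
	if len(blob) < 40 || (len(blob)-40)%8 != 0 {
		return "", errors.New("malformed enc_UserPassword value")
	}
	var h1 [20]byte
	copy(h1[:], blob[:20])
	h4, ct := blob[20:40], blob[40:]
	if sum := sha1.Sum(ct); !bytes.Equal(sum[:], h4) {
		return "", errors.New("h4 mismatch: ciphertext altered or layout differs")
	}
	key, iv := deriveKeyIV(h1)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pw, err := pkcs7Unpad(pt, block.BlockSize())
	if err != nil {
		return "", err
	}
	return string(pw), nil
}

func main() {
	// Constructed sample values, not taken from a real profile.
	blob, err := encryptProfilePassword("Mon Sep 19 20:00:00 2005", "example-group-pw")
	if err != nil {
		panic(err)
	}
	fmt.Println("enc_UserPassword =", hex.EncodeToString(blob))
	pw, err := revealProfilePassword(blob) // note: no date, no user secret needed
	fmt.Println("revealed:", pw, "err:", err)
}
```

The design lesson for a defender is in `revealProfilePassword`: a scheme whose key derivation takes only non-secret, stored inputs is obfuscation rather than encryption, and a stored password in such a format should be treated as plaintext when assessing exposure of profile files.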
