heyglen / network_tech

Cisco config syntax and snippets for Sublime Text
http://network-tech.readthedocs.io
Apache License 2.0

cisco IOS password 7 decode #21

Closed merriry closed 5 years ago

merriry commented 5 years ago

Which Syntax?:

cisco IOS password 7 decode

Expected behavior and actual behavior:

password decode algorithm is incomplete

Steps to reproduce the problem:

try to decode a longer password with a high salt, or make it > ~20 char

Fix:

Run the following command on a switch:

username test privilege 15 password aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

(80 "a") Look at result in config:

username test privilege 15 password 7 08204D4F08180416130A0D052B2A2529323423120617020057585952550F021917585956525354550A5A07065956051207055A0A070E204D4F08180416130A0D052B2A2529323423120617020057585952

This password has a salt of 8 and starts repeating at the 106(53) char (broke up hash for clarity):

08
204D4F08180416130A0D052B2A2529323423120617020057585952550F021917585956525354550A5A07065956051207055A0A070E
204D4F08180416130A0D052B2A2529323423120617020057585952

Since algorithm is well known, run algorithm backwards on section to recover key:

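# first 53 ciphertext bytes (after the salt) of the 80-"a" password
a="204D4F08180416130A0D052B2A2529323423120617020057585952550F021917585956525354550A5A07065956051207055A0A070E"
ciscopwkey=""
for i in range(0,len(a),2):
    # XOR each ciphertext byte with the known plaintext byte "a" to get the key byte
    ciscopwkey+=(chr(int(a[i] + a[i+1],16) ^ ord("a")))
print(ciscopwkey)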

result:

A,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87dsfd;kfo

since salt was 8, the last 8 char get moved to the front:

dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87

use this in the decode algorithm:

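password = "140713181F13253920"  # type 7 string from the config, salt digits included
salt = int(password[0:2])  # first two digits: decimal start offset into the key
TRANSLATION_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
decoded_password = ''
for password_index in range(2, len(password), 2):
    decoded_password += chr(int(password[password_index] + password[password_index+1], 16) ^ ord(TRANSLATION_KEY[salt]))
    salt += 1
    # wrap to the start of the 53-character key so long passwords decode
    if salt == 53:
        salt = 0
print(decoded_password)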

results(these were entered on a switch):

username test privilege 15 password 7 140713181F13253920

returns:

password

username test privilege 15 password 7 061207285F471A1817121307001D26242A2F23343100101911054251594743011614125757455E53595812591402595C091C15105F0E050025494F051E0A051B1F04093929313C2430230102110C0E524D57545B4F

returns:

thisisareallylongpasswordthatwouldnormallybreakmostdecodealgorithmsbutwearegoodtogo!

Code is all yours, don't even need attribution
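The key recovery and wrap-around decode described in the post above, generalized to any salt and any known-plaintext sample that runs past one key length, as an added example (not part of the original issue or the network_tech code). The function names are assumptions; the key and the 80-"a" sample string are copied from the post.

```python
import re

# The key and sample string are copied from the post above; names are illustrative.
KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
SAMPLE_80_A = (
    "08"
    "204D4F08180416130A0D052B2A2529323423120617020057585952550F02"
    "1917585956525354550A5A07065956051207055A0A070E"
    "204D4F08180416130A0D052B2A2529323423120617020057585952"
)


def parse_type7(value):
    """Split a type 7 string into (salt, ciphertext bytes); reject malformed input."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", value):
        raise ValueError("not a type 7 string")
    return int(value[:2]), bytes.fromhex(value[2:])


def decode_type7(value, key=KEY):
    """XOR byte i with key[(salt + i) % len(key)], so long passwords wrap."""
    salt, data = parse_type7(value)
    return "".join(chr(b ^ ord(key[(salt + i) % len(key)]))
                   for i, b in enumerate(data))


def recover_key(value, plaintext):
    """Rebuild the key from one sample whose plaintext is known.

    Assumes the sample is longer than the key, so the keystream repeats.
    """
    salt, data = parse_type7(value)
    if len(data) != len(plaintext):
        raise ValueError("plaintext length does not match ciphertext")
    stream = [b ^ ord(p) for b, p in zip(data, plaintext)]
    # The smallest shift at which the keystream matches itself is the key length.
    period = next((n for n in range(1, len(stream))
                   if stream[n:] == stream[:-n]), None)
    if period is None:
        raise ValueError("sample too short to expose the repetition")
    # stream[0] is key[salt]; rotate so the result starts at key[0].
    rot = (-salt) % period
    return "".join(chr(c) for c in stream[rot:period] + stream[:rot])


if __name__ == "__main__":
    print(recover_key(SAMPLE_80_A, "a" * 80))
    print(decode_type7("140713181F13253920"))
```
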

heyglen commented 5 years ago

Great stuff. merged your PR.

Thanks again.