<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2769" name=GENERATOR></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Tahoma">
<DIV>Here is a link to the tool that will decrypt both passwords.</DIV>
<DIV>Cisco is aware, but their fix was to upgrade to the new client.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>To: <A href="mailto:full-disclosure@lists.grok.org.uk">full-disclosure@lists.grok.org.uk</A> <BR>Cc: <A href="mailto:bugtraq@securityfocus.com">bugtraq@securityfocus.com</A> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Dear List,</DIV>
<DIV> </DIV>
<DIV>[1] heise published a news article today.<BR>[2] EvilScientists reverse engineered the algorithm Cisco uses to<BR>_obfuscate_ the<BR> passwords.<BR>[3] PoC</DIV>
<DIV> </DIV>
<DIV>Summary :<BR>Cisco uses 3des to encrypt the passwords, however it does so using<BR>a deterministic encryption scheme (no user input) and thus must be<BR>reproducible.</DIV>
<DIV> </DIV>
<DIV>The algorithm [2] found was as follows :</DIV>
<DIV> </DIV>
<DIV>* GetDate - convert to string<BR>* Generate an SHA Hash from that string h1 (20 Bytes)<BR>* h1 is modified into Hash h2<BR>* h1 is modified into Hash h3<BR>* h2 and the first 4 Bytes from h3 give the 3DES Key<BR>* The clear text password is now encrypted in 3DES CBC Mode. The IV is the<BR>first 8 Bytes of h1.<BR>* If the size of the clear text password is not a multiple of the<BR> Block size, the difference to the next block is calculated and padded<BR> with a Digit. -> length of password is known<BR>* A last hash is calculated from the encrypted Password h4<BR>* The value of the Key "enc_UserPassword" is: h1|h4|encrypted password</DIV>
<DIV> </DIV>
<DIV>Credits:<BR>[1] <A href="http://www.heise.de/newsticker/meldung/64954">http://www.heise.de/newsticker/meldung/64954</A> <BR>[2] <A href="http://evilscientists.de/blog/?page_id=339">http://evilscientists.de/blog/?page_id=339</A> <BR>[3] <A href="http://www.evilscientists.de/blog/?dl=CiscoPasswordRevealer.rar">http://www.evilscientists.de/blog/?dl=CiscoPasswordRevealer.rar</A> <BR><BR></DIV></BODY></HTML>
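Added example, not part of the original message or of the linked tool: a defender-side audit that finds stored "enc_UserPassword" values in a profile and splits each into the h1|h4|ciphertext layout listed above, without decrypting anything. Assumptions: the value is hex-encoded on a key=value line, h4 is SHA-1 over the ciphertext, and the sample profile is constructed.

```python
import hashlib

SHA_LEN = 20   # h1 and h4 are 20-byte hashes
BLOCK = 8      # 3DES block size in bytes


def inspect_enc_password(hex_value):
    """Split h1 | h4 | ciphertext and report what the stored value exposes."""
    raw = bytes.fromhex(hex_value.strip())
    if len(raw) < 2 * SHA_LEN + BLOCK:
        raise ValueError("value too short for h1|h4|ciphertext")
    h1, h4, ct = raw[:SHA_LEN], raw[SHA_LEN:2 * SHA_LEN], raw[2 * SHA_LEN:]
    if len(ct) % BLOCK:
        raise ValueError("ciphertext is not a whole number of 3DES blocks")
    return {
        "iv": h1[:BLOCK],  # the IV is stored in the clear with the value
        # Assumption: h4 is SHA-1 of the ciphertext (the message only says "hash").
        "integrity_ok": hashlib.sha1(ct).digest() == h4,
        "blocks": len(ct) // BLOCK,
        # Padding only fills up to the next block, so the length is bounded.
        "password_len_range": (len(ct) - BLOCK + 1, len(ct)),
    }


def audit_profile(text):
    """Return (line_number, report) for every non-empty enc_UserPassword entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "enc_userpassword" and value.strip():
            findings.append((n, inspect_enc_password(value)))
    return findings


def constructed_sample():
    """Constructed profile text; the 'ciphertext' is placeholder bytes, not 3DES output."""
    h1 = hashlib.sha1(b"constructed date string").digest()
    ct = bytes(range(16))
    h4 = hashlib.sha1(ct).digest()
    return "[main]\nUsername=alice\nenc_UserPassword=" + (h1 + h4 + ct).hex().upper() + "\n"


if __name__ == "__main__":
    for line_no, report in audit_profile(constructed_sample()):
        print(f"line {line_no}: stored reversible password, "
              f"length {report['password_len_range']}, hash ok={report['integrity_ok']}")
```

Every input to the key derivation (h1) travels inside the stored value, so any profile this audit flags should be treated as holding a recoverable password.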