[Full-disclosure] Update of ciscocrack.c

From: Jerome Poggi (Jerome.Poggi_at_hsc-labs.com)
Date: 09/29/05

    Date: Thu, 29 Sep 2005 19:00:14 +0200
    To: full-disclosure@lists.grok.org.uk
    
    
    

    Recently I tried to use ciscocrack to reveal some passwords protected with
    the CISCO xor algorithm, and I saw that some very long passwords could not be
    deciphered correctly.
    So I updated the xlat xor table from the original C file, and now it
    deciphers the PSK in CISCO WIFI routers correctly :-)

    Remember that it only works on:
      password 7,
      password-enable 7,
      ascii 7,
      key 7

    The original table was:
    char xlat[] = {
            0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
            0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
            0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44
    };

    can be found at PacketStorm
    http://packetstorm.linuxsecurity.com/Exploit_Code_Archive/ciscocrack.c

    Now the new one is:
    /* the 53-byte table from the IOS image, repeated twice (106 bytes) */
    char xlat[] = {
            0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
            0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
            0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
            0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36,
            0x39, 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76,
            0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b,
            0x3b, 0x66, 0x67, 0x38, 0x37,
            /* second copy */
            0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
            0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
            0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
            0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36,
            0x39, 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76,
            0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b,
            0x3b, 0x66, 0x67, 0x38, 0x37
    };

    It was extracted from an uncompressed binary image of IOS 12.2(8):

    0df4a70: 6473 6664 3b6b 666f dsfd;kfo
    0df4a80: 412c 2e69 7965 7772 6b6c 644a 4b44 4853 A,.iyewrkldJKDHS
    0df4a90: 5542 7367 7663 6136 3938 3334 6e63 7876 UBsgvca69834ncxv
    0df4aa0: 3938 3733 3235 346b 3b66 6738 3700 0000 9873254k;fg87...

    You can find the modified ciscocrack.c file attached.

    I also extended some buffers ... ;-)

    --
    Jerome POGGI                               Jerome.Poggi@hsc-labs.com
    Herve Schauer Consultants   -=-   Network security consultant, CISSP
    http://www.hsc.fr/                             Tel : +33 141 409 700
    
    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
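The post gives the recovered 53-byte table and the hex dump it came from but not a decoder that uses it. The following is an added example, written for this page and not the ciscocrack.c from the post: a Cisco type 7 ("password 7") decoder and a matching encoder built on the 53-byte table from the hex dump above. Instead of duplicating the table and enlarging buffers as the post does, it indexes the table modulo its length, so strings whose seed plus byte count exceeds 22 (the size of the original table) still decode. The function names, the `needs_extended_table` helper and the sample string `094F471A1A0A` (which decodes to "cisco") are mine, not from the post or from IOS documentation.

```c
/*
 * Cisco type 7 decoder/encoder (added example, not the ciscocrack.c from the post).
 * Format: two decimal digits of seed, then one hex pair per plaintext byte;
 * plaintext[i] = ciphertext[i] XOR xlat[(seed + i) % 53].
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 53-byte table from the IOS 12.2(8) dump in the post:
 * "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87" */
static const unsigned char xlat[] = {
    0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
    0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
    0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
    0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36,
    0x39, 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76,
    0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b,
    0x3b, 0x66, 0x67, 0x38, 0x37
};
#define XLAT_LEN     (sizeof xlat)   /* 53 */
#define OLD_XLAT_LEN 22              /* size of the original ciscocrack.c table */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode "SSHHHH..." into out (NUL-terminated). Returns the plaintext length,
 * or -1 on malformed input (odd length, bad seed, non-hex) or a too-small buffer. */
int cisco7_decode(const char *enc, char *out, size_t outlen) {
    size_t len = strlen(enc);
    if (len < 2 || len % 2 != 0) return -1;
    if (!isdigit((unsigned char)enc[0]) || !isdigit((unsigned char)enc[1])) return -1;
    int seed = (enc[0] - '0') * 10 + (enc[1] - '0');
    if (seed >= (int)XLAT_LEN) return -1;    /* IOS emits 0..15; >= 53 is not a valid offset */
    size_t n = (len - 2) / 2;
    if (n + 1 > outlen) return -1;
    for (size_t i = 0; i < n; i++) {
        int hi = hexval(enc[2 + 2 * i]), lo = hexval(enc[3 + 2 * i]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (char)(((hi << 4) | lo) ^ xlat[(seed + i) % XLAT_LEN]);
    }
    out[n] = '\0';
    return (int)n;
}

/* Encode plain with the given seed (IOS itself picks a seed in 0..15).
 * Returns the length of the encoded string, or -1 on bad seed / small buffer. */
int cisco7_encode(const char *plain, int seed, char *out, size_t outlen) {
    size_t n = strlen(plain);
    if (seed < 0 || seed > 15) return -1;
    if (2 + 2 * n + 1 > outlen) return -1;
    snprintf(out, outlen, "%02d", seed);
    for (size_t i = 0; i < n; i++)
        snprintf(out + 2 + 2 * i, 3, "%02X",
                 (unsigned)((unsigned char)plain[i] ^ xlat[(seed + i) % XLAT_LEN]));
    return (int)(2 + 2 * n);
}

/* 1 if decoding enc reaches past the original 22-byte table (seed + bytes > 22),
 * i.e. the case the post's longer table fixes; 0 otherwise; -1 if malformed. */
int needs_extended_table(const char *enc) {
    size_t len = strlen(enc);
    if (len < 2 || len % 2 != 0) return -1;
    int seed = (enc[0] - '0') * 10 + (enc[1] - '0');
    return seed + (int)((len - 2) / 2) > OLD_XLAT_LEN;
}

int main(int argc, char **argv) {
    char buf[256];
    /* constructed sample: seed 09, decodes to "cisco" */
    const char *enc = argc > 1 ? argv[1] : "094F471A1A0A";
    int n = cisco7_decode(enc, buf, sizeof buf);
    if (n < 0) { fprintf(stderr, "malformed type 7 string\n"); return 1; }
    printf("%s -> \"%s\"%s\n", enc, buf,
           needs_extended_table(enc) ? " (needed the 53-byte table)" : "");
    return 0;
}
```

Run it with a `password 7` / `key 7` value from a configuration as the first argument. Because the table is indexed modulo 53, a 40-byte PSK encoded with seed 15 (indices up to 54) round-trips correctly, which is exactly the long-password case that a 22-byte table cannot serve.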


