Decrypting Cisco type 5 password hashes

Update #2: This article has been updated over athttp://retrorabble.wordpress.com/2013/10/12/cracking-cisco-password-hashes-part-2/

UPDATE:  See bottom of post for a way to run MD5 cracking on Linux

Well, I managed to find this information out by phoning Cisco directly, and since most of the information on this subject seems to be either plain wrong or incomprehensible rubbish spouted by people with no idea what checking up on facts or cross referencing is, I’ve decided to share my knowledge here:

Cisco type 5 passwords are based on FREEBSD’s MD5 function with a SALT included to make life harder; however, as a typical type 5 password also includes the SALT, it does tend to defeat the purpose of SALTing values.  For example:

enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

 

Let’s break that down:

enable secret 5     This tells us that the password is an MD5 SALTed password.

$1$     Tells us that yes, it really is a SALTed MD5 password

mERr     This is our SALT.  From here, we can use a program to crack the MD5 hash  I have used http://www.darknet.org.uk/2009/07/crack-pl-sha1-md5-hash-cracking-tool/

hx5rVt7rPNoS4wqbXKX7m0     And this is our MD5 hash

PS: I found that password hash using the Googledork: inurl:startup-config “enable secret 5″

Update: After some discussion with another member of my local LUG, we managed to get BarsWF MD5 (http://3.14.by/en/md5) cracker running under Wine.  This is a 3 stage process

1.) Grab a copy of BarsWF (if you have CUDA, yuo will need to run it under Windows, unless you want to port it to Linux.  I couldn’t get the 64 bit binary running under Wine, so ran with the x86 edition.

2.) You need a cisco type 5 password hash, of course, you already own a cisco device and have generated a SALTed MD5 hash for educational purposes, right..?  Let’s assume mine is hx5rVt7rPNoS4wqbXKX7m0

Next, we have to convert the password string into a base64 encoded string.  I usehttp://www.motobit.com/util/base64-decoder-encoder.asp But had to change the character set to windows-1250 which gave me the stringaHg1clZ0N3JQTm9TNHdxYlhLWDdtMA== now, we can attempt a brute force on it.

3.) Now, all we need to do is force the issue:

retrorabble@Lisa[~]$ BarsWF_SSE2_x32.exe -c 0aA~ -h aHg1clZ0N3JQTm9TNHdxYlhLWDdtMA==

4.) If you are on Linux and use CUDA (or whatever ATI calls it) have a look athttp://www.networkworld.com/community/node/43721 or if you realy want to push the envelope: http://hashcat.net/hashcat/ expect hashcat to feature in a future posting as it seems to be what I am looking for (i.e. a multi-threaded, multi core, non GPU, bruteforcer for salted MD5 passwords).

 

Some time ago, I wrote a blog post about cracking Cisco type 5 passwords. This seems to have generated quite a fuss online, and is referenced by many security blogs and other commentators.

Well, it’s now 2013, and GPU graphics cards can be bought for as little as £25 in town. So I have now splashed out on an Nvidia GeForce 210 with 1024MB RAM. If you are really serious about cracking passwords with CUDA, I would suggest trying to stretch the budget to 2 cards. I went for an AGP card, but will be adding a PCI card soon.

Once you have installed the card physically, the next part is making the drivers work correctly. I am currently using a server which has some X11 libraries installed, but boots into runlevel 3 as it is a server.

Installing the card:

knightmare@vmserver:[~/cuda]$ chmod +x ./NVIDIA-Linux-x86_64-319.17.run
knightmare@vmserver:[~/cuda]$ sudo apt-get remove --purge nvidia*
knightmare@vmserver:[~/cuda]$ sudo reboot -n
knightmare@vmserver:[~/cuda]$ sudo ./NVIDIA-Linux-x86_64-319.17.run


This may need to be re-run on a kernel upgrade. So keep the installer around to be on the safe side.

Using it:

For testing purposes, I decided to use openssl to generate a password:

knightmare@vmserver:[~/cuda]$ wget http://hashcat.net/files/oclHashcat-plus-0.15.7z
knightmare@vmserver:[~/cuda]$ 7za x http://hashcat.net/files/oclHashcat-plus-0.15.7z
knightmare@vmserver:[~/cuda]$ openssl passwd -salt `openssl rand -base64 3` -1 "Cisco" | tee switch.txt
knightmare@vmserver:[~/cuda]$ ./cudaHashcat-plus64.bin -a 3 -m 500 --increment --increment-min=5 --increment-max=5 switch.txt -1 ?l?d?u ?1?1?1?1?1?1?1?1?1?1 --force


cudaHashcat-plus v0.15 by atom starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 64 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce 210, 1023MB, 1238Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0500.sm_12.64.ptx
Device #1: Kernel ./kernels/4318/markov_le_plus_v1.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx

$1$iIE+$n4xAbruNLv1rGue/ONSPH.:Cisco

Session.Name...: cudaHashcat-plus
Status.........: Cracked
Input.Mode.....: Mask (?1?1?1?1?1) [5]
Hash.Target....: $1$iIE+$n4xAbruNLv1rGue/ONSPH.
Hash.Type......: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Started...: Sat Oct 12 11:10:00 2013 (9 mins, 43 secs)
Speed.GPU.#1...: 28208 H/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 16465920/916132832 (1.80%)
Rejected.......: 0/16465920 (0.00%)
HWMon.GPU.#1...: -1% Util, 67c Temp, -1% Fan

Started: Sat Oct 12 11:10:00 2013
Stopped: Sat Oct 12 11:19:43 2013

As you can see, a single CPU can make short work of a 5 character password. In my experience, most password are less than 8 characters are usually lowercase. Although, this is a minor point as CUDA can use a mask attack to guess almost any password within a 7 day time frame.

Given that most corporate IT policies require a password change every 30 days, this still gives a minimum of 22 days for a hacker’s window of opportunity. Passwords should always be considered one line of defence, not the only line of defence.

Update: 13 October 2013

I’ve now added a second Ge-Froce 210 to the mix. Running the same command gives me:

knightmare@vmserver:[~/cuda]$ ./cudaHashcat-plus64.bin -a 3 -m 500 --increment --increment-min=5 --increment-max=5 switch.txt -1 ?l?d?u ?1?1?1?1?1?1?1?1?1?1 --force
cudaHashcat-plus v0.15 by atom starting...


Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 64 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce 210, 1023MB, 1238Mhz, 2MCU
Device #2: GeForce 210, 1023MB, 1238Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0500.sm_12.64.ptx
Device #1: Kernel ./kernels/4318/markov_le_plus_v1.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx
Device #2: Kernel ./kernels/4318/m0500.sm_12.64.ptx
Device #2: Kernel ./kernels/4318/markov_le_plus_v1.64.ptx
Device #2: Kernel ./kernels/4318/bzero.64.ptx


[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
$1$fzXQ$mcngG/JU0gHZAWGKTbJfZ0:cisco


Session.Name...: cudaHashcat-plus
Status.........: Cracked
Input.Mode.....: Mask (?1?1?1?1?1) [5]
Hash.Target....: $1$fzXQ$mcngG/JU0gHZAWGKTbJfZ0
Hash.Type......: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Started...: Sun Oct 13 14:54:09 2013 (4 mins, 59 secs)
Speed.GPU.#1...:    28275 H/s
Speed.GPU.#2...:    28061 H/s
Speed.GPU.#*...:    56336 H/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 16465920/916132832 (1.80%)
Rejected.......: 0/16465920 (0.00%)
HWMon.GPU.#1...: -1% Util, 62c Temp, -1% Fan
HWMon.GPU.#2...: -1% Util, 54c Temp, -1% Fan


Started: Sun Oct 13 14:54:09 2013
Stopped: Sun Oct 13 14:59:13 2013
knightmare@vmserver:[~/cuda]$

This was achived for approx £50 and by purchasing two low end NVidia cards from my local Computer shop. If you are really serious about this sort of thing, it pays to get a server and buy some fancier CUDA aware graphics cards



--------------------------------

一种简单的密码散列技术,胜于直接散列。
我们知道,如果直接对密码进行散列,那么黑客(统称那些有能力窃取用户数据并企图得到用户密码的人)可以对一个已知密码进行散列,然后通过对比散列值得到某用户的密码。换句话说,虽然黑客不能取得某特定用户的密码,但他可以知道使用特定密码的用户有哪些。
加Salt可以一定程度上解决这一问题。所谓加Salt,就是加点“佐料”。其基本想法是这样的——当用户首次提供密码时(通常是注册时),由系统自动往这个密码里撒一些“佐料”,然后再散列。而当用户登录时,系统为用户提供的代码撒上同样的“佐料”,然后散列,再比较散列值,已确定密码是否正确。
这里的“佐料”被称作“Salt值”,这个值是由系统随机生成的,并且只有系统知道。这样,即便两个用户使用了同一个密码,由于系统为它们生成的salt值不同,他们的散列值也是不同的。即便黑客可以通过自己的密码和自己生成的散列值来找具有特定密码的用户,但这个几率太小了(密码和salt值都得和黑客使用的一样才行)。
值得注意的是,lm算法(老算法了,但现在还在用)中就是不加料的

http://www.2cto.com/Article/201311/256680.html

你可能感兴趣的:(安全,总结,参考,文档)