12 replies to this topic

[rakshit]

Are the PIX passwords encrypted using a reversible algorithm? , if so .. what can i use to decrpyt it.


Please suggest me some good PIX password crackers

[duper]

Did you try this:

http://www.oxid.it/cpfpc.html

[rakshit]

I need a PIX password decryptor for eg a cisco PIX password i found was : 7Y051HhCcoiRTSQZ

Now i want to dicipher it to get the clear text password.


ALso i wanna know what sort of encryption does PIX firewalls ........ intake .. i.e. do they have MD5 encryption or DES encryption etc etc

[jabzor]

I need a PIX password decryptor for eg a cisco PIX password i found was : 7Y051HhCcoiRTSQZ

Now i want to dicipher it to get the clear text password.


ALso i wanna know what sort of encryption does PIX firewalls ........ intake .. i.e. do they have MD5 encryption or DES encryption etc etc

http://www.oxid.it/d.../pix_passwd.txt .. for part a, as already given above.
For the second part of the question, you are too vague - they support md5, des, aes, etc .. depends on the version and what you are looking to do.

[rakshit]

Lines drawn out from a PIX firewall config file


:
PIX Version 6.0(1) ------ PIXµ±Ç°µÄ²Ù×÷ϵͳ°æ±¾Îª6.0
Nameif ethernet0 outside security0
Nameif ethernet1 inside security100 ------ ÏÔʾĿǰpixÖ»ÓÐ2¸ö½Ó¿Ú
Enable password 7Y051HhCcoiRTSQZ encrypted
Passed 7Y051HhCcoiRTSQZ encrypted ------ pix·À»ðǽÃÜÂëÔÚĬÈÏ״̬ÏÂÒѱ»¼ÓÃÜ£¬ÔÚÅäÖÃÎļþÖв»»áÒÔÃ÷ÎÄÏÔʾ£¬telnet ÃÜÂëȱʡΪcisco
Hostname PIX525 ------ Ö÷»úÃû³ÆΪPIX525
Domain-name 123.com ------ ±¾µØµÄÒ»¸öÓòÃû·þÎñÆ÷123.com£¬Í¨³£ÓÃ×÷


Now tell me .. in which encryption the password is based .. md5 , des or something else

[jabzor]

http://c3rb3r.openwall.net/mdcrack/ or use Cain


Here, output from setting one of my pix with the passwd and enable pass 'cisco':

# Authorized Users Only! #
Type help or '?' for a list of available commands.
FW0> en
Password:
FW0# conf t
FW0(config)# enable pass cisco
FW0(config)# password cisco
FW0(config)# wr mem
Building configuration...
Cryptochecksum: 3546179b b76ad681 3f591c5b e17016aa

1481 bytes copied in 1.200 secs (1481 bytes/sec)
[OK]
FW0(config)# end
FW0# show conf | incl encrypted
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

and cracking the hash on an old P4:

C:\MDCrack-183\MDCrack-sse.exe 2KFQnbNIdI.2KYOU

System / Starting MDCrack v1.8(3)
System / Running as C:\MDCrack-183\MDCrack-sse.exe 2KFQnbNIdI.2KYOU
System / Charset is: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
System / Detected processor(s): 1 x INTEL Pentium IV | MMX | SSE | SSE2
System / Detected hash format: PIX-E
System / Target hash: 2KFQnbNIdI.2KYOU
System / >> Using PIX Enable cores: maximal candidate/user salt size: 16/54 bytes
Info / Press ESC for available runtime shortcuts (Ctrl-c to quit)
Info / Thread #0: >> Using Core 1
Info / Thread #0: Candidate size: 1 ( + user salt: 0 )
Info / Thread #0: Candidate size: 2 ( + user salt: 0 )
Info / Thread #0: Candidate size: 3 ( + user salt: 0 )
Info / Thread #0: Candidate size: 4 ( + user salt: 0 )
Info / Thread #0: Candidate size: 5 ( + user salt: 0 )
----------------------------------------------------------/ Thread #0 (Success)\----
System / Thread #0: Collision found: cisco
Info / Thread #0: Candidate/Hash pairs tested: 222 433 622 ( 2.22e+008 ) in 43s 812ms
Info / Thread #0: Allocated key space: 4.85e+028 candidates, 0.00% done
Info / Thread #0: Average speed: ~ 5 076 944 ( 5.08e+006 ) h/s

System / Detected hash format: PIX-E
System / Thread #0: Collision found: cisco

Edited by jabzor, 18 August 2008 - 05:18 PM.

[rakshit]

im working with MDCrack ... for past two days....... and my stats so far:



System / Starting MDCrack v1.8(3)
System / Running as mdcrack M☺☻
System / Resuming saved session: "C:\Documents and Settings\********\Applicatio
n Data\MDCrack\latest.mds"
{
File creation date 08/19/2008 00:12
File last modified 08/19/2008 03:53
Hash 7Y051HhCcoiRTSQZ
Last candidate yMDY&6a
Candidate max size 16
Candidate/hash max pairs 0
Charset abcdefghijklmnopqrstuvwxyz0123456789ABCDEF
GHIJKLMNOPQRSTUVWXYZ~!@##$%&*()[];',
Salt (prepended) <none>
Salt (appended) <none>
Hash algorithm PIX Enable
All collisions no
User Account <none>
HMAC Message <none>
Salt <none>
}


System / Charset is: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVW
XYZ~!@#$%&*()[];',
System / Detected processor(s): 2 x INTEL Itanium | MMX | SSE | SSE2
System / Target hash: 7Y051HhCcoiRTSQZ
System / >> Using PIX Enable cores: maximal candidate/user salt size: 16/54 byte
s
Info / Press ESC for available runtime shortcuts (Ctrl-c to quit)
Info / Thread #0: >> Using Core 1
Info / Thread #1: >> Using Core 1
Info / Thread #0: Candidate size: 7 ( + user salt: 0 )
Info / Thread #1: Candidate size: 7 ( + user salt: 0 )


I just wanna know if im using the correct hash to go about with MDCrack................ caz im bruteforcing this hash with 2 days now... and with modified charset as u can see

Does MDCrack crack all passwords for all PIX version or it depends on something else...

[jabzor]

It appears that you haven't yet completed the 16byte char the mdcrack sets aside, if they made the enable password really long you're basically not going to crack it anytime soon.
The pix hashes should be the same for every version, unless they were running cisco 7 or whatever other hashing in some far earlier version in which case they wouldn't be detected as pix-e and you could use cis7.exe that comes with mdcrack, or any number of online crackers.

Edited by jabzor, 18 August 2008 - 06:58 PM.

[rakshit]

C:\Documents and Settings\plzbrasdi>cis7 7Y051HhCcoiRTS


( Error ) Unrecognized ciphertext format.


Probably............ the pix password is kept long, so it is taking time.


By the way am i doing bruteforcing correctly! for PIX cracking ?
i dont mind waiting.... to get the result!

[rakshit]

Thanks jabzor .. u been a gr8 help!

[jabzor]

What did it finally end up as?

[rakshit]

I found two PIX firewall configs....... while i was analyzing both of them............. i found some difference in their password ... section


PIX1: Enable password 7Y051HhCcoiRTSQZ encrypted
Passed 7Y051HhCcoiRTSQZ encrypted ------ ->(2)




PIX2: enable password GT7rQihWFevPs4V8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted ->(2)

what are those italic lines ... are they some sort of a salt ... or something else

cud u explain me the differnce in line (1) and (2) one being the same as in Enable password and some having different encryption.

[mecca_]

cud u explain me the differnce in line (1) and (2) one being the same as in Enable password and some having different encryption.

I'm not sure how much this varies between each encryption mechanism, but usually the first 2 or so characters in an encrypted hash are the salt. The two hashes are different because the salt is different. The actual results can be exactly the same.

Here is a quick ( and ugly ) example:

#!/usr/bin/perl -w
use strict;
for(my $i = 0; $i < 20; $i++){
	my $enc = &crypto;
	print "$enc\n";
}
sub crypto
{
	my @salt_chars = ('a'..'z','A'..'Z','0'..'9');
	my $salt = $salt_chars[rand(63)] . $salt_chars[rand(63)];
	$_ = crypt("blah", "$salt");
}

mecca@genome:~$ perl test.pl 
39VlenLEtpbHA
kxaJwc2bjWb9c
1bkn/HJU35K7c
iwEv3.xsfCL9g
6mH93tCPDlhwI
ny.vElCSkhKpc
lSDTQgeJQ3wpk
8fGh/j83Asy9I
PCn1hzKExxRzM
bREDC2tJgwAJM
zWVw/zA1JYtfI
p0WaNonKb9bls
G16/qAPjs7.tU
oDkjjnhmXxelI
Z3OWh01KM5BUk
eWLS3NpO9B3qY
et.0Vw0eHLnr6
P6NMQ3KXbaDSU
69fMlyCVIwmtw
TbmV05JKbG7yQ

I used crypt to make a hash of the word "blah." While each of those hashes are completely different, their encrypted value is exactly the same.

Edited by mecca_, 31 August 2008 - 01:10 PM.