HSC
Network Security Consulting Agency Since 1989 - Specialized in Unix, Windows, TCP/IP and Internet
 Text mode: access to the page content
Hervé Schauer Consultants
You are here: Home > Resources > Tips > PIX password cracker
Search:  
 Version française
   Services   
o Skills & Expertise
o Consulting
o ISO 27001 services
o Vulnerabilities monitoring
o Audit & Assessment
o Penetration tests
o Vunerability assessment (TSAR)
o Forensics
o Training courses
o E-learning
   Conferences   
o Agenda
o Past events
o Tutorials
   Resources   
o Thematic index
o Tips
o Lectures
o Courses
o Articles
o Tools (download)
o Vulnerability watch
   Company   
o Hervé Schauer
o Job opportunities
o Credentials
o History
o Partnerships
o Associations
   Press and
 communication 		  
o HSC Newsletter
o Press review
o Press releases
o Publications
   Contacts   
o How to reach us
o Specific inquiries
o Directions to our office
o Hotels near our office
|>|PIX password cracker  

by Nicolas Jombart (07/01/2004) 



PIX password cracker

An advisory about Cisco PIX password encryption weakness was 
published on june 2002 : http://www.oxid.it/downloads/pix_passwd.txt

It was very easy with this to write a small tool useful when a
password is lost :

% cat dico
britney
Bonjour1
hsc
matrix

% john -w:dico -rules -stdout | ./pix_crack YtT8/k6Np8F1yz2c -
words: 155  time: 0:00:00:00 100%  w/s: 6613  current: Matrixing
YtT8/k6Np8F1yz2c -> hsc

To get the code from the web page :
% w3m -dump http://www.hsc.fr/ressources/breves/pix_crack.html | \ 
  awk '/==(CUT)==/,/==STOP==/' | sed -e 's/^.\{21\}//'

/* ==CUT== */
/*
Copyright (c) 2002-2003 Herve Schauer Consultants
Nicolas Jombart <Nicolas.Jombart(@)hsc.fr>

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
   derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __FreeBSD__
#include <md5.h>
#else
#include <openssl/md5.h>
#endif
#include <string.h>

/* Sat Jul 19 2003 HSC

   Ported out of FreeBSD (need OpenSSL - only tested under Linux) :
   Denis Ducamp <Denis.Ducamp(@)hsc.fr>
	gcc -Os -s -Wall -ansi -pedantic pix_crack.c -o pix_crack -lcrypto

   While it should always work under FreeBSD :
	cc pix_crack.c -lmd -lcrypt

   my_crypt_to64 is _crypt_to64 from /src/lib/libcrypt/misc.c FreeBSD

   To test, you can try  YtT8/k6Np8F1yz2c -> hsc
*/

/*
 * $Id: pix_crack.tip,v 1.4 2004/04/08 17:12:36 jombart Exp $
 * $RCS: pix_crack.c,v 1.5 2002/06/29 16:02:47 ecu Exp ecu $
 */

#ifdef __FreeBSD__
#define MD5_Init          MD5Init
#define MD5_Update        MD5Update
#define MD5_Final         MD5Final
#define my_crypt_to64     _crypt_to64
#define MD5_DIGEST_LENGTH 16
#else
static char itoa64[] =          /* 0 ... 63 => ascii - 64 */
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

void
my_crypt_to64(char *s, unsigned long v, int n)
{
        while (--n >= 0) {
                *s++ = itoa64[v&0x3f];
                v >>= 6;
        }
}
#endif

/* plaintext -> pix encrypted password
 * see http://www.securiteam.com/securitynews/5FP0P0A7FM.html
 */
void chiffre(char *hash, const char *word) {

  MD5_CTX ctx;
  unsigned char final[MD5_DIGEST_LENGTH+1];
  static char cisco_encoded [MD5_DIGEST_LENGTH+1];
  char *p;

  memset(cisco_encoded, 0, MD5_DIGEST_LENGTH+1);
  MD5_Init(&ctx);
  MD5_Update(&ctx, (unsigned char *) word, MD5_DIGEST_LENGTH);
  MD5_Final(final, &ctx);

  p = hash;
  my_crypt_to64(p, *(unsigned long *) (final+0), 4); p += 4;
  my_crypt_to64(p, *(unsigned long *) (final+4), 4); p += 4;
  my_crypt_to64(p, *(unsigned long *) (final+8), 4); p += 4;
  my_crypt_to64(p, *(unsigned long *) (final+12), 4); p += 4;
  *p  = '\0';
}

int main(int argc, char **argv) {

  char hash[MD5_DIGEST_LENGTH+1];
  char mot[MD5_DIGEST_LENGTH+1];
  char *tmp;
  FILE *dict;
  int i, j, found = 0;

  if(argc != 3) { 
    printf("Usage : %s hash dict_file\n", argv[0]);
    exit(-1);
  }

  if(strcmp(argv[2], "-")) {
    dict = fopen(argv[2], "r");
    if(!dict) { perror(argv[2]); exit(0); }
  } else {
    dict = stdin;
  }

  while(fgets(mot, MD5_DIGEST_LENGTH+1, dict)) {
    /* erase newline and fill with zeros */
    for(tmp=mot;*tmp;tmp++) if(*tmp=='\n') *tmp='\0';
    for(i=0;mot[i];i++); for(j=i+1;j<MD5_DIGEST_LENGTH;j++) mot[j]='\0';
    /* calc hash and compare */
    chiffre(hash, mot);
    if(!strncmp(hash, argv[1], MD5_DIGEST_LENGTH)) { found = 1; break; }
  }

  if(found) printf("%s -> %s\n", hash, mot);
  fclose(dict);
  exit(1);

}
/* ==STOP== */
Last modified on 30 Mars 2006 at 19:27:36 CET - webmaster@hsc.fr
Information on this server - © 1989-2010 Hervé Schauer Consultants