Date: Sun, 08 Feb 1998 18:37:16 +0000
From: Major Malfunction
Organization: The Church of The WibblyWobblyWeb
X-Mailer: Mozilla 4.04 [en] (Win95; I)
To: The Dark Tangent
Subject: CISCO - Pass the Password
DT,
Page is now up... can you link it on DEFCON?
(It has a handy little on-line version too...)
http://www.alcrypto.co.uk/cisco/
cheers,
MM
--
BobbyWrite (b), Whenever, Major Malfunction,
all Writes Reserved, all Wrongs Revenged.
No more Password Misery!!!
Useful Cisco Password
Utilities, or Uk! Pooh! for short
----------
All sorts of clever people have come up with these lovely utilities for
converting Cisco passwords into plain text. Here is a handy little
resource for those crucial moments when you just simply forgot to bring
your Unix box to the party...
What am I saying??? What I really meant was, some criminally insane
sociopaths have abused their positions of power/knowledge to subvert the
very fabric of society by wantonly spreading their evil lies and
dangerous propaganda, corrupting the innocent in droves along the way,
causing mass hysteria, chaos, panic in the streets, flood, famine,
pestilence, unwanted pregnancies etc. etc...
It falls to me, therefore, to expose their underground activities, for
the world to see, because only by learning their devious tricks can we
hope to ever get the better of them...
OK. So what are we actually talking about here? Well... A Cisco router is
one of those funny black boxes that sits in your server room, and
connects you to that Internet thingy. Cisco sell a *lot* of these boxes,
and a large percentage of the Internet is made up of them... They turn
over getting on for 8 Billion dollars, selling little black boxes, and,
since the security of your network is in part (and often completely)
dependent on them, they have taken careful steps to ensure that your
router is safe from that world of uninvited guests queuing at your
netstep... One of the ways they've protected you is by the use of
passwords. It is possible to provide a password to stop any Harry, Dick
or Tom from logging into your router and tweaking its configuration...
Since this password contains the keys to your netdom, they encrypt it for
added security. Again, since this key is so important, they spent several
minutes, possibly even hours, devising an encryption scheme that makes
your password completely safe from prying eyes (rather than spending any
of those nice dollars on licensing some strong crypto)... This encryption
scheme is so secure that it was reputedly cracked during a casual
conversation over a cup of coffee in a fast-food restaurant, and the
algorithm noted down on a napkin. The algorithm is now widely known, and
several versions of the cracker have been published. In addition to the
cracker itself, you will also need to know how to get the encrypted
password out of the Cisco in the first place, and that is what we are
going to look at now:
As every little schoolthang knows, every good adventure starts with a
map/secret message/tunnel/high class hooker/etc., and this is no
exception... We have a secret message AND a back door... First we must
obtain the secret message - to do this, you'll need to have physical
access to the Cisco. The simplest way is to phone your ISP and tell
him/her/geek that you are moving some stuff around in the server room,
and need to power it off for a bit. Once it's powered off, follow these
steps very carefully...
1. Disconnect the network connection (you wouldn't want your
ISPBitch logging in to see what you were up to, now would you...?)
2. Connect your notebook/pc/Cray/aleph to the 'Console' port. This is an
RJ45 style connector on the back of your Cisco providing Serial (RS232)
data. Don't plug anything else into it! I have blown up perfectly good
Ciscos by accidentally plugging ISDN/Network into these (still not sure
which - and I can't afford to find out!).
3. Fire up HyperTerm or your favourite comms proggy (at 9600,n,8,1),
switch logging on, and power up the Cisco.
You should see it booting up:
System Bootstrap, Version 5.2(5), RELEASE SOFTWARE
Copyright (c) 1986-1994 by cisco Systems
2500 processor with 1024 Kbytes of main memory
Send an ESC or BREAK signal (CTL-Break in Hyperterm), and you should see
something like:
Abort at 0x10E7EBA (PC)
Followed by a '>' prompt...
4. type ' prompt (Note: If you find that it still boots up as normal, you probably didn't hit 'Break' fast enough... You have to catch it good and
early before it's copied the stored configuration into boot RAM).
6. type enable
The 'Router>' prompt should now change to 'Router#' and you've rooted your router!
7. type sh conf
You'll now get some pages of configuration... just hit the space bar
whenever you get a '--More--' prompt, until you get back to the Router# prompt.
You've now got all the data you need, so we can put the router back how
we found it:
8. type conf term
9. type config-register 0x2102
10. type exit
11. disconnect from the Cisco, reconnect the network and power
cycle it (switch it off and on, dummy!).
Your log file should now contain a complete dump of the
Cisco... simply find the encrypted entries (they will look something like
' enable password 7 14341B180F0B187875212766'), cut and paste them into
the field below and hit the Cisco logo, or process them yourself using the programs provided. Enjoy.
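As an added example (not code from this page or from any of the crackers it links to), here is a Python audit that walks a captured config dump for the 'password 7' entries described above and shows why they are only obfuscated. The key string is the long-published type-7 key; the sample config is constructed, with its first entry taken from the page's own example.

```python
import re

# Public key stream of Cisco's type-7 ("service password-encryption") scheme: each
# hex pair after the 2-digit seed is a plaintext byte XORed with one key byte.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string such as the page's '14341B180F0B187875212766'."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a well-formed type 7 password")
    seed = int(encoded[:2])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(bytes.fromhex(encoded[2:]))).decode("latin-1")

# Where a dump carries type-7 values: enable password, local users, line passwords.
_TYPE7_LINE = re.compile(
    r"^[ \t]*(?P<ctx>enable password|username \S+ password|password) 7 "
    r"(?P<hex>[0-9A-Fa-f]+)[ \t]*$", re.M)

# Non-reversible replacement for each kind of entry.
_FIX = {"enable": "enable secret", "username": "username ... secret",
        "password": "login local with a username secret"}

def audit_config(config: str) -> list:
    """One finding per reversible password in a config dump."""
    findings = []
    for m in _TYPE7_LINE.finditer(config):
        try:
            plain = decode_type7(m.group("hex"))
        except ValueError:
            continue  # malformed value after 'password 7'; nothing to report
        ctx = m.group("ctx")
        findings.append({"context": ctx, "encoded": m.group("hex"),
                         "decoded": plain, "fix": _FIX[ctx.split()[0]]})
    return findings
# Constructed sample dump (not a real device): the first type-7 value is the
# page's own example, the other two are the well-known encoding of 'cisco'.
SAMPLE_CONFIG = """\
hostname Router
enable password 7 14341B180F0B187875212766
enable secret 5 $1$PLACEHOLDER$notarealhash
username admin password 7 060506324F41
line vty 0 4
 password 7 060506324F41
 login
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['context']}: {f['encoded']} -> {f['decoded']!r}; use {f['fix']}")
```

The 'enable secret' line in the sample is deliberately left alone: it is an MD5-style hash, not a type-7 string, and is the replacement the audit recommends.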
----------
Original source code:
SPHiXe's 'C' version: ciscocrack.c
Riku Meskanen's perl version: ios7decrypt.pl
BigDog's Psion 3/5 OPL version: cisco.opl
Major Malfunction's Palm-Pilot 'C' port: ciscopw_1-0.zip
Mudge's description of what's going on (and some credits): mudge.txt
----------
BobbyRite (b) 1997,8, Major Malfunction, All Writes Reversed, all Wrongs degneveR.