Perl Script That Takes Cisco Type 7 Hash And Returns The Password:
#!/usr/bin/perl
use File::Copy;
############################################################################
# Vigenere translation table
############################################################################
@V=(0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39,
0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33,
0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37);
############################################################################
############################################################################
# Usage guidelines
############################################################################
if ($ARGV[0] eq ""){
print "This script reveals the IOS passwords obfuscated using the Vigenere algorithm.n";
print "n";
print "Usage guidelines:n";
print " cdecrypt.pl 04480E051A33490E # Reveals a single passwordn";
print " cdecrypt.pl running-config.rcf # Changes all passwords in a file to cleartextn";
print " # Original file stored with .bak extensionn";
}
############################################################################
# Process arguments and execute
############################################################################
if(open(F,"<$ARGV[0]")){ # If argument passed can be opened then convert a file
open(FO,">cdcout.rcf") || die("Cannot open 'cdcout.rcf' for writing ($!)n");
while(<F>){
if (/(.*passwords)(7s)([0-9a-fA-F]{4,})/){ # Find password commands
my $d=Decrypt($3); # Deobfuscate passwords
s/(.*passwords)(7s)([0-9a-fA-F]{4,})/$1$d/; # Remove '7' and add cleartext password
}
print FO $_;
}
close(F);
close(FO);
copy($ARGV[0],"$ARGV[0].bak")||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'");
copy("cdcout.rcf",$ARGV[0])||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'");
unlink "cdcout.rcf";
}else{ # If argument passed cannot be opened it is a single password
print Decrypt($ARGV[0]) . "\n";
}
############################################################################
# Vigenere decryption/deobfuscation function
############################################################################
sub Decrypt{
my $pw=shift(@_); # Retrieve input obfuscated password
my $i=substr($pw,0,2); # Initial index into Vigenere translation table
my $c=2; # Initial pointer
my $r=""; # Variable to hold cleartext password
while ($c<length($pw)){ # Process each pair of hex values
$r.=chr(hex(substr($pw,$c,2))^$V[$i++]); # Vigenere reverse translation
$c+=2; # Move pointer to next hex pair
$i%=53; # Vigenere table wrap around
} #
return $r; # Return cleartext password
}
The script is very easy to use as shown in the below example. You just type “perl cisco7decode.pl HASH-HERE” where HASH-HERE is the actual has and cisco7decode.pl is a file you create with the above code pasted in it.
Example Using cisco7decode.pl Perl Script To Crack Cisco Type 7 Passwords:
[root@localhost perl_script]# perl cdecrypt.pl 04480E051A33490E
secure
As you can see the above Cisco Type 7 password hash of 04480E051A33490E represents a password of “secure” without the quotes. I think you will be surprised at how quickly the passwords are returned. It is fairly amazing that this type of security was ever used by a company such as Cisco.
