mailing list archives
Ciscos VPN-Client-Passwords can be decrypted
From: Thierry Zoller <Thierry () sniff-em com>
Date: Sun, 16 Oct 2005 21:28:41 +0200
 heise published a news article today.
 EvilScientists reverse engineered the algorithm Cisco uses to _obscufate_ the
Cisco uses 3des to encrypt the passwords, however it does so using
a deterministic encryption sheme (no user input) and thus must be
The algorithm  found was as follows :
* GetDate - convert to string
* Generate an SHA Hash from that string h1 (20 Bytes)
* h1 is modified into Hash h2
* h1 is modified into Hash h3
* h2 and the first 4 Bytes from h3 give the 3DES Key
* The clear text password no encrypted in 3DES CBC Mode. The IV is the first 8 Bytes of h1.
* If the size of the clear text password is not a multiple of the
Block size, the differece to the next block is calculcated and padded
with a Digit. -> length of password is known
* A last hash is calculated from the encrypted Password h4
* The value of the Key enc_UserPassword is: h1|h4|verschlüsseltes Passwort
I take no credit I am only translating and forwarding.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Ciscos VPN-Client-Passwords can be decrypted Thierry Zoller (Oct 16)