Cisco ASA
10-18-2012, 03:48 PM
Post: #1
Cisco ASA
I had read elsewhere that the ASA hashing was the same as the PIX MD5, so I decided to give it a shot with oclHashcat-plus.

The file format I used was username:hash. hashcat complained that the hashes were wrong and would not work until I ignored the username. This is problematic because I'm fairly certain the hashes were salted with the first four characters of the username.

So clearly the hashing for ASA is different than PIX unless I'm doing something wrong.

Any idea if/when ASA hashing will be supported?
10-18-2012, 04:15 PM
Post: #2
RE: Cisco ASA
The ASA does use the same hashing mechanism as PIX. They are NOT different.
You should just be specifying hash and salt on the command-line. Username is irrelevant.
10-18-2012, 04:36 PM
Post: #3
RE: Cisco ASA
As far as I know, Cisco-PIX MD5 hashing doesn't involve any salting.
10-18-2012, 04:43 PM
Post: #4
RE: Cisco ASA
(10-18-2012 04:15 PM)unix-ninja Wrote:  The ASA does use the same hashing mechanism as PIX. They are NOT different.
You should just be specifying hash and salt on the command-line. Username is irrelevant.

Thanks for the information!

I'm using version 0.9 on Windows and it is giving me an error that --salt-file is an "unknown option". Is there a different way to specify a salt list on the command line, or is it just not supported on the Windows version?
10-18-2012, 04:50 PM
Post: #5
RE: Cisco ASA
(10-18-2012 04:36 PM)M@LIK Wrote:  As far as I know, Cisco-PIX MD5 hashing doesn't involve any salting.

When I try to crack known ASA hashes it fails...until I append the first four characters of the username to the end of the password.

Then it works great. Just trying to do this with oclHashcat now instead of JtR....
10-18-2012, 05:03 PM
Post: #6
RE: Cisco ASA
So instead of using a salt file, I just created a wordlist rule file that looks like this:

$c$i$s$c

That will append the first four characters to the end of the password if the username was 'cisco'. Works just fine!
10-18-2012, 05:34 PM
Post: #7
RE: Cisco ASA
That's exactly what I was writing to you, see below.

It's not very professional, but you can get away with rules or multi-rules.

Make a rule-file with all first four bytes of the usernames, you can use:
Code:
sed "s|.|$&|g" < usernames.txt | cut -b 1-8 | sort -u > usernames.rule

Then you can run:
Code:
-plus -m2400 -r usernames.rule hashfile dict
10-18-2012, 05:37 PM
Post: #8
RE: Cisco ASA
(10-18-2012 05:34 PM)M@LIK Wrote:  That's exactly what I was writing to you, see below.

It's not very professional, but you can get away with rules or multi-rules.

Make a rule-file with all first four bytes of the usernames, you can use:
Code:
sed "s|.|$&|g" < usernames.txt | cut -b 1-8 | sort -u > usernames.rule

Then you can run:
Code:
-plus -m2400 -r usernames.rule hashfile dict

Now, how would I do this for a brute force attack? I would need some sort of "salt file" correct?
10-18-2012, 06:21 PM
Post: #9
RE: Cisco ASA
Pipe maskprocessor to -plus, and you can use rules.
Code:
mp64 -i ?d?d?d?d | -plus -m2400 -r usernames.rule hashfile
The above will brute-force all digits from length one to four, plus appending usernames to the guess.
10-18-2012, 07:47 PM
Post: #10
RE: Cisco ASA
(10-18-2012 06:21 PM)M@LIK Wrote:  Pipe maskprocessor to -plus, and you can use rules.
Code:
mp64 -i ?d?d?d?d | -plus -m2400 -r usernames.rule hashfile
The above will brute-force all digits from length one to four, plus appending usernames to the guess.

Ah. Very nice. That will certainly do the trick. It does hinder the ability to guesstimate how long the job will take though.
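An added sketch (not code from any poster or from hashcat) of the construction the thread converges on: the stored value is an MD5 over the password with the first four characters of the username appended, which is why the hashes only matched once the username was taken into account, and why accounts whose names share a four-character prefix share a salt. The 16-byte null padding, the 12-of-16 byte selection and the `./0-9A-Za-z` alphabet are assumptions taken from the commonly documented PIX-MD5 layout; the usernames and password are constructed, and inputs longer than 16 bytes are left out.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed alphabet of the PIX-MD5 encoding (crypt-style "itoa64").
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def pix_md5(password: str, username: str = "") -> str:
    """PIX-MD5 of password; with a username, the ASA variant described above."""
    user = username.encode()
    if 0 < len(user) < 4:
        raise ValueError("usernames shorter than four bytes are out of scope")
    data = password.encode() + user[:4]          # salt = first 4 bytes of name
    if len(data) > 16:
        raise ValueError("only inputs that fit one 16-byte block are covered")
    digest = hashlib.md5(data.ljust(16, b"\0")).digest()
    chars = []
    for i in range(0, 16, 4):
        # Keep 3 of every 4 digest bytes, emit them as four 6-bit characters.
        word = int.from_bytes(digest[i:i + 3], "little")
        chars.extend(ITOA64[(word >> shift) & 0x3F] for shift in (0, 6, 12, 18))
    return "".join(chars)


def verify(stored: str, password: str, username: str = "") -> bool:
    """Check a candidate password against a stored 16-character hash."""
    return hmac.compare_digest(stored, pix_md5(password, username))


def shared_salt_groups(usernames):
    """Usernames that end up with the same four-character salt."""
    groups = defaultdict(list)
    for name in usernames:
        groups[name[:4]].append(name)
    return {prefix: names for prefix, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    users = ["cisco", "cisconet", "admin"]       # constructed sample accounts
    for u in users:
        print(u, pix_md5("Passw0rd!", u))        # first two lines are identical
    print(shared_salt_groups(users))
```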