Posts: 16
Threads: 5
Joined: Jul 2012
I had read elsewhere that the ASA hashing was the same as the pix md5 so I decide to give it a shot with oclHashcat-plus.
The file format I used was username:hash. hashcat complained that the hashes were wrong and would not work until I ignored the username. This is problematic because I'm fairly certain the hashes were salted with the first four characters of the username.
So clearly the hashing for ASA is different that PIX unless I'm doing something wrong.
Any idea if/when ASA hashing will be supported?
Posts: 100
Threads: 2
Joined: Mar 2012
The ASA does use the same hashing mechanism as PIX. They are NOT different.
You should just be specifying hash and salt on the command-line. Username is irrelevant.
Posts: 414
Threads: 14
Joined: Mar 2012
As far as I know, Cisco-PIX MD5 hashing doesn't involve any salting.
Posts: 16
Threads: 5
Joined: Jul 2012
(10-18-2012, 04:15 PM)unix-ninja Wrote: The ASA does use the same hashing mechanism as PIX. They are NOT different.
You should just be specifying hash and salt on the command-line. Username is irrelevant.
Thanks for the information!
I'm using version 0.9 on windows and giving me an error that --salt-file is a "unknown option". Is there a different way to specify a salt list on the command line or just not supported on the windows version?
Posts: 16
Threads: 5
Joined: Jul 2012
(10-18-2012, 04:36 PM)M@LIK Wrote: As far as I know, Cisco-PIX MD5 hashing doesn't involve any salting.
When I try to crack known ASA hashes it fails...until i append the first four characters of the username to the end of the password.
Then it works great. just trying to do this with oclHashcat now instead of JtR....
Posts: 16
Threads: 5
Joined: Jul 2012
So instead of using a salt file, i just created a wordlist rule file that looks like this:
$c$i$s$c
That will append the first four characters to the end of the password if the username was 'cisco'. Works just fine!
Posts: 414
Threads: 14
Joined: Mar 2012
That's what I was exactly writing you, see below.
It's not very professional, but you can get away with
rules or
multi-rules.
Make a rule-file with all first four bytes of the usernames, you can use:
Code:
sed "s|.|$&|g" < usernames.txt | cut -b 1-8 | sort -u > usernames.rule
Then you can run:
Code:
-plus -m2400 -r usernames.rule hashfile dict
Posts: 16
Threads: 5
Joined: Jul 2012
(10-18-2012, 05:34 PM)M@LIK Wrote: That's what I was exactly writing you, see below.
It's not very professional, but you can get away with rules or multi-rules.
Make a rule-file with all first four bytes of the usernames, you can use:
Code:
sed "s|.|$&|g" < usernames.txt | cut -b 1-8 | sort -u > usernames.rule
Then you can run:
Code:
-plus -m2400 -r usernames.rule hashfile dict
Now, how would I do this for a brute force attack? I would need some sort of "salt file" correct?
Posts: 414
Threads: 14
Joined: Mar 2012
Pipe
maskprocessor to -plus, and you can use rules.
Code:
mp64 -i ?d?d?d?d | -plus -m2400 -r usernames.rule hashfile
This above will brute-force all digits from length one to four, plus appending usernames to the guess.
Posts: 16
Threads: 5
Joined: Jul 2012
(10-18-2012, 06:21 PM)M@LIK Wrote: Pipe maskprocessor to -plus, and you can use rules.
Code:
mp64 -i ?d?d?d?d | -plus -m2400 -r usernames.rule hashfile
Ah. Very nice. That will certainly do the trick. It does hinder the ability to guesstimate how long the job will take though.
