Cisco ASA
#1
I had read elsewhere that the ASA hashing was the same as the PIX MD5 so I decided to give it a shot with oclHashcat-plus.

The file format I used was username:hash. hashcat complained that the hashes were wrong and would not work until I ignored the username. This is problematic because I'm fairly certain the hashes were salted with the first four characters of the username.

So clearly the hashing for ASA is different than PIX unless I'm doing something wrong.

Any idea if/when ASA hashing will be supported?
#2
The ASA does use the same hashing mechanism as PIX. They are NOT different.
You should just be specifying hash and salt on the command-line. Username is irrelevant.
#3
As far as I know, Cisco-PIX MD5 hashing doesn't involve any salting.
#4
(10-18-2012, 04:15 PM)unix-ninja Wrote: The ASA does use the same hashing mechanism as PIX. They are NOT different.
You should just be specifying hash and salt on the command-line. Username is irrelevant.

Thanks for the information!

I'm using version 0.9 on Windows and it's giving me an error that --salt-file is an "unknown option". Is there a different way to specify a salt list on the command line, or is it just not supported on the Windows version?
#5
(10-18-2012, 04:36 PM)M@LIK Wrote: As far as I know, Cisco-PIX MD5 hashing doesn't involve any salting.

When I try to crack known ASA hashes it fails... until I append the first four characters of the username to the end of the password.

Then it works great. Just trying to do this with oclHashcat now instead of JtR....
#6
So instead of using a salt file, I just created a wordlist rule file that looks like this:

$c$i$s$c

That will append the first four characters to the end of the password if the username was 'cisco'. Works just fine!
#7
That's exactly what I was writing to you, see below.

It's not very professional, but you can get away with rules or multi-rules.

Make a rule-file with all first four bytes of the usernames, you can use:
Code:
sed "s|.|$&|g" < usernames.txt | cut -b 1-8 | sort -u > usernames.rule

Then you can run:
Code:
-plus -m2400 -r usernames.rule hashfile dict
#8
(10-18-2012, 05:34 PM)M@LIK Wrote: That's exactly what I was writing to you, see below.

It's not very professional, but you can get away with rules or multi-rules.

Make a rule-file with all first four bytes of the usernames, you can use:
Code:
sed "s|.|$&|g" < usernames.txt | cut -b 1-8 | sort -u > usernames.rule

Then you can run:
Code:
-plus -m2400 -r usernames.rule hashfile dict

Now, how would I do this for a brute force attack? I would need some sort of "salt file" correct?
#9
Pipe maskprocessor to -plus, and you can use rules.
Code:
mp64 -i ?d?d?d?d | -plus -m2400 -r usernames.rule hashfile
The above will brute-force all digits from length one to four, plus appending usernames to the guess.
#10
(10-18-2012, 06:21 PM)M@LIK Wrote: Pipe maskprocessor to -plus, and you can use rules.
Code:
mp64 -i ?d?d?d?d | -plus -m2400 -r usernames.rule hashfile
The above will brute-force all digits from length one to four, plus appending usernames to the guess.

Ah. Very nice. That will certainly do the trick. It does hinder the ability to guesstimate how long the job will take though.
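
The scheme the thread converges on, written out as an added example that is not part of any post above and is not hashcat's code: the PIX hash is MD5 over the NUL-padded input, and the ASA local-user hash feeds that same function the password followed by the first four characters of the username. It assumes inputs of at most 16 bytes and usernames of at least four characters (longer passwords and shorter usernames are not covered by the thread); the function names and the sample usernames are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def pix_md5(secret: bytes) -> str:
    """PIX MD5 (the thread's -m2400): MD5 of the input NUL-padded to 16 bytes."""
    if len(secret) > 16:
        raise ValueError("example covers inputs of at most 16 bytes")
    digest = hashlib.md5(secret.ljust(16, b"\0")).digest()
    chars = []
    for i in range(0, 16, 4):
        # Low 24 bits of each little-endian 32-bit word of the digest ...
        word = int.from_bytes(digest[i:i + 3], "little")
        # ... written as four 6-bit characters, least significant first.
        chars.extend(ITOA64[(word >> s) & 0x3F] for s in (0, 6, 12, 18))
    return "".join(chars)

def asa_md5(password: str, username: str) -> str:
    """ASA variant as described in the thread: password + username[:4]."""
    if len(username) < 4:
        raise ValueError("example covers usernames of 4+ characters")
    return pix_md5((password + username[:4]).encode("utf-8"))

def verify(stored: str, password: str, username: str = "") -> bool:
    """Check a known password against a stored hash (constant-time compare)."""
    candidate = asa_md5(password, username) if username else pix_md5(password.encode())
    return hmac.compare_digest(candidate, stored)

def shared_suffix_groups(usernames):
    """Accounts whose first four characters match get the same 'salt'."""
    groups = defaultdict(list)
    for name in usernames:
        groups[name[:4]].append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample usernames, not taken from any real device.
SAMPLE_USERS = ["cisco", "ciscoadmin", "netops", "netop2", "backup"]

if __name__ == "__main__":
    print(pix_md5(b"cisco"))               # no username involved
    print(asa_md5("password", "cisco"))    # username suffix "cisc" mixed in
    print(shared_suffix_groups(SAMPLE_USERS))
```

Because the suffix is only four characters of the username, accounts such as `cisco` and `ciscoadmin` with the same password store the same hash, so the suffix gives far less separation than a random per-user salt.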