Posts: 3
Threads: 1
Joined: Oct 2014
Hello,
I'm trying to un-hash an ASA username/pwd. I have the username, and the hash for the password from the config. When I use hash-type 2400 for the Cisco PIX, it does not work, but when I select the 2410, it fails with a line length exception. What is the proper method for entering this? I've heard that the ASA will salt the 1st 4 of the username, but not sure how to enter this in the password file. From what I understand, the console/enable hashes are straight MD5, but the actual LOCAL user database hashes are different (with the 4-character salt?)
I know the password at this point, so its more of a training exercise.
Any guidance, or a polite RTFM it was right <here> would be great!
Thank you
Posts: 8
Threads: 0
Joined: Aug 2014
I am no expert but if I understand correctly, the hash is calculated from using the plaintext password + the first four characters of the username. So if you have a wordlist, you will need to append those first four characters to every line in the wordlist.
Example ASA configuration:
username test password W77doHGDnHvf5vZv encrypted
The password above is hash1234, so in your wordlist there needs to be a word hash1234test to get a successful hit.
Posts: 2,940
Threads: 12
Joined: May 2012
(10-02-2014, 08:28 PM)stevedtech Wrote: What is the proper method for entering this?
[...]
Any guidance, or a polite RTFM it was right <here> would be great!
It was right here:
http://hashcat.net/wiki/doku.php?id=example_hashes
Posts: 3
Threads: 1
Joined: Oct 2014
(10-02-2014, 11:29 PM)epixoip Wrote: (10-02-2014, 08:28 PM)stevedtech Wrote: What is the proper method for entering this?
[...]
Any guidance, or a polite RTFM it was right <here> would be great!
It was right here: http://hashcat.net/wiki/doku.php?id=example_hashes
Im sorry epixoip, but I don't see where an example hash answers my question on the link.
Gearjunkie's response is helpful though! Given this, that means we know the last 4 characters of the password (because we have the username) - how would the command line be written then? Would the mask be something like ?a?a?a?a?a?a?a?a?1?2?3?1, where you define character sets 1=t 2=e 3=s?
You'd have to run it through for each increment then, right? Ex:
?a?1?2?3?1
Then ?a?a?1?2?3?1
Then ?a?a?a?1?2?3?1
and so on... or is the a way to automatically append this charset sequence?
The wordlist would work, but if the password was any sort of complex it wouldn't have a great chance of finding it/it being in the wordlist right?
Posts: 2,268
Threads: 16
Joined: Feb 2013
10-03-2014, 01:16 AM
(This post was last modified: 10-03-2014, 01:18 AM by philsmd.)
If you look at the example hash page that epixoip linked, it is very clear to see, that you need to specify:
hash
alt
There is something particular w/ 2410, i.e. that salt is limited to 4 chars (but can be less than that).
This is already all that is particular to 2410, i.e. as for all the other salted hash types, the salt is something known and as such you do not specify it in your dicts/mask etc, but you pass it to hashcat/oclHashcat together with the hash
For instance (hashes masked as per the forum rules):
./oclHashcat64.bin -m 2410 W7XXXHGDnXXX5vXX:test -a 3 hash?d?d?d?d
works perfectly and recovers the correct password.
Posts: 3
Threads: 1
Joined: Oct 2014
Ahh - ok I got it. Thank you philsmd (and thank you epixoip).
I failed to realize that this is what the example was portraying.
2410 Cisco-ASA MD5 02dMBMYkTdC5Ziyp:36
So the :36 is actually the salt itself (although a username of '36' is a bit odd...)
That clears it up, I appreciate all your quick responses!
