Details about new Cisco algos ($8$ = -m 9200 and $9$ = -m 9300)
#1
Remember the two "new" hash types that we've announced in August this year?

I'm speaking about the 2 new hash types used in some new Cisco routers with latest firmware, one of which is pbkdf2-hmac-sha256 based ($8$) and the other one is scrypt based ($9$).

Hashcat devs got several mails/PMs which asked for the algorithm details. Of course we are happy to spread the world and publicly discuss with you about hash algorithms.
That is why we answered the requests with the details about the algorithm, but today (after further requests) we decided it makes sense to just post the details here s.t. also others can look them up and discuss them with us (shame that we didn't get time to post the details beforehand).

But at least we did publish and discuss algorithms with you in the past, see for instance:
- http://hashcat.net/forum/thread-3550.html
- http://hashcat.net/forum/thread-2247.html
...

Of course we believe that algorithms shouldn't be a secret and that is why I will write here the full details about both algorithms and include some poc code.

On the other hand, it is funny that people are struggling to get the details about the algorithm, because they aren't very strange nor very difficult to discover.

1. $8$ - PBKDF2-HMAC-SHA256 (-m 9200)
The most important thing here to note is the default iteration count, it is set to 20000 iterations.
Beside that, for the base64 encoding the base64 table in use is the one Cisco used with older versions too (which is different from the "standard" one, see also and compare with -m 5700 = Cisco-IOS SHA256 etc which uses the same Base64 table):
./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz

Another important detail about this -m 9200 algorithm is that the salt is used AS-IS, it doesn't need to be decoded etc before feeding it to pbkdf2-hmac-sha256 ().

2. $9$ - scrypt (-m 9300)
Here the default parameters are:
N = 16384, r = 1, p =1

As with #1 the encoding uses the base64 table: ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Salt is used directly, doesn't need to be decoded or otherwise manipulated before running the scrypt () hash function

Below I will attach the 2 poc codes. This is code I very quickly hacked together, so don't blame me for it Wink

Hope this helps and in the future I can link guys here for the details Wink
Thx

-m 9200 = Cisco $8$ code
Code:
#!/usr/bin/env perl

# Author: philsmd
# released to the public domain (Nov 2014)
# credits for the code, this public contribution and discovery of the algorithm go to author and hashcat.net (@hashcat)

# hashcat mode:
# -m 9200 = Cisco $8$
# PBKDF2-SHA256 based

use strict;
use warnings;

use Crypt::PBKDF2;
use MIME::Base64;

# Example1

my $password = "hashcat";
my $salt     = "TnGX/fE4KGHOVU";

# Example2 (args from command line)

if (scalar (@ARGV) > 0)
{
  $password = $ARGV[0];
}

if (scalar (@ARGV) > 1)
{
  $salt = $ARGV[1];
}

# fixed PBKDF2 settings

my $iterations = 20000;

# base64 table: ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz

my $BASE64_TRANS_CISCO = {'A', '.', 'B', '/', 'C', '0', 'D', '1', 'E', '2', 'F', '3', 'G', '4', 'H', '5', 'I', '6', 'J', '7', 'K', '8', 'L', '9', 'M', 'A', 'N', 'B', 'O', 'C', 'P', 'D', 'Q', 'E', 'R', 'F', 'S', 'G', 'T', 'H', 'U', 'I', 'V', 'J', 'W', 'K', 'X', 'L', 'Y', 'M', 'Z', 'N', 'a', 'O', 'b', 'P', 'c', 'Q', 'd', 'R', 'e', 'S', 'f', 'T', 'g', 'U', 'h', 'V', 'i', 'W', 'j', 'X', 'k', 'Y', 'l', 'Z', 'm', 'a', 'n', 'b', 'o', 'c', 'p', 'd', 'q', 'e', 'r', 'f', 's', 'g', 't', 'h', 'u', 'i', 'v', 'j', 'w', 'k', 'x', 'l', 'y', 'm', 'z', 'n', '0', 'o', '1', 'p', '2', 'q', '3', 'r', '4', 's', '5', 't', '6', 'u', '7', 'v', '8', 'w', '9', 'x', '+', 'y', '/', 'z'};


# START of algo here:

my $pbkdf2 = Crypt::PBKDF2->new
(
  hasher     => Crypt::PBKDF2->hasher_from_algorithm ('HMACSHA2', 256),
  iterations => $iterations
);

my $hash_base64 = $pbkdf2->PBKDF2_base64 ($salt, $password);

# crappy way to convert it to the cisco base64 table (but who cares?)

my $hash = "";

for (my $i = 0; $i < 43; $i++)
{
  $hash .= $BASE64_TRANS_CISCO->{substr ($hash_base64, $i, 1)};
}

# just print it

my $output = sprintf ("\$8\$%s\$%s", $salt, $hash);

print $output . "\n";

-m 9300 = Cisco $8$ code
Code:
#!/usr/bin/env perl

# Author: philsmd
# released to the public domain (Nov 2014)
# credits for the code, this public contribution and discovery of the algorithm go to author and hashcat.net (@hashcat)

# hashcat mode:
# -m 9300 = Cisco $9$
# scrypt based

use strict;
use warnings;
use MIME::Base64;
use Crypt::ScryptKDF qw (scrypt_b64);

# Example1

my $password = "hashcat";
my $salt     = "2MJBozw/9R3UsU";

# Example2 (args from command line)

if (scalar (@ARGV) > 0)
{
  $password = $ARGV[0];
}

if (scalar (@ARGV) > 1)
{
  $salt = $ARGV[1];
}

# default scrypt settings for -m 9300 = Cisco $9$

my $N = 16384;
my $r = 1;
my $p = 1;

# base64 table: ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz

my $BASE64_TRANS_CISCO = {'A', '.', 'B', '/', 'C', '0', 'D', '1', 'E', '2', 'F', '3', 'G', '4', 'H', '5', 'I', '6', 'J', '7', 'K', '8', 'L', '9', 'M', 'A', 'N', 'B', 'O', 'C', 'P', 'D', 'Q', 'E', 'R', 'F', 'S', 'G', 'T', 'H', 'U', 'I', 'V', 'J', 'W', 'K', 'X', 'L', 'Y', 'M', 'Z', 'N', 'a', 'O', 'b', 'P', 'c', 'Q', 'd', 'R', 'e', 'S', 'f', 'T', 'g', 'U', 'h', 'V', 'i', 'W', 'j', 'X', 'k', 'Y', 'l', 'Z', 'm', 'a', 'n', 'b', 'o', 'c', 'p', 'd', 'q', 'e', 'r', 'f', 's', 'g', 't', 'h', 'u', 'i', 'v', 'j', 'w', 'k', 'x', 'l', 'y', 'm', 'z', 'n', '0', 'o', '1', 'p', '2', 'q', '3', 'r', '4', 's', '5', 't', '6', 'u', '7', 'v', '8', 'w', '9', 'x', '+', 'y', '/', 'z'};

# START of algo here:

my $hash_base64 = scrypt_b64 ($password, $salt, $N, $r, $p, 32);

# crappy way to convert it to the cisco base64 table (but who cares?)

my $hash = "";

for (my $i = 0; $i < 43; $i++)
{
  $hash .= $BASE64_TRANS_CISCO->{substr ($hash_base64, $i, 1)};
}

# just print it

my $output = sprintf ("\$9\$%s\$%s", $salt, $hash);

print $output . "\n";
Reply