Tuesday, August 27, 2013

Cisco Password 7 Decrypter

#!/usr/bin/perl
use File::Copy;

############################################################################
# Vigenere translation table
############################################################################
@V=(0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
    0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
    0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39,
    0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33,
    0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37);
############################################################################

############################################################################
# Usage guidelines
############################################################################
if ($ARGV[0] eq ""){
   print "This script reveals the IOS passwords obfuscated using the Vigenere algorithm.n";
   print "n";
   print "Usage guidelines:n";
   print " cdecrypt.pl 04480E051A33490E     # Reveals a single passwordn";
   print "                                  # Original file stored with .bak extensionn";
}

############################################################################
# Process arguments and execute
############################################################################
print Decrypt($ARGV[0]) . " " . $ARGV[0] . "\n";  # Prints the plain text password and the encrypted one

############################################################################
# Vigenere decryption/deobfuscation function
############################################################################
sub Decrypt{
  my $pw=shift(@_);                             # Retrieve input obfuscated password
  my $i=substr($pw,0,2);                        # Initial index into Vigenere translation table
  my $c=2;                                      # Initial pointer
  my $r="";                                     # Variable to hold cleartext password
  while ($c<length($pw)){                       # Process each pair of hex values
    $r.=chr(hex(substr($pw,$c,2))^$V[$i++]);    # Vigenere reverse translation
    $c+=2;                                      # Move pointer to next hex pair
    $i%=53;                                     # Vigenere table wrap around
  }                                             #
  return $r;                                    # Return cleartext password
}

Saturday, August 10, 2013

Using aircrack-ng, airdecap-ng, tshark, and grep regex

Recently in a capture the flag event I had to utilize aircrack-ng to break the WEP key on a packet capture, then airdecap-ng to decrypt the contents of the WEP packets and export them to another packet capture, use tshark to output to text and then use a grep regular expression to extract base64 Authentication Basic username and passwords.

Below are the commands that I ran to accomplish this:

# aircrack-ng WIRELESS-C2.cap 
Opening WIRELESS-C2.cap
Read 73650 packets.

   #  BSSID              ESSID                     Encryption

   1  00:40:10:20:00:03  Wireless Challenge Two    WEP (25704 IVs)

Choosing first network as target.

Opening WIRELESS-C2.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 25704 ivs.


                                            Aircrack-ng 1.2 beta1


                            [00:00:00] Tested 397 keys (got 25082 IVs)

   KB    depth   byte(vote)
    0    2/  4   DA(31232) C0(30976) 22(30720) E8(30720) 16(30208) 25(30208) D0(30208) 
    1    0/  1   1C(35840) 03(32256) 7F(32000) B7(32000) F2(30464) 95(30208) 86(29952) 
    2    0/  5   91(34048) CC(33792) 2D(32512) 58(31232) 84(31232) 2F(30720) 3D(30720) 
    3    5/ 26   0A(30208) 39(30208) 5B(30208) 62(29952) ED(29696) 02(29696) 2E(29696) 
    4    0/  1   C4(35072) 19(31744) 31(30464) CD(30208) 10(29696) 6E(29696) D5(29696) 

                         KEY FOUND! [ C0:1C:91:0A:C4 ] 
        Decrypted correctly: 100%

# airdecap-ng -w c01c910ac4 WIRELESS-C2.cap

## Open up in Wireshark the WIRELESS-C2-dec.cap
## Add filter for (http.request.method == "GET") || (http.request.method == "POST")
## After the filter is applied find the management.asp page
## Right-click and follow TCP stream
## In the open window you find the "Authorization: Basic cm9vdDphZG1pbg=="
## The base64 encoding is the admin username and password
## Decoded the username and password is root:admin

## OR you can use tshark and export the packet information to a file

# tshark -V -r WIRELESS-C2-dec.cap > WIRELESS-dec.txt

## Then wrote a short and sweet regex to extract base64 encoded strings

# cat WIRELESS-C2-dec.txt | grep '\+*[A-Za-z0-9]\{11,\}\+='   # Find base64 encoded text that is 11 characters or longer

## Walla!  Authorization: Basic cm9vdDphZG1pbg==\r\n
## Then you can decode it from the command line by doing the following

echo "cm9vdDphZG1pbg==" | base64 -d



# Note on WPA2 packet captures
 #aircrack-ng <file>.cap -w Wordlist.txt - This is to find the password used

# Then to decrypt the packet capture
# airdecap-ng <file>.pcap -e <SSID> -p <password>


Thursday, August 8, 2013

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...