{"id":451,"date":"2018-01-18T15:46:27","date_gmt":"2018-01-18T15:46:27","guid":{"rendered":"https:\/\/www.attackdebris.com\/?p=451"},"modified":"2020-11-14T12:09:12","modified_gmt":"2020-11-14T12:09:12","slug":"451","status":"publish","type":"post","link":"https:\/\/www.attackdebris.com\/?p=451","title":{"rendered":"Cracking Cisco ASA SHA-512 Hashes with Hashcat"},"content":{"rendered":"

I haven’t seen too much detail around about how to crack Cisco ASA PBKDF2 (Password-Based Key Derivation Function 2) SHA-512 hashes, which I believe have been supported in some ASA versions from as early as March 2016.<\/p>\n

 <\/div>\n

As always the hashes can be recovered from the appropriate Cisco ASA config file.<\/p>\n

 <\/div>\n

Here are some examples of how the hashes can appear in the ASA config files. In the examples below all 3 sample hashes can be easily cracked using any respectable word-list:<\/p>\n

enable password $sha512$5000$vlCP+V07DGEJ9TcSV\/GpuA==$2S8SLoECmbtb\/o17ZhXuKg== pbkdf2\n\nusername admin password $sha512$5000$SvZkzlRDO115YrLXsZuWCg==$Yu0w7sFjhLnbtZQJ\/nyp+A== pbkdf2 privilege 15\n\nusername admin password $sha512$5000$OZ45Ro7002bnyFGXlIghqg==$T9oP1zKSTmv74Nizd8ku3A== pbkdf2 privilege 15<\/pre>\n
 <\/div>\n
Some modification of the hashes is required before they can be imported into hashcat. Basically the first $ needs to be removed and all subsequent $’s need to be replaced with colons.<\/p>\n
 <\/div>\n
For example:<\/p>\n
$sha512$5000$SvZkzlRDO115YrLXsZuWCg==$Yu0w7sFjhLnbtZQJ\/nyp+A==<\/pre>\n
 <\/div>\n
Becomes:<\/p>\n
sha512:5000:SvZkzlRDO115YrLXsZuWCg==:Yu0w7sFjhLnbtZQJ\/nyp+A==<\/pre>\n
 <\/div>\n
This hash can now be fed into hashcat as a single:<\/p>\n
hashcat64.exe -m 12100 sha512:5000:SvZkzlRDO115YrLXsZuWCg==:Yu0w7sFjhLnbtZQJ\/nyp+A== c:\\Tools\\wordlists\\pw_topten.txt<\/pre>\n
 <\/div>\n
\"\"<\/a><\/div>\n
 <\/p>\n
Or via a file:<\/p>\n
hashcat64.exe -m 12100 sha512.txt c:\\Tools\\wordlists\\pw_topten.txt<\/pre>\n
 <\/div>\n
\"\"<\/a><\/div>\n
 <\/p>\n
Cracked hashes:<\/p>\n
sha512:5000:vlCP+V07DGEJ9TcSV\/GpuA==:2S8SLoECmbtb\/o17ZhXuKg==: (i.e. blank)\n\nsha512:5000:SvZkzlRDO115YrLXsZuWCg==:Yu0w7sFjhLnbtZQJ\/nyp+A==:cisco<\/pre>\n
 <\/div>\n
I leave the final hash (below) to be cracked as a challenge for the reader (it can be cracked with any respectable word-list):<\/p>\n
 $sha512$5000$OZ45Ro7002bnyFGXlIghqg==$T9oP1zKSTmv74Nizd8ku3A==<\/pre>\n
Thanks to my colleague Marius for the initial pointer on the hash type.<\/p>\n","protected":false},"excerpt":{"rendered":"
I haven’t seen too much detail around about how to crack Cisco ASA PBKDF2 (Password-Based Key Derivation Function 2) SHA-512 hashes, which I believe have been supported in some ASA versions from as early as March 2016.   As always the hashes can be recovered from the appropriate Cisco ASA config file.   Here are some examples of how … <\/p>\n
Continue reading<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[13],"tags":[],"class_list":["post-451","post","type-post","status-publish","format-standard","hentry","category-passwords","item-wrap"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/s3MDvd-451","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts\/451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=451"}],"version-history":[{"count":35,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts\/451\/revisions"}],"predecessor-version":[{"id":589,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts\/451\/revisions\/589"}],"wp:attachment":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}