Cracking the Password of the Ruijie RG-NBR1300G-E Gateway Router
Reference links
- Ruijie password 7 decryption - 东坡何罪 - cnblogs
  https://www.cnblogs.com/dongpohezui/p/16065709.html
- The difference between password and secret on Ruijie switches - 小宇飞刀's blog - CSDN
  https://blog.csdn.net/xieyunc/article/details/80155249
- Cisco password decryption
  https://insecure.org/sploits/cisco.passwords.html
- 挨踢茶馆 - Cisco IOS Type 7 password online decryption
  https://www.xiaopeiqing.com/cisco-password-cracker/
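When I first saw the configuration I had no idea what password 7 meant. I eventually found out that it is encryption with a variant of the Cisco algorithm. Hopefully people who run into this later can find the solution simply by pasting the configuration into a search engine.
- 0: not encrypted
- 5: encrypted with MD5
- 7: encrypted with Cisco's proprietary algorithm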
!
web-ac topology ac-connect GigabitEthernet 0/0
web quick-set
macc quick-set
webmaster username admin password 7 1100320c1843080143797f
frn
!
Paste the whole script into Sublime Text, put the password you need to crack in place of 1100320c1843080143797f, and press Ctrl+B to crack it.
def getxlat(enc_pw, dec_pw):
    # Recover key-table entries from a known ciphertext/plaintext pair.
    # 9999 marks entries that have not been recovered.
    xlat = [9999] * 30
    # seed is the first two characters of enc_pw
    seed = int(enc_pw[0:2])
    print("seed:", seed)
    val = 0
    # every two characters of enc_pw correspond to one plaintext character
    for i in range(2, len(enc_pw)):
        print(i)
        if i % 2 == 0 and i > 2:
            # A full byte has been read: XOR it with the known plaintext
            # character to obtain the key byte for this position.
            seed = seed + 1
            xlat[seed] = val ^ ord(dec_pw[i // 2 - 2])
            val = 0
            print(seed, xlat[seed])
        val = val * 16
        tmp = enc_pw[i].upper()
        if tmp >= '0' and tmp <= '9':
            val = val + ord(tmp) - ord('0')
            continue
        if tmp >= 'A' and tmp <= 'F':
            val = val + ord(tmp) - ord('A') + 10
            continue
    print(xlat)
    return xlat


def decode(xlat, enc_pw):
    # enc_pw must end with '\0' so that the last byte is flushed by the loop.
    test_pw = ''
    seed = int(enc_pw[0:2])
    print("seed:", seed)
    val = 0
    for i in range(2, len(enc_pw)):
        print(i)
        if i % 2 == 0 and i > 2:
            # A full byte has been read: XOR it with the key byte.
            seed = seed + 1
            test_pw_char = chr(val ^ xlat[seed])
            test_pw += test_pw_char
            val = 0
            print(seed, xlat[seed], test_pw_char)
        val = val * 16
        tmp = enc_pw[i].upper()
        if tmp >= '0' and tmp <= '9':
            val = val + ord(tmp) - ord('0')
            continue
        if tmp >= 'A' and tmp <= 'F':
            val = val + ord(tmp) - ord('A') + 10
            continue
    print(test_pw)


if __name__ == "__main__":
    # enc_pw = '1100320c1843080143797f'+'\0'
    # dec_pw = 'ruijie@123'
    # xlat = getxlat(enc_pw,dec_pw)
    # A few more entries were generated here than in 东坡何罪's xlat.
    # Paste the whole script into Sublime Text, put the password you need to crack in place of 1100320c1843080143797f, and press Ctrl+B to crack it.
    xlat = [9999, 42, 64, 35, 35, 87, 120, 102, 94, 99, 79, 117, 114, 71, 101, 114, 42, 109, 65, 114, 75, 76, 101, 37, 97, 73, 82, 119, 111, 108]
    enc_pw = '1100320c1843080143797f' + '\0'
    decode(xlat, enc_pw)
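An added example (not part of the original post): an audit helper that finds credential lines in an exported configuration, classifies them by the type digits 0/5/7 listed above, and reports how many plaintext characters a type 7 value gives away, without echoing the stored value. The `password|secret <type> <value>` line shape, the name `audit_config`, and every sample line except the `webmaster` one are assumptions constructed for illustration.

```python
import re

# Storage types as listed on this page: 0 = none, 5 = MD5, 7 = reversible.
RISK = {"0": "plaintext", "5": "md5-hash", "7": "reversible"}

# Assumed line shape: "... password|secret <type> <value>".
CRED_RE = re.compile(r"\b(password|secret)\s+([057])\s+(\S+)", re.IGNORECASE)
# Type 7 layout used by the decoder above: 2-digit decimal seed + hex byte pairs.
TYPE7_RE = re.compile(r"^(\d{2})((?:[0-9A-Fa-f]{2})+)$")


def audit_config(text):
    """Return one finding per credential line; never echoes the stored value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype, value = m.group(2), m.group(3)
        finding = {
            "line": lineno,
            "type": ptype,
            "risk": RISK[ptype],
            "leaked_length": None,
            "redacted": line[: m.start(3)] + "<redacted>",
        }
        if ptype == "0":
            finding["leaked_length"] = len(value)
        elif ptype == "7":
            t7 = TYPE7_RE.match(value)
            if t7:
                # One hex pair per plaintext character, so the length leaks.
                finding["leaked_length"] = len(t7.group(2)) // 2
            else:
                finding["risk"] = "malformed-type7"
        findings.append(finding)
    return findings


# Constructed sample; only the webmaster line comes from the page.
SAMPLE = """\
hostname gw-lab
webmaster username admin password 7 1100320c1843080143797f
enable secret 5 $1$constructed$placeholderhashvalue00
username backup password 0 Constructed-Example1
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE):
        print(f)
```

Any line reported as `reversible` or `plaintext` should be treated as an exposed credential wherever the configuration file has been copied, backed up or pasted.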