[cisco-voip] DRS Backup Decrypter Workaround - Need Input

Tue Sep 26 16:51:10 EDT 2017

Definitely a good tip.

That does assume you can guess the password.  I've had a bunch of customers
have some random cluster security password they had never heard of.

On Tue, Sep 26, 2017 at 4:24 PM, Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:

> There's an easier (IMO) way to check cluster security passwords.
>
> 1) Enter the change password CLI command, and enter the password you have
>
> admin:set password user security
> Please enter the old password: My$3cuR1tyW0rd1
>
> 2) Enter the new password as a dictionary word (I like to use banana):
>
>    Please enter the new password: banana
> Reenter new password to confirm: banana
>
> 3) Say yes to the big scary warning:
>
> WARNING:
> You're handing in your resignation letter at 2:00pm today.  Cool?
>
> Continue (y/n)? y
>
> 4) Get nervous for a minute and second guess your choice to follow some
> sketchy advice from some stranger online
>
> Please wait...
>
> 5) Observe the outcome
>
> One of two things will now have happened:
>
> 1) "The old password did not match."  This means that you do not have the
> cluster security password correct, and you can try again with some other
> guesses.
> 2) "BAD PASSWORD: it does not contain enough DIFFERENT characters" This
> means that your password was correct, and the "banana" you fed it was
> rotten.
>
> There you go.  No need to have 3rd party software (not counting an SSH
> client) to help you anymore.
>
>
> On Tue, Sep 26, 2017 at 9:43 AM Brian Meade <bmeade90 at vt.edu> wrote:
>
>> I'd probably use it less.  Right now, I use it for almost every project
>> to verify cluster security passwords.
>>
>> I'd probably have to make this more of a last resort in that case and
>> make sure to get sign-off from the customer.
>>
>> On Tue, Sep 26, 2017 at 10:38 AM, Pete Brown <jpb at chykn.com> wrote:
>>
>>> I could use some public input regarding the next release of the DRS
>>> Backup Decrypter.  In a nutshell, the application will have to be online in
>>> order to decrypt backup sets from newer UCOS versions.
>>>
>>> Last year Cisco started patching DRS with a new algorithm (
>>> PBEWithHmacSHA1AndDESede) to encrypt the random backup passwords.  I
>>> haven't been able to find a .NET implementation of this algorithm.  The
>>> only workaround I've come up with is to have the DRS Backup Decrypter make
>>> a call to a Java webservice that can perform the decryption.
>>>
>>> The problems with this approach are pretty obvious.  Aside from having
>>> to be online, the encrypted cluster security password and 'EncryptKey' from
>>> a backup set will need to be submitted to a web service that I've
>>> written for decryption.  I can publish a public copy of this webservice,
>>> but for those behind corporate proxies (myself included), the code could be
>>> made available to run the service within their own networks.  In that case
>>> the DRS Backup Decrypter would be pointed to the internal copy of the
>>> webservice.
>>>
>>> I personally detest utilities that can't operate offline, but it's the
>>> only workaround I can come up with at this point.  So my question is this -
>>> would anyone actually use it given the webservice dependency?
>>>
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20170926/57461ef1/attachment.html>