[cisco-voip] DRS Backup Decrypter Workaround - Need Input
mtarpey1 at optimum.net
mtarpey1 at optimum.net
Tue Sep 26 16:56:01 EDT 2017
too late, the problem has been resolved........
----- Original Message -----
From: Brian Meade
Date: Tuesday, September 26, 2017 4:51 pm
Subject: Re: [cisco-voip] DRS Backup Decrypter Workaround - Need Input
To: Anthony Holloway
Cc: "cisco-voip at puck.nether.net"
> Definitely a good tip.
> That does assume you can guess the password. I've had a bunch
> of customers
> have some random cluster security password they had never heard of.
> On Tue, Sep 26, 2017 at 4:24 PM, Anthony Holloway <
> avholloway+cisco-voip at gmail.com> wrote:
> > There's an easier (IMO) way to check cluster security passwords.
> > 1) Enter the change password CLI command, and enter the
> password you have
> > admin:set password user security
> > Please enter the old password: My$3cuR1tyW0rd1
> > 2) Enter the new password as a dictionary word (I like to use
> > Please enter the new password: banana
> > Reenter new password to confirm: banana
> > 3) Say yes to the big scary warning:
> > WARNING:
> > You're handing in your resignation letter at 2:00pm today. Cool?
> > Continue (y/n)? y
> > 4) Get nervous for a minute and second guess your choice to
> follow some
> > sketchy advice from some stranger online
> > Please wait...
> > 5) Observe the outcome
> > One of two things will now have happened:
> > 1) "The old password did not match." This means that you do
> not have the
> > cluster security password correct, and you can try again with
> some other
> > guesses.
> > 2) "BAD PASSWORD: it does not contain enough DIFFERENT
> characters" This
> > means that your password was correct, and the "banana" you fed
> it was
> > rotten.
> > There you go. No need to have 3rd party software (not
> counting an SSH
> > client) to help you anymore.
> > On Tue, Sep 26, 2017 at 9:43 AM Brian Meade wrote:
> >> I'd probably use it less. Right now, I use it for almost
> every project
> >> to verify cluster security passwords.
> >> I'd probably have to make this more of a last resort in that
> case and
> >> make sure to get sign-off from the customer.
> >> On Tue, Sep 26, 2017 at 10:38 AM, Pete Brown wrote:
> >>> I could use some public input regarding the next release of
> the DRS
> >>> Backup Decrypter. In a nutshell, the application will have
> to be online in
> >>> order to decrypt backup sets from newer UCOS versions.
> >>> Last year Cisco started patching DRS with a new algorithm (
> >>> PBEWithHmacSHA1AndDESede) to encrypt the random backup
> passwords. I
> >>> haven't been able to find a .NET implementation of this
> algorithm. The
> >>> only workaround I've come up with is to have the DRS Backup
> Decrypter make
> >>> a call to a Java webservice that can perform the decryption.
> >>> The problems with this approach are pretty obvious. Aside
> from having
> >>> to be online, the encrypted cluster security password and
> 'EncryptKey' from
> >>> a backup set will need to be submitted to a web service that I've
> >>> written for decryption. I can publish a public copy of this
> webservice,>>> but for those behind corporate proxies (myself
> included), the code could be
> >>> made available to run the service within their own networks.
> In that case
> >>> the DRS Backup Decrypter would be pointed to the internal
> copy of the
> >>> webservice.
> >>> I personally detest utilities that can't operate offline,
> but it's the
> >>> only workaround I can come up with at this point. So my
> question is this -
> >>> would anyone actually use it given the webservice dependency?
> >>> _______________________________________________
> >>> cisco-voip mailing list
> >>> cisco-voip at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/cisco-voip
> >> _______________________________________________
> >> cisco-voip mailing list
> >> cisco-voip at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cisco-voip