锐捷password 7 解密

参考链接

• 锐捷交换机中的password与secret的区别_小宇飞刀的博客-CSDN博客_锐捷交换机密码复杂度
  https://blog.csdn.net/xieyunc/article/details/80155249
• Cisco password decryption
  https://insecure.org/sploits/cisco.passwords.html
• 挨踢茶馆-思科IOS Type 7密码在线解密
  https://www.xiaopeiqing.com/cisco-password-cracker/

锐捷的password 7 算法和思科的password 7 算法一样，但是xlat参数不一样。

'''
选择明文攻击
根据已有密码和算法计算xlat
'''
def getxlat(enc_pw,dec_pw):
	xlat = [9999, 9999, 9999, 9999, 9999, 9999, 9999, 9999,9999, 9999, 9999, 9999, 9999, 9999, 9999,9999, 9999, 9999, 9999, 9999, 9999, 9999, 9999,9999, 9999, 9999, 9999, 9999, 9999, 9999]
	#seed为enc_pw的前两个字母
	seed = int(enc_pw[0:2])
	print("seed:",seed)
	val = 0
	#enc_pw中的每两个字母对应一个明文字母
	for i in range(2,len(enc_pw)):
		print(i)
		if i%2 == 0 and i >2 :
			seed = seed +1
			xlat[seed] = val ^ ord(dec_pw[int(i/2 - 2)])
			
			val = 0
			print(seed,xlat[seed])
		val = val *16
		tmp = enc_pw[i].upper()
		if tmp >= '0' and  tmp <= '9' :
			val = val  + ord(tmp) - ord('0')
			continue

		if tmp >= 'A' and  tmp <= 'F' : 
			val = val + ord(tmp) - ord('A') + 10;
			continue
	print(xlat)
	return xlat

def decode(xlat,enc_pw):
	test_pw = ''
	seed = int(enc_pw[0:2])
	print("seed:",seed)
	val = 0

	for i in range(2,len(enc_pw)):
		print(i)
		if i%2 == 0 and i >2 :
			seed = seed +1
			test_pw_char = chr(val ^xlat[seed])
			test_pw += test_pw_char
			val = 0
			print(seed,xlat[seed],test_pw_char)
		val = val *16
		tmp = enc_pw[i].upper()
		if tmp >= '0' and  tmp <= '9' :
			val = val  + ord(tmp) - ord('0')
			continue

		if tmp >= 'A' and  tmp <= 'F' : 
			val = val + ord(tmp) - ord('A') + 10;
			continue
	print(test_pw)
	
if __name__ == "__main__" :
	enc_pw = '1100320c1843080143797f'+'\0'
	dec_pw = 'ruijie@123'
	xlat = getxlat(enc_pw,dec_pw)
	
	xlat = [9999, 42,   64,   35,   35,   87,   120,  102,  94,   99,   79,   117,  114, 71, 101, 114, 42, 109, 65, 114, 75, 76, 9999, 9999, 9999, 9999, 9999, 9999, 9999, 9999]
	enc_pw = '1100320c1843080143797f'+'\0'
	decode(xlat,enc_pw)