銳捷password 7 解密

參考鏈接

• 銳捷交換機中的password與secret的區別_小宇飛刀的博客-CSDN博客_銳捷交換機密碼復雜度
  https://blog.csdn.net/xieyunc/article/details/80155249
• Cisco password decryption
  https://insecure.org/sploits/cisco.passwords.html
• 挨踢茶館-思科IOS Type 7密碼在線解密
  https://www.xiaopeiqing.com/cisco-password-cracker/

銳捷的password 7 算法和思科的password 7 算法一樣，但是xlat參數不一樣。

'''
選擇明文攻擊
根據已有密碼和算法計算xlat
'''
def getxlat(enc_pw,dec_pw):
	xlat = [9999, 9999, 9999, 9999, 9999, 9999, 9999, 9999,9999, 9999, 9999, 9999, 9999, 9999, 9999,9999, 9999, 9999, 9999, 9999, 9999, 9999, 9999,9999, 9999, 9999, 9999, 9999, 9999, 9999]
	#seed為enc_pw的前兩個字母
	seed = int(enc_pw[0:2])
	print("seed:",seed)
	val = 0
	#enc_pw中的每兩個字母對應一個明文字母
	for i in range(2,len(enc_pw)):
		print(i)
		if i%2 == 0 and i >2 :
			seed = seed +1
			xlat[seed] = val ^ ord(dec_pw[int(i/2 - 2)])
			
			val = 0
			print(seed,xlat[seed])
		val = val *16
		tmp = enc_pw[i].upper()
		if tmp >= '0' and  tmp <= '9' :
			val = val  + ord(tmp) - ord('0')
			continue

		if tmp >= 'A' and  tmp <= 'F' : 
			val = val + ord(tmp) - ord('A') + 10;
			continue
	print(xlat)
	return xlat

def decode(xlat,enc_pw):
	test_pw = ''
	seed = int(enc_pw[0:2])
	print("seed:",seed)
	val = 0

	for i in range(2,len(enc_pw)):
		print(i)
		if i%2 == 0 and i >2 :
			seed = seed +1
			test_pw_char = chr(val ^xlat[seed])
			test_pw += test_pw_char
			val = 0
			print(seed,xlat[seed],test_pw_char)
		val = val *16
		tmp = enc_pw[i].upper()
		if tmp >= '0' and  tmp <= '9' :
			val = val  + ord(tmp) - ord('0')
			continue

		if tmp >= 'A' and  tmp <= 'F' : 
			val = val + ord(tmp) - ord('A') + 10;
			continue
	print(test_pw)
	
if __name__ == "__main__" :
	enc_pw = '1100320c1843080143797f'+'\0'
	dec_pw = 'ruijie@123'
	xlat = getxlat(enc_pw,dec_pw)
	
	xlat = [9999, 42,   64,   35,   35,   87,   120,  102,  94,   99,   79,   117,  114, 71, 101, 114, 42, 109, 65, 114, 75, 76, 9999, 9999, 9999, 9999, 9999, 9999, 9999, 9999]
	enc_pw = '1100320c1843080143797f'+'\0'
	decode(xlat,enc_pw)