What is up with this hardcoded credential?

I came across this hash from a buddy today. (066bae9070a9a95b3e03019db131cd40)

Anyway the hash comes up in articles such as [this](https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-003/-cisco-rv320-unauthenticated-diagnostic-data-retrieval).

It claims the exploit uses a “hardcoded password NKDebug12#$%”. I tried running hashcat against this hash and it is not cracking it; something is off here lol.

```
hashcat -a 0 -m 0 hash.txt dict.txt --force
```

I’ve also tried -m 2400 and -m 2410

Now according to [this](https://github.com/0x27/CiscoRV320Dump) article, this credential uses some weird encoding? But I think this is specific to what is seen in his exploit, but I’m not sure.

> A few notes on the “hashing” of the password, before we go any further. On these, in the config file, you will find a variable named PASSWD followed by an md5 hash. This md5 hash is md5($password.$auth_key), where the auth_key is a static value you can find by doing a GET / and parsing. There is a seemingly common one that I hardcoded into the RCE exploit as a fallback in case the page parser bullshit regex fails.

Yeah I just don’t understand this lol.
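Added example, not part of the original post or of the quoted README: a Python sketch of the `md5($password.$auth_key)` construction the quote describes. It shows why an unsalted MD5 comparison never matches such a value, and how a stored `PASSWD` hash can be audited against a list of known or default passwords once the device's `auth_key` is known. The auth key, password, candidate list and function names are constructed for illustration, and UTF-8 encoding of the inputs is an assumption.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real device or from the page.
SAMPLE_AUTH_KEY = "EXAMPLE-AUTH-KEY-0000"
SAMPLE_PASSWORD = "example-admin-pass"


def plain_md5(password: str) -> str:
    """Unsalted MD5 of the password alone (what a raw-MD5 lookup compares)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def passwd_hash(password: str, auth_key: str) -> str:
    """md5($password.$auth_key): the auth_key is appended to the password."""
    return hashlib.md5((password + auth_key).encode("utf-8")).hexdigest()


def find_known_password(stored_hash, auth_key, candidates):
    """Return the candidate whose keyed hash equals stored_hash, else None."""
    stored = stored_hash.strip().lower()
    for candidate in candidates:
        if hmac.compare_digest(passwd_hash(candidate, auth_key), stored):
            return candidate
    return None


def demo():
    # Hash as it would be stored for the sample password and sample key.
    stored = passwd_hash(SAMPLE_PASSWORD, SAMPLE_AUTH_KEY)
    default_list = ["admin", "cisco", SAMPLE_PASSWORD]  # constructed audit list
    return {
        # Plain MD5 of the right password still does not equal the stored value.
        "plain_matches": plain_md5(SAMPLE_PASSWORD) == stored,
        # With the correct auth_key the audit identifies the password.
        "with_key": find_known_password(stored, SAMPLE_AUTH_KEY, default_list),
        # With a different auth_key nothing matches, even for the right password.
        "wrong_key": find_known_password(stored, "some-other-key", default_list),
    }


if __name__ == "__main__":
    print(demo())
```

The same holds for any tool that treats the value as raw MD5: without the appended key, the correct password in the wordlist still produces a different digest.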

