Friday, June 14, 2013

Password Algorithms: Cisco Unified Personal Communicator


This application took some time to acquire online because Cisco prevents you downloading unless you are:
  • Direct Customer
  • Partner-Reseller
  • Service Contract Owners
  • CCIE Professional
  • PICA Customer
I’ve installed on my Windows 7 workstation so results may differ.
There’s a checkbox beneath the username and password fields labelled Automatically Sign In which is disabled by default.
If you check this box, a DAT file will be created in your profile under the following path:
C:\Users\dietrich\AppData\Local\Cisco\Unified Communications\Client Services Framework\Config\Profile
The name of the file is generated by UuidCreate()
The contents are encoded with Base64 and once decoded into binary appears to be DPAPI blob.
  00000000 01 00 00 00 d0 8c 9d df 01 15 d1 11 8c 7a 00 c0      ....ð..¯..Ð..z.+
  00000010 4f c2 97 eb 01 00 00 00 57 4a ac d0 b9 66 a5 4b      O-.Ù....WJ¼ð¦fÑK
  00000020 b3 47 a3 ea 37 85 af 43 00 00 00 00 32 00 00 00      ¦GúÛ7.»C....2...
  00000030 61 00 75 00 74 00 68 00 5f 00 73 00 76 00 6e 00      a.u.t.h._.s.v.n.
  00000040 2e 00 73 00 69 00 6d 00 70 00 6c 00 65 00 2e 00      ..s.i.m.p.l.e...
  00000050 77 00 69 00 6e 00 63 00 72 00 79 00 70 00 74 00      w.i.n.c.r.y.p.t.
What’s interesting about this blob in particular is the description string which is:“auth_svn.simple.wincrypt”
I initially thought this may be part of some library and sure enough it was just that! :)LibSVN to be exact.
Here’s a snippet of the code in win32_crypto.c which uses the same description to encrypt data.
/*-----------------------------------------------------------------------*/
/* Windows simple provider, encrypts the password on Win2k and later.    */
/*-----------------------------------------------------------------------*/

/* The description string that's combined with unencrypted data by the
   Windows CryptoAPI. Used during decryption to verify that the
   encrypted data were valid. */
   
static const WCHAR description[] = L"auth_svn.simple.wincrypt";

/* Implementation of svn_auth__password_set_t that encrypts
   the incoming password using the Windows CryptoAPI. */
static svn_boolean_t
windows_password_encrypter(apr_hash_t *creds,
                           const char *realmstring,
                           const char *username,
                           const char *in,
                           apr_hash_t *parameters,
                           svn_boolean_t non_interactive,
                           apr_pool_t *pool)
{
  DATA_BLOB blobin;
  DATA_BLOB blobout;
  svn_boolean_t crypted;

  blobin.cbData = strlen(in);
  blobin.pbData = (BYTE*) in;
  crypted = CryptProtectData(&blobin, description, NULL, NULL, NULL,
                             CRYPTPROTECT_UI_FORBIDDEN, &blobout);
  if (crypted)
    {
      char *coded = apr_palloc(pool, apr_base64_encode_len(blobout.cbData));
      apr_base64_encode(coded, (const char*)blobout.pbData, blobout.cbData);
      crypted = svn_auth__simple_password_set(creds, realmstring, username,
                                              coded, parameters,
                                              non_interactive, pool);
      LocalFree(blobout.pbData);
    }

  return crypted;
}

Rather than write a decryption tool, I just dumped the contents of output returned byCryptUnprotectData() in debugger.
It’s an XML file which contains plaintext credentials and this is how Personal Communicator Automatically signs in. :)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <UserCredentialDetails><profileName>Profile1</profileName>
    <credentials><username>userid</username>
      <password>password</password>
      <credentialsType>PRESENCE_SERVICE</credentialsType>
      <rememberMe>true</rememberMe>
    </credentials>
  </UserCredentialDetails>
It may be possible to have multiple profiles but I didn’t look into it.

0 comments:

Post a Comment