Cisco - 
The Pilot Cisco Decryptor was done as a trivial exercise in writing Pilot
applications back in November 1997. As it turns out, Cisco passwords of
type 7 are only trivially encoded by XOR'ing the plaintext password
against a constant value.

Having finished a FORTH implementation of the 'decryptor' we figured it
would be cute to have a little GUI around a C implementation.

Here's how the actual Cisco implementation works:

password 7 08204E - is a standard-looking Cisco password entry.

The first two digits are a decimal representation of a nibble (i.e. 0-15 or
0-F). Each following pair of digits is the hex representation of one byte of
the plaintext password XOR'd against the constant value. In this case 0x20
gets XOR'd against 0x41, which results in 'a'. 0x4E gets XOR'd against 0x2C,
which begets 'b'.

The first two digits representing the nibble are the offset into the
constant value for the start of the XOR'ing. For each subsequent byte the
position in the constant value is just incremented by one.

What's the constant value? After much playing around in setting passwords
on a Cisco it turns out that the constant value is:

  tfd;kfoA,.iyewrkldJKD

Thus in the above example 08 is the index into this, which ends up being
'A' or 0x41.

Please note that the l0pht pilot cisco decryptor is pre-alpha release. (I
prefer the FORTH implementation which we will put up on the web shortly -
nice thing is that you can store it in your OpenBoot prom on SUN's :-)

Here are some sample values to plug into the application:
08204E  - ab
1513090F - abc
104F0B1A011214 - abcdef
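
The decoding steps described above, written out as an added C example (not the L0pht Pilot or FORTH code); it shows that a type 7 string in a saved config has to be handled as if it were the plaintext. The names type7_decode and hexval are made up for this example, and it assumes the two-digit offset counts positions in the constant from 1, which is the reading under which 08 lands on 'A' and the samples above decode.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constant exactly as printed on this page (21 characters). */
static const char KEY[] = "tfd;kfoA,.iyewrkldJKD";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = toupper(c);
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/*
 * Decode a type 7 string such as "08204E" into out (NUL-terminated).
 * Returns the plaintext length, or -1 on malformed input or when the
 * password would run past the end of the constant shown on the page.
 * Assumption: the offset counts positions in KEY from 1 (08 -> 'A').
 */
int type7_decode(const char *enc, char *out, size_t outsz)
{
    size_t len = strlen(enc), n, i, off;
    if (len < 4 || len % 2 != 0) return -1;
    if (!isdigit((unsigned char)enc[0]) || !isdigit((unsigned char)enc[1]))
        return -1;
    off = (size_t)(enc[0] - '0') * 10 + (size_t)(enc[1] - '0'); /* decimal */
    n = (len - 2) / 2;                       /* one byte per hex pair */
    if (off < 1 || off > 15) return -1;      /* offset is a nibble, no slot 0 */
    if (off - 1 + n > sizeof(KEY) - 1 || n + 1 > outsz) return -1;
    for (i = 0; i < n; i++) {
        int hi = hexval((unsigned char)enc[2 + 2 * i]);
        int lo = hexval((unsigned char)enc[3 + 2 * i]);
        if (hi < 0 || lo < 0) return -1;     /* not a hex digit */
        out[i] = (char)(((hi << 4) | lo) ^ KEY[off - 1 + i]);
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    const char *samples[] = { "08204E", "1513090F", "104F0B1A011214" };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (type7_decode(samples[i], buf, sizeof buf) >= 0)
            printf("%s -> %s\n", samples[i], buf);
    return 0;
}
```
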

.mudge

L0pht Heavy Industries
http://www.l0pht.com (ell-zero-ph-t)
