Java keytool

• Download the CA certificate from the proxy and convert it to PEM format:

  /usr/java/default/bin/keytool -import -trustcacerts -file  -alias CA_ALIAS -keystore /usr/java/default/lib/security/cacerts -storepass changeit
  

More:

• The Most Common Java Keytool Keystore Commands – http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
• keytool – Key and Certificate Management Tool – http://docs.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html

OpenSSL

• HTTPS server banner:

  openssl s_client -connect:IPAddress:443

  after connection is established, type in “HEAD / HTTP/1.0” and press enter.
  
  Alternative:

  echo -e "HEAD / HTTP/1.0\n\n" | openssl s_client -quiet -connect IPAddress:443

• NTTPS server banner

  openssl s_client -connect:IPAddress:563
  

• IMAPS server banner:

  openssl s_client -connect:IPAddress:993
  

• POP3S server banner:

  openssl s_client -connect:IPAddress:995
  

• Identifying SSL cyphers:

  openssl s_client -connect website:443 -cipher EXPORT40
  openssl s_client -connect website:443 -cipher NULL
  openssl s_client -connect website:443 -cipher HIGH
  

• Generating password hash four unix:

  openssl passwd -1 -salt QIGCa pippo
  

  output: $1$QIGCa$/ruJs8AvmrkmzKTzM2TYE.

• Converting a PKCS12-encoded (or .pfx) certificate to PEM format:

  openssl pkcs12 -in CertFile.p12  -out NewCertFile.pem   -nodes. -cacerts
  

• Converting a DER-encoded certificate to PEM format:

  openssl x509  -in CertFile.crt.  -inform DER  -out NewCertName.pem   -outform PEM
  

• Download a proxy’s public certificate:

  openssl s_client-connect ProxyHostname:port   proxycert.pem
  

• Create a key:

  openssl genrsa -des3 -out server.key 1024
  

• Create a CSR (certificate signing request):

  openssl req -new -key server.key -out server.csr
  

• Remove a password from a key:

  cp server.key server.key.org
  openssl rsa -in server.key.org -out server.key
  

• Sign the CSR and create the certificate:

  openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  cat server.crt server.key > certificate.pem
  

• Encrypting a file:

  cat INFILE | openssl aes-256-ecb -salt -k PASSWORD > INFILE.ssl
  

• Decrypting a file:

  cat INFILE.ssl | openssl aes-256-ecb -d -k PASSWORD > INFILE
  

Passwords related postings

Generating password hashes

• Generating unix-style MD5 hash: openssl passwd -1 -salt QIGCa pippo
  • produces: $1$QIGCa$/ruJs8AvmrknzKTzM2TYE.
• generating password hash using system’s native crypt() command: perl -e ‘print crypt(“pippo”, “\$1\$QIGCa”),”\n”‘
  • produces: $1Su6NR9CFU/6
• Using Python’s Passlib library (http://packages.python.org/passlib/):
  • Install Python (e.g. in Cygwin)
  • Install Passlib library following instructions at http://packages.python.org/passlib/install.html
  • start Python: python
  • Calculate the SHA256 hash of the word Password:
    

    >>> from passlib.hash import sha256_crypt
    >>> hash = sha256_crypt.encrypt("password")
    >>> hash
    '$5$rounds=80000$9GPMLb8EE.1QFrUk$Y0XQiZRKMhOrB2GcfCeWREG.x3jCfa5pbmxSO/hjCE3'
    >>> sha256_crypt.encrypt("password")
    '$5$rounds=80000$9fjOxTQNeyPhsCvp$XmyKju3TfWUEPXGPXMZ6sIPcv26Uok7NLPyZhx5g7R9'
    >>> sha256_crypt.encrypt("password", rounds=12345)
    '$5$rounds=12345$Kk9DTJPMRyxGFB3q$7tdzdJXq4YRu7ms6PGo7zTlOHVwYOQO1aUeUsZ3Mrl5'
    >>> sha256_crypt.verify("password", hash)
    True
    >>> sha256_crypt.verify("letmeinplz", hash)
    False
      

  • Generating BouncyCastle SHA1-512 hashes for use in Atlassian JIRA:
    

    >>> from passlib.hash import atlassian_pbkdf2_sha1
    >>> atlassian_pbkdf2_sha1.encrypt("password")
    '{PKCS5S2}fU8ppRTCuJeS8n7PGYOQMhVqZ4hUidTIiWI4K8R8IBOXm/lYywaouSLtvlTeTr3V'
    >>> atlassian_pbkdf2_sha1.encrypt("password")
    '{PKCS5S2}+X+PMcYYAwBAKIWwFsJY639EipU1NXJfc1jKC5VYHZV7zoDI4zTEpKO4xZQoegg1'
    >>> atlassian_pbkdf2_sha1.encrypt("password")
    '{PKCS5S2}1Nq7N2YM4ZyTstZaSynlnGGh2rgAG+b7SB+9xreszUhrE39BnfwNg2RGm6tqvDg2'
    >>> atlassian_pbkdf2_sha1.encrypt("password")
    '{PKCS5S2}bu1dK0WotXYuBaB0bo2RslxMAp4JawLofUFw4S5fZdAtfsm3Ats6kO6j5NaHZCdt'
    >>> atlassian_pbkdf2_sha1.encrypt("password")
    '{PKCS5S2}z/mfc47xvjcm5Ny7dw7BeExB68Oc4XiTJvUS5HRAadKr4/Aomn1WOMMrMWtikUPK'
      

  • Supported hashing algorithms:
    • Archaic Unix Schemes:
      • passlib.hash.des_crypt – DES Crypt
      • passlib.hash.bsdi_crypt – BSDi Crypt
      • passlib.hash.bigcrypt – BigCrypt
      • passlib.hash.crypt16 – Crypt16
    • Standard Unix Schemes:
      • passlib.hash.md5_crypt – MD5 Crypt
      • passlib.hash.bcrypt – BCrypt
      • passlib.hash.sha1_crypt – SHA-1 Crypt
      • passlib.hash.sun_md5_crypt – Sun MD5 Crypt
      • passlib.hash.sha256_crypt – SHA-256 Crypt
      • passlib.hash.sha512_crypt – SHA-512 Crypt
    • Other Modular Crypt Schemes:
      • passlib.hash.apr_md5_crypt – Apache’s MD5-Crypt variant
      • passlib.hash.phpass – PHPass’ Portable Hash
      • passlib.hash.pbkdf2_digest – Generic PBKDF2 Hashes
      • passlib.hash.cta_pbkdf2_sha1 – Cryptacular’s PBKDF2 hash
      • passlib.hash.dlitz_pbkdf2_sha1 – Dwayne Litzenberger’s PBKDF2 hash
      • passlib.hash.scram – SCRAM Hash
      • passlib.hash.bsd_nthash – FreeBSD’s MCF-compatible nthash encoding
      • passlib.hash.unix_disabled – Unix Disabled Account Helper
    • Standard LDAP (RFC2307) Schemes:
      • passlib.hash.ldap_md5 – MD5 digest
      • passlib.hash.ldap_sha1 – SHA1 digest
      • passlib.hash.ldap_salted_md5 – salted MD5 digest
      • passlib.hash.ldap_salted_sha1 – salted SHA1 digest
      • passlib.hash.ldap_crypt – LDAP crypt() Wrappers
      • passlib.hash.ldap_plaintext – LDAP-Aware Plaintext Handler
    • Non-Standard LDAP Schemes:
      • passlib.hash.ldap_hex_md5 – Hex-encoded MD5 Digest
      • passlib.hash.ldap_hex_sha1 – Hex-encoded SHA1 Digest
      • passlib.hash.ldap_pbkdf2_digest – Generic PBKDF2 Hashes
      • passlib.hash.atlassian_pbkdf2_sha1 – Atlassian’s PBKDF2-based Hash
      • passlib.hash.fshp – Fairly Secure Hashed Password
      • passlib.hash.roundup_plaintext – Roundup-specific LDAP Plaintext Handler
    • SQL Database Hashes:
      • passlib.hash.mssql2000 – MS SQL 2000 password hash
      • passlib.hash.mssql2005 – MS SQL 2005 password hash
      • passlib.hash.mysql323 – MySQL 3.2.3 password hash
      • passlib.hash.mysql41 – MySQL 4.1 password hash
      • passlib.hash.postgres_md5 – PostgreSQL MD5 password hash
      • passlib.hash.oracle10 – Oracle 10g password hash
      • passlib.hash.oracle11 – Oracle 11g password hash
    • MS Windows Hashes:
      • passlib.hash.lmhash – LanManager Hash
      • passlib.hash.nthash – Windows’ NT-HASH
      • passlib.hash.msdcc – Windows’ Domain Cached Credentials
      • passlib.hash.msdcc2 – Windows’ Domain Cached Credentials v2
    • Other Hashes:
      • passlib.hash.cisco_pix – Cisco PIX hash
      • passlib.hash.cisco_type7 – Cisco “Type 7” hash
      • passlib.hash.django_digest – Django-specific Hashes
      • passlib.hash.grub_pbkdf2_sha512 – Grub’s PBKDF2 Hash
      • passlib.hash.hex_digest – Generic Hexdecimal Digests
      • passlib.hash.plaintext – Plaintext
    • Cisco “Type 5” hashes

Passphrase Hashes

• Passphrase Hashes – http://www.users.zetnet.co.uk/hopwood/crypto/scan/ph.html
• Authenticators (= magic strings = marker strings): When a passphrase is verified, the first few characters of the authenticator [= “magic”] determine which mechanism is used:
  • If the first character is not “$” or “_”, the traditional crypt3 is used. 2 chars salt. Only the first 8 chars of the passwords are used.
  • “$1$”: MD5-crypt is used. [Linux, BSD]. Salt up to 8 chars long.
  • “$2$”: Blowfish is used. [Linux] – OBSOLETE
  • “$2a$”, bcrypt is used. NOTE: Some sources indicate use of Blowfish (OpenBSD) or eksblowfish.
  • “$2x$” or “$2y$”, Blowfish is used.
  • “$3$”, NT-hashman [FreeBSD] or depecated/broken SHA-256
  • “$4$”, depecated/broken SHA-512
  • “$5$”, SHA-256 [Linux]. Salt up to 16 chars long.
  • “$6$”, SHA-512 [Linux]. Salt up to 16 chars long.
  • Unknown: “$9$”, “$9a$”, $15abc$, $apr1$
  • “$md5$”: Sun MD5

Sources:

• http://stackoverflow.com/questions/6366897/hashing-a-string-using-the-algorithm-that-linux-uses-to-hash-users-passwords
• http://commons.apache.org/codec/apidocs/org/apache/commons/codec/digest/Crypt.html
• Unix crypt using SHA-256 and SHA-512 – http://www.akkadia.org/drepper/SHA-crypt.txt
• Bug 811753 – crypt() is broken in fips mode – https://bugzilla.redhat.com/show_bug.cgi?id=811753
• crypt(3) – Paper over sizeof()/strlen() bug causing 32/64-bit issues – http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/5108d56f29e4e338650bc6fd479474ae383acb46
• Password hashing weakness in DF – https://bugs.dragonflybsd.org/issues/2278

Articles

• Salt (cryptography) – http://en.wikipedia.org/wiki/Salt_%28cryptography%29
• Shadow password (Ubuntu Forums) – http://ubuntuforums.org/showthread.php?p=5318038
• “Storing Passwords – done right!” by Christoph Wille (translated by Bernhard Spuida) (2004.01.05) – http://www.aspheute.com/english/20040105.asp

---

Passwords related postings at this blog:

• Stages of checking password crackability – https://eikonal.wordpress.com/2010/07/13/stages-of-checking-password-crackability/
• Enforcing password virtues in Linux – https://eikonal.wordpress.com/2010/07/13/pam_cracklib/
• Password expiration script for Unix – https://eikonal.wordpress.com/2011/05/03/password-expiration-script-for-unix/
• PAM (Pluggable Authentication Modules) – https://eikonal.wordpress.com/2011/03/11/pam
• Password generators – https://eikonal.wordpress.com/2010/07/04/password-generators/
• Cracking Kerberos passwords – https://eikonal.wordpress.com/2010/06/17/cracking-kerberos-passwords/
• John the Ripper – https://eikonal.wordpress.com/2010/05/25/john-the-ripper/
• Cisco “password 7″ decryption – C code – https://eikonal.wordpress.com/2010/05/21/cisco-%E2%80%9Cpassword-7%E2%80%B3-decryption-%E2%80%93-c-code
• Cisco “password 7″ – https://eikonal.wordpress.com/2010/05/21/cisco-%E2%80%9Cpassword-7%E2%80%B3/
• Personal computer security > Passwords management – https://eikonal.wordpress.com/2011/02/28/personal-computer-security/
• Cryptography resources > Hash algorithms > Passphrase Hashes – https://eikonal.wordpress.com/2010/03/17/cryptography-resources/

Steganography

• “New Tool Hides Data In Plain Sight On HDDs” (SlashDot; 2011.04.25) – http://it.slashdot.org/story/11/04/25/1558237/New-Tool-Hides-Data-In-Plain-Sight-On-HDDs
  “A group of researchers has developed a new application that can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present. The new steganography system relies on the old principle of hiding valuables in plain sight. Developed by a group of academic researchers in the US and Pakistan, the system can be used to embed secret data in existing structures on a given HDD by taking advantage of the way file systems are designed and implemented. The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive.”
  • “Researchers Propose New Steganography System for Hiding Data” by Dennis Fisher (Threat Post)- https://threatpost.com/en_us/blogs/researchers-propose-new-steganography-system-hiding-data-042511
    • “Designing a cluster-based covert channel to evade disk investigation and forensic” by Hassan Khana, Mobin Javedb, Syed Ali Khayamb and Fauzan Mirzab – http://www.sciencedirect.com/

SSL tools

• SSLSNIFF by Thoughtcrime Labs – http://www.thoughtcrime.org/software/sslsniff/

Library of embeded devices’ hard-wired SSL keys

• “Database of Private SSL Keys Published” (SlashDot; 2010.12.22) – http://it.slashdot.org/article.pl?sid=10/12/20/1414210
• “Group Publishes Database of Embedded Private SSL Keys” by Dennis Fisher (ThreatPost; 2010.12.20) – https://threatpost.com/en_us/blogs/group-publishes-database-embedded-private-ssl-keys-122010
• “Breaking SSL on Embedded Devices” – http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/
• “Default SSL Keys in Multiple Routers” by Craig Heffner (Full Disclosure mail list; 2010.12.18) – http://seclists.org/fulldisclosure/2010/Dec/492
• LittleBlackBox code – http://littleblackbox.googlecode.com | http://code.google.com/p/littleblackbox/

Skype protocol(s?) cracked

• “Skype’s Biggest Secret Revealed” by Sean O’Neil (2010.07.07) – http://www.enrupt.com/index.php/2010/07/07/skype-biggest-secret-revealed
  • code: http://cryptolib.com/ciphers/skype/
• “Skype’s Innermost Security Layers Claimed To Be Reverse-Engineered” by Robin Wauters (2010.07.08) – http://techcrunch.com/2010/07/08/skypes-innermost-security-layers-claimed-to-be-reverse-engineered/

Cisco “password 7″ decryption – C code

Source: http://insecure.org/sploits/cisco.passwords.html

---

Description:	Cisco passwords can be trivially decrypted although this isn't really the fault of Cisco (since the router itself needs to be able to decrypt them).
Author:	Jared Mauch 
Compromise:	Obtain extra access to Cisco routers
Vulnerable Systems:	Cisco routers
Date:	11 November 1997 

/* This code is originally from a Bugtraq post by Jared Mauch . I patched it with an improved translation table by Janos Zsako -Fyodor (fyodor@insecure.org) */ #include #include char xlat[] = { 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53 , 0x55, 0x42 }; char pw_str1[] = " password 7 "; char pw_str2[] = "enable password 7 "; char pw_str3[] = "ip ftp password 7 "; char pw_str4[] = " ip ospf message-digest-key 1 md5 7 "; char *pname; cdecrypt(enc_pw, dec_pw) char *enc_pw; char *dec_pw; { unsigned int seed, i, val = 0; if(strlen(enc_pw) & 1) return(-1); seed = (enc_pw[0] - '0') * 10 + enc_pw[1] - '0'; if (seed > 15 || !isdigit(enc_pw[0]) || !isdigit(enc_pw[1])) return(-1); for (i = 2 ; i = 'A' && enc_pw[i] <= 'F') { val += enc_pw[i] - 'A' + 10; continue; } if(strlen(enc_pw) != i) return(-1); } dec_pw[++i / 2] = 0; return(0); } usage() { fprintf(stdout, "Usage: %s -p \n", pname); fprintf(stdout, " %s \n", pname); return(0); } main(argc,argv) int argc; char **argv; { FILE *in = stdin, *out = stdout; char line[257]; char passwd[65]; unsigned int i, pw_pos; pname = argv[0]; if(argc > 1) { if(argc > 3) { usage(); exit(1); } if(argv[1][0] == '-') { switch(argv[1][1]) { case 'h': usage(); break; case 'p': bzero(passwd, sizeof(passwd)); if(cdecrypt(argv[2], passwd)) { fprintf(stderr, "Error.\n"); exit(1); } fprintf(stdout, "password: %s\n", passwd); break; default: fprintf(stderr, "%s: unknow option.", pname); } return(0); } if((in = fopen(argv[1], "rt")) == NULL) exit(1); if(argc > 2) if((out = fopen(argv[2], "wt")) == NULL) exit(1); } while(1) { for(i = 0; i < 256; i++) { if((line[i] = fgetc(in)) == EOF) { if(i) break; fclose(in); fclose(out); return(0); } if(line[i] == '\r') i--; if(line[i] == '\n') break; } pw_pos = 0; line[i] = 0; if(!strncmp(line, pw_str1, strlen(pw_str1))) pw_pos = strlen(pw_str1); if(!strncmp(line, pw_str2, strlen(pw_str2))) pw_pos = strlen(pw_str2); if(!strncmp(line, pw_str3, strlen(pw_str3))) pw_pos = strlen(pw_str3); if(!strncmp(line, pw_str4, strlen(pw_str4))) pw_pos = strlen(pw_str4); if(!pw_pos) { fprintf(stdout, "%s\n", line); continue; } bzero(passwd, sizeof(passwd)); if(cdecrypt(&line[pw_pos], passwd)) { fprintf(stderr, "Error.\n"); exit(1); } else { if(pw_pos == strlen(pw_str1)) fprintf(out, "%s", pw_str1); else if (pw_pos == strlen(pw_str2)) fprintf(out, "%s", pw_str2); else if (pw_pos == strlen(pw_str3)) fprintf(out, "%s", pw_str3); else if (pw_pos == strlen(pw_str4)) fprintf(out, "%s", pw_str4); fprintf(out, "%s\n", passwd); } } }

---

Also see http://freeworld.thc.org/root/tools/ciscocrack.c

---

Related: https://eikonal.wordpress.com/2010/05/21/cisco-%e2%80%9cpassword-7%e2%80%b3/

Cisco “password 7″

• “How do I Decrypt Cisco Passwords?” – http://www.topbits.com/decrypt-cisco-passwords.html
• Cisco password decryption – http://insecure.org/sploits/cisco.passwords.html

---

Local info:

• Cisco “password 7″ decryption – Perl code (2010.01.28) – https://eikonal.wordpress.com/2010/01/28/ciso-password-7-decryption-perl-code/
• Cisco “Password 7″ Cracker – javascript code (2010.01.07) – https://eikonal.wordpress.com/wp-admin/post-new.php
• Cisco “Password 7″ Cracker – C code (2010.05.21) – https://eikonal.wordpress.com/2010/05/21/cisco-%e2%80%9cpassword-7%e2%80%b3-decryption-%e2%80%93-c-code/

Cryptography resources

Sites

• Cryptology ePrint Archive – http://eprint.iacr.org/
• Cryptolib.com – http://cryptolib.com/ | Ciphers: http://cryptolib.com/ciphers/
• Standard Cryptographic Algorithm Naming (Version 1.0.20a – 22 October, 2002) – http://weidai.com/scan-mirror/intro.html
• Cryptography Algorithms at Galaxy.com search engine – http://www.galaxy.com/dir962470/Algorithms.htm
• Cypherspace by Adam Back – http://www.cypherspace.org/

Historic cyphers

• The “Copiale Cipher” by Kevin Knight, Beáta Megyesi, Christiane Schaefer – http://stp.lingfil.uu.se/~bea/copiale/
  • “How Revolutionary Tools Cracked a 1700s Code” by John Markoff (The New York Times; 2011.10.24) – http://www.nytimes.com/2011/10/25/science/25code.html?_r=1

Hash algorithms

• Passphrase Hashes – http://www.users.zetnet.co.uk/hopwood/crypto/scan/ph.html

  • Authenticators: When a passphrase is verified, the first few characters of the authenticator [= “magic”] determine which mechanism is used:
    • If the first three characters are “$1$”, MD5-crypt is used.
    • If the first four characters are “$2a$”, bcrypt is used.
    • If the first character is not “$” or “_”, Traditional-crypt3 is used.

• The HashClash website – http://www.win.tue.nl/hashclash/ – hash algorithms collisions

RSA

• export-a-crypto-system sig – http://www.cypherspace.org/rsa/, http://www.cypherspace.org/rsa/rsa-details.html – a Perl 3-line implementation of RSA encryptor and decryptor.

  #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)

  A 2-line version:

  print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*", )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

  • Use:
    • Encryption: echo “squeamish ossifrage” | rsa -k=10001 -n=1967cb529 > msg.rsa
    • Decryption: % rsa -d -k=ac363601 -n=1967cb529 < msg.rsa
  • requires GNU dc (http://www.cypherspace.org/rsa/dc.html)

  .

Cisco “Password 7” Cracker – javascript code

Source: http://www.ifm.net.nz/cookbooks/passwordcracker.html

<script language="JavaScript1.2" type="text/javascript"> <!-- // Is the character a digit? function isDigit(theDigit) { var digitArray = new Array('0','1','2','3','4','5','6','7','8','9') for (j = 0; j < digitArray.length; j++) { if (theDigit == digitArray[j]) return true } return false } // Generate a config file ready for loading function crackPassword(form) { var crypttext=form.crypttext.value.toUpperCase() var plaintext='' var xlat="dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87" var seed, i, val=0 if(crypttext.length & 1) return seed = (crypttext.charCodeAt(0) - 0x30) * 10 + crypttext.charCodeAt(1) - 0x30 if (seed > 15 || !isDigit(crypttext.charAt(0)) || !isDigit(crypttext.charAt(1))) return for (i = 2 ; i <= crypttext.length; i++) { if(i !=2 && !(i & 1)) { plaintext+=String.fromCharCode(val ^ xlat.charCodeAt(seed++)) seed%=xlat.length val = 0; } val *= 16 if(isDigit(crypttext.charAt(i))) { val += crypttext.charCodeAt(i) - 0x30 continue } if(crypttext.charCodeAt(i) >= 0x41 && crypttext.charCodeAt(i) <= 0x46) { val += crypttext.charCodeAt(i) - 0x41 + 0x0a continue } if(crypttext.length != i) return } form.plaintext.value=plaintext } --> </script> <form name="never-you-mind" id="never-you-mind" action="#"> <table border="1"> <tbody><tr><td> <p> Type 7 Password: <input name="crypttext" size="60" type="text"> </p> <p> <input value="Crack Password" onclick="crackPassword(this.form)" type="button"> </p> <p>Plain text: <input name="plaintext" size="40" type="text"> </p> </td></tr></tbody></table> </form>

---

Related: https://eikonal.wordpress.com/2010/05/21/cisco-%e2%80%9cpassword-7%e2%80%b3/