Saturday, September 11, 2010

Cisco 'show everything' and password cracking

To do a 'show everything' on a Cisco device, use 'show tech-support'. This includes show run, process listings, interface info, and basically every bit of information you can get through running other commands. Note that type 7 user passwords (see below) are automatically sanitised from the output.

Cisco still uses a terrible password encryption scheme for user passwords that can be trivially cracked. The following user password uses the weak encryption (you can tell by the number 7 preceding the hash):
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
While user passwords are encrypted using this weak scheme, enable secrets are salted MD5 hashes that look like this (note the 5):
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
Cisco is stuck using the reversible encryption scheme for the near future due to the need to support certain authentication protocols (notably CHAP).

Enable (MD5) passwords can be cracked using standard tools such as John the Ripper or rainbow tables.

Type 7 passwords can be cracked with the following simple Perl script.
#!/usr/bin/perl -w
# $Id: ios7decrypt.pl,v 1.1 1998/01/11 21:31:12 mesrik Exp $
#
# Credits for original code and description hobbit@avian.org,
# SPHiXe, .mudge et al. and for John Bashinski
# for Cisco IOS password encryption facts.
#
# Use for any malice or illegal purposes strictly prohibited!
#
use strict;

# Fixed key that IOS XORs the password bytes against. The original table held
# only the first 26 bytes of it, so anything reaching past index 25 (the
# 23-character example in this post, with its salt of 7, does) came out garbled.
# This is the full 53-byte key.
my @xlat = map { ord } split //,
    'dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87';

while (<>) {
    # "password 7 <hex>" or "md5 7 <hex>" (e.g. routing-protocol neighbour keys)
    if (/(password|md5)\s+7\s+([\da-f]+)/i) {
        my $ep = $2;
        if (!(length($ep) & 1)) {          # must be an even number of hex digits
            # First two digits are the starting offset into the key,
            # the rest are the XORed password bytes.
            my ($s, $e) = ($ep =~ /^(..)(.+)/);
            my $k  = $s + 0;               # force numeric, not string increment
            my $dp = '';
            for (my $i = 0; $i < length($e); $i += 2) {
                # wrap around the key for very long inputs, as most decoders do
                $dp .= sprintf "%c", hex(substr($e, $i, 2)) ^ $xlat[$k++ % @xlat];
            }
            s/7\s+\Q$ep\E/$dp/;            # replace the hash with the cleartext
        }
    }
    print;
}
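The defender's counterpart to the script above, added here as an example that is not part of the original post: scan a saved running-config, report every stored credential by type, and point out where 'password' should have been 'secret'. The config text is constructed for the example (only the two hashes quoted in the post are real); the regex and severity labels are this example's own.

```python
import re

# Constructed sample running-config for this example: the 'enable secret' and
# 'username jdoe' lines are the post's own, the rest are made up.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username backup privilege 15 password 0 letmein
username ops secret 5 $1$XXXX$placeholder.hash.for.example...
line vty 0 4
 password 7 0822455D0A16
"""

# 'username <u> [privilege N]', 'enable', or bare 'password ...' under a line/vty
CRED_RE = re.compile(
    r'^\s*(?P<ctx>username\s+\S+(?:\s+privilege\s+\d+)?|enable|)\s*'
    r'(?P<kw>password|secret)\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$',
    re.IGNORECASE)

# Per the post: 0 = cleartext; 7 = XOR against a fixed key; 5 = salted MD5.
TYPE_RISK = {
    '0': ('high', 'cleartext'),
    '7': ('high', 'type 7 reversible encryption, trivially decoded'),
    '5': ('medium', 'type 5 salted MD5, crackable offline with John the Ripper'),
}

def audit_config(config):
    """Return (line_no, context, severity, reason) for each credential line."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        if line.strip().lower() == 'service password-encryption':
            findings.append((no, 'global', 'info',
                             'only turns cleartext into type 7, not a hash'))
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        ctx = ' '.join(m.group('ctx').split()[:2]).lower() or 'line'
        ptype = m.group('type') or '0'           # no type number means cleartext
        severity, reason = TYPE_RISK.get(ptype, ('info', 'type %s, unrecognised' % ptype))
        if m.group('kw').lower() == 'password' and ctx != 'line':
            # the 'password' keyword never yields a one-way hash; 'secret' does
            reason += "; use '%s secret' instead" % ctx.split()[0]
        findings.append((no, ctx, severity, reason))
    return findings

def worst_severity(findings):
    rank = {'info': 0, 'medium': 1, 'high': 2}
    return max((f[2] for f in findings), key=rank.get, default='info')
```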
