SANS Penetration Testing

Ever Crack a Password using a Cisco Device?*

[Editor's Note: Here's a short but sweet article by Tim Medin on using Cisco IOS's own capabilities for decoding Type 7 passwords. Now, you might think — "Why don't I just use one of the conversion websites on the Internet for decoding that?" Or, "I know a free downloadable hacker tool that does just that." But, in some environments, taking sensitive passwords from devices and pasting them into free web-based tools or even downloaded computer attack tools is a BIG HUGE no-no, as you may be leaking some sensitive info to places you shouldn't be. Tim's technique lets you use the router itself to decode the password. Simple, fun, and effective. Thanks, Tim! -Ed.]

If you've done penetration testing for a while, you probably already know that the Cisco Type 7 password is easily reversible. The password is encrypted (not hashed) using the Vigenère cipher, which dates to the 16th century. Moreover, the static key is known to the world (it's dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87, if you are wondering; you can memorize that if you want and impress your friends at the next Hacker Jeopardy event you attend).

There are plenty of tools to reverse this password, but who needs them when you have a Cisco device handy? Yes, you can reverse the password right on the Cisco device! Lemme show you how.

If we have the encrypted value of 0539030E2D405725490B10220A1F173D24362C72, here are the commands to decrypt the password on your Cisco device:

    cisco# conf t
    cisco(config)# key chain thisisatest
    cisco(config-keychain)# key 1
    cisco(config-keychain)# key-string 7 0539030E2D405725490B10220A1F173D24362C72
    cisco(config-keychain)# ctrl+z
    cisco# show key chain
    Key-chain thisisatest:
        key 1 -- text "ReallyL0ngPassword!"

We start by entering configuration mode via "conf t" (short for configure terminal). We then create a new key chain named "thisisatest" (the name doesn't matter) and add key 1 to it. We then tell the device that we are providing a key-string and that it is a type 7 password. Finally, we exit configuration mode with ctrl+z and display the key chain. Boom, the password is ReallyL0ngPassword!.

Since you were likely not born in a barn, and your mom doesn't work here, you should clean up after yourself. To do this simply enter back into configuration mode and remove the keychain with the "no" prefix to the command.

    cisco# conf t
    cisco(config)# no key chain thisisatest
    cisco(config-keychain)# ctrl+z

Super easy, and you don't have to download a tool or expose the password to some random site on the internet.
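For auditing a saved configuration when no device is at hand, the same decode can be done offline (an added example, not part of the original article). A Type 7 string is two decimal digits giving the starting offset into the static key quoted above, followed by hex bytes that are each XORed with successive key bytes. The `audit_config` helper, the regular expression and the sample configuration are constructed for illustration; only the key and the key-string value come from the article.

```python
import re

# Static Type 7 key exactly as quoted in the article (53 bytes).
KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# "password 7 <hex>" and "key-string 7 <hex>" are the forms this sketch looks for.
TYPE7 = re.compile(r"\b(password|key-string)\s+7\s+([0-9A-Fa-f]+)\s*$")

def decode_type7(encoded):
    """Two decimal digits give the starting key offset; the rest is hex
    ciphertext, each byte XORed with successive key bytes (wrapping)."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdecimal():
        raise ValueError("malformed Type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ KEY[(offset + i) % len(KEY)] for i, b in enumerate(data))
    return plain.decode("ascii", errors="replace")

def audit_config(text):
    """Return (line_number, keyword, plaintext_or_None) for every Type 7 entry."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = TYPE7.search(line)
        if not match:
            continue
        try:
            plaintext = decode_type7(match.group(2))
        except ValueError:
            plaintext = None  # looks like Type 7 but cannot be decoded
        findings.append((number, match.group(1), plaintext))
    return findings

# Constructed sample configuration; only the key-string value comes from the article.
SAMPLE_CONFIG = """\
hostname lab-router
enable secret 5 $1$CONSTRUCTED$placeholderhashplaceholder
key chain thisisatest
 key 1
  key-string 7 0539030E2D405725490B10220A1F173D24362C72
line vty 0 4
 password 7 05390
"""

if __name__ == "__main__":
    for number, keyword, plaintext in audit_config(SAMPLE_CONFIG):
        status = "reversible, migrate or rotate" if plaintext else "malformed"
        print(f"line {number}: {keyword} 7 -> {plaintext!r} ({status})")
```

Every line the audit reports with a plaintext is a credential that anyone holding the configuration file can read, so treat such files as containing cleartext passwords.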

*For pedantic people: No, it isn't technically cracking, but the title of "Have you ever decrypted terrible, 1500s era enciphered passwords on a Cisco Systems, Inc.** network device?" would have been terrible.

** Cisco® and Cisco Systems, Inc® are registered trademarks in the United States and certain other countries.***

*** Yes, Canada is another country. I learned that when I went through Canadian customs.****

**** Never tell a customs agent, "You take this whole other country thing very seriously, huh?"

Join me for SEC560: Network Penetration Testing and Ethical Hacking at
SANS Boston 2013! Boston, MA on Monday, Aug 5 - Saturday, Aug 10, 2013 or
SANS Golden Gate 2013 San Francisco, CA on Dec 16, 2013 - Dec 21, 2013.

-Tim Medin
Counter Hack

6 Comments

Posted September 18, 2013 at 6:25 PM | Permalink | Reply

Abuzaid

Very informative, I have been looking for this for some time. Have been working with Cisco devices for over 15 years, but never thought of this trick to decrypt messages.

Posted September 19, 2013 at 4:10 PM | Permalink | Reply

Tim Medin

Abuzaid, I'm glad we could help.

Posted December 28, 2013 at 6:38 AM | Permalink | Reply

aneesh ahmad

Thanks for the post and the information. Good to know.

Posted November 4, 2015 at 2:21 AM | Permalink | Reply

bouwtekening tuinhuis

Way cool! Some very valid points! I appreciate you penning
this article plus the rest of the site is extremely good.

Posted November 9, 2015 at 3:35 AM | Permalink | Reply

Juanita

I think the admin of this site is really working hard in favor of his web site, since here every data is quality based data.
