I spent a lot of time the other night trying to find a perl script that would decode Cisco type 7 password hashes and many of them did not work properly. At first I thought I was doing something wrong however I am pretty sure that most of the scripts were just broken. Anyhow I finally located the below script on some site and I can’t remember where I found it so I wanted to post it here mostly for reference however if someone else finds it useful then that would be great. Below is the actual script itself followed by an example of using the script.

**UPDATE** Script was located from this site and has updates with more features.

Perl Script That Takes Cisco Type 7 Hash And Returns The Password:

#!/usr/bin/perl
use File::Copy;

############################################################################
# Vigenere translation table
############################################################################
@V=(0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
    0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
    0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39,
    0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33,
    0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37);
############################################################################

############################################################################
# Usage guidelines
############################################################################
if ($ARGV[0] eq ""){
   print "This script reveals the IOS passwords obfuscated using the Vigenere algorithm.n";
   print "n";
   print "Usage guidelines:n";
   print " cdecrypt.pl 04480E051A33490E     # Reveals a single passwordn";
   print " cdecrypt.pl running-config.rcf   # Changes all passwords in a file to cleartextn";
   print "                                  # Original file stored with .bak extensionn";
}

############################################################################
# Process arguments and execute
############################################################################
if(open(F,"<$ARGV[0]")){    # If argument passed can be opened then convert a file
  open(FO,">cdcout.rcf") || die("Cannot open 'cdcout.rcf' for writing ($!)n");
  while(<F>){
    if (/(.*passwords)(7s)([0-9a-fA-F]{4,})/){     # Find password commands
      my $d=Decrypt($3);                             # Deobfuscate passwords
      s/(.*passwords)(7s)([0-9a-fA-F]{4,})/$1$d/;  # Remove '7' and add cleartext password
    }
    print FO $_;
  }
  close(F);
  close(FO);
  copy($ARGV[0],"$ARGV[0].bak")||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'");
  copy("cdcout.rcf",$ARGV[0])||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'");
  unlink "cdcout.rcf";
}else{                      # If argument passed cannot be opened it is a single password
  print Decrypt($ARGV[0]) . "n";
}

############################################################################
# Vigenere decryption/deobfuscation function
############################################################################
sub Decrypt{
  my $pw=shift(@_);                             # Retrieve input obfuscated password
  my $i=substr($pw,0,2);                        # Initial index into Vigenere translation table
  my $c=2;                                      # Initial pointer
  my $r="";                                     # Variable to hold cleartext password
  while ($c<length($pw)){                       # Process each pair of hex values
    $r.=chr(hex(substr($pw,$c,2))^$V[$i++]);    # Vigenere reverse translation
    $c+=2;                                      # Move pointer to next hex pair
    $i%=53;                                     # Vigenere table wrap around
  }                                             #
  return $r;                                    # Return cleartext password
}

The script is very easy to use as shown in the below example. You just type “perl cisco7decode.pl HASH-HERE” where HASH-HERE is the actual has and cisco7decode.pl is a file you create with the above code pasted in it.

Example Using cisco7decode.pl Perl Script To Crack Cisco Type 7 Passwords:

devqd:~ alex$ perl cdecrypt.pl 04480E051A33490E
secure
devqd:~ alex$

As you can see the above Cisco Type 7 password hash of 04480E051A33490E represents a password of “secure” without the quotes. I think you will be surprised at how quickly the passwords are returned. It is fairly amazing that this type of security was ever used by a company such as Cisco.


List Price: $720.00 USD
New From: $485.09 USD In Stock
Used from: $220.00 USD In Stock

Learning Perl (Paperback)

By (author): Randal L. Schwartz, brian d foy, Tom Phoenix


List Price: $39.99 USD
New From: $21.67 USD In Stock
Used from: $17.24 USD In Stock

DeliciousStumbleUponDiggTwitterFacebookRedditLinkedInEmail
Tags: , , , , , , , ,
4 Responses to “Perl Script To Decode Cisco Type 7 Password Hash”
  1. Daren says:

    Hi there, glad you liked the script. For information you found it at my site here:
    URL: mccltd DOT net/blog/?p=1034
    Some kind contributors have also included an Excel Visual Basic macro, a Ruby on Rails-b ased source code and also a web app and finally some C code.

    Have fun.
    Daren.

    [Reply]

    alex Reply:

    Hello Daren,

    Thanks for leaving feedback. It definitely could have been your site though it appears the article linked above was posted in December of 2011 and my article was posted in August of 2011 so I assume it would only be possible if you added a new article when contributions were released. Regardless thanks for the info on the contributions and for taking the time to leave feedback on the site.

    Thanks.
    alex

    [Reply]

  2. Daren says:

    Hi there – yes I republished it after some visitors created new code for it. Adding the “UPDATE” comments at the beginning of the article. No worries though I just wanted to mention the other code. All the best, Daren.

    [Reply]

    alex Reply:

    Hello Daren,

    Ahh… cool. Thanks for following up and for posting the script initially. I have used it numerous times!

    Thanks.
    alex

    [Reply]

  3.  
Leave a Reply

*Type the letter/number combination in the abvoe field before clicking submit.

*