Perl Script To Decode Cisco Type 7 Password Hash

I spent a lot of time the other night trying to find a Perl script that would decode Cisco type 7 password hashes, and many of them did not work properly. At first I thought I was doing something wrong, however I am pretty sure that most of the scripts were just broken. Anyhow, I finally located the below script on some site, and I can’t remember where I found it, so I wanted to post it here mostly for reference; however, if someone else finds it useful then that would be great. Below is the actual script itself followed by an example of using the script.

**UPDATE** Script was located from this site and has updates with more features.

Perl Script That Takes Cisco Type 7 Hash And Returns The Password:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Copy;

############################################################################
# Vigenere translation table
############################################################################
my @V=(0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
       0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
       0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39,
       0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33,
       0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37);
############################################################################

############################################################################
# Usage guidelines
############################################################################
if (!defined $ARGV[0] || $ARGV[0] eq ""){
   print "This script reveals the IOS passwords obfuscated using the Vigenere algorithm.\n";
   print "\n";
   print "Usage guidelines:\n";
   print " cdecrypt.pl 04480E051A33490E     # Reveals a single password\n";
   print " cdecrypt.pl running-config.rcf   # Changes all passwords in a file to cleartext\n";
   print "                                  # Original file stored with .bak extension\n";
   exit;                                   # Nothing to process without an argument
}

############################################################################
# Process arguments and execute
############################################################################
if(open(my $in,"<",$ARGV[0])){    # If argument passed can be opened then convert a file
  open(my $out,">","cdcout.rcf") || die("Cannot open 'cdcout.rcf' for writing ($!)\n");
  while(<$in>){
    if (/(.*password\s)(7\s)([0-9a-fA-F]{4,})/){     # Find password commands
      my $d=Decrypt($3);                             # Deobfuscate passwords
      s/(.*password\s)(7\s)([0-9a-fA-F]{4,})/$1$d/;  # Remove '7' and add cleartext password
    }
    print $out $_;
  }
  close($in);
  close($out);
  # Keep the original as .bak, then replace it with the cleartext version
  copy($ARGV[0],"$ARGV[0].bak")||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'");
  copy("cdcout.rcf",$ARGV[0])||die("Cannot copy 'cdcout.rcf' to '$ARGV[0]'");
  unlink "cdcout.rcf";
}else{                      # If argument passed cannot be opened it is a single password
  print Decrypt($ARGV[0]) . "\n";
}

############################################################################
# Vigenere decryption/deobfuscation function
############################################################################
sub Decrypt{
  my $pw=shift(@_);                             # Retrieve input obfuscated password
  my $i=substr($pw,0,2);                        # Initial index into Vigenere translation table
  my $c=2;                                      # Initial pointer
  my $r="";                                     # Variable to hold cleartext password
  while ($c<length($pw)){                       # Process each pair of hex values
    $r.=chr(hex(substr($pw,$c,2))^$V[$i++]);    # Vigenere reverse translation
    $c+=2;                                      # Move pointer to next hex pair
    $i%=53;                                     # Vigenere table wrap around
  }                                             #
  return $r;                                    # Return cleartext password
}
```

The script is very easy to use, as shown in the example below. You just type “perl cisco7decode.pl HASH-HERE”, where HASH-HERE is the actual hash and cisco7decode.pl is a file you create with the above code pasted in it. (The example below runs the same code saved as cdecrypt.pl, the name used in the script's usage text.)

Example Using cisco7decode.pl Perl Script To Crack Cisco Type 7 Passwords:

```bash
devqd:~ alex$ perl cdecrypt.pl 04480E051A33490E
secure
devqd:~ alex$
```

As you can see the above Cisco Type 7 password hash of 04480E051A33490E represents a password of “secure” without the quotes. I think you will be surprised at how quickly the passwords are returned. It is fairly amazing that this type of security was ever used by a company such as Cisco.
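The following is an added example, not part of the original post or the script's source, written in Python rather than Perl. It shows that type 7 is a repeating XOR against the fixed table above, with the starting offset stored in the first two digits, and it flags type 7 strings in a configuration so they can be replaced. The function names and the sample configuration are constructed for illustration.

```python
import re

# Fixed XOR key of IOS type 7, the same 53 bytes as the @V table in the Perl script.
KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# "password 7 " followed by a two-digit decimal offset and whole hex byte pairs.
TYPE7_RE = re.compile(r"\bpassword 7 (\d{2}(?:[0-9A-Fa-f]{2})+)\s*$")


def decode_type7(encoded: str) -> str:
    """Reverse type 7: the leading two decimal digits are the starting key offset."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ KEY[(offset + i) % len(KEY)] for i, b in enumerate(data))
    return clear.decode("latin-1")


def encode_type7(clear: str, offset: int) -> str:
    """Inverse operation: nothing secret is involved beyond the fixed key."""
    data = clear.encode("latin-1")
    body = "".join(f"{b ^ KEY[(offset + i) % len(KEY)]:02X}" for i, b in enumerate(data))
    return f"{offset:02d}{body}"


def audit_config(text: str) -> list:
    """Return (line number, command text) for every line holding a type 7 string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = TYPE7_RE.search(line)
        if match:
            findings.append((lineno, line[:match.start(1)].strip()))
    return findings


# Constructed sample configuration; every value here is made up for this example.
SAMPLE_CONFIG = "\n".join([
    "hostname lab-switch",
    "enable secret 5 $1$PLACEHOLDER$constructedvalue",
    "username admin password 7 " + encode_type7("lab-only", 7),
    "line vty 0 4",
    " password 7 04480E051A33490E",
])

if __name__ == "__main__":
    for lineno, command in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: '{command}' is reversible type 7, treat it as cleartext")
```

Decoding the post's sample string with `decode_type7` returns `secure` followed by a single space, which the terminal output above does not make visible.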
