• Home »
  • Security »
  • Crack Cisco IOS Password Hashes, Crack Cisco Type 5 & Type 7 Password Hashes

Crack Cisco IOS Password Hashes, Crack Cisco Type 5 & Type 7 Password Hashes

Cisco devices running the Cisco IOS have three types of ways to display passwords in the device configuration which include Type 0, Type 5, and Type 7. Below we describe all three methods of storing passwords in the Cisco IOS device configuration and how to obtain the password from each method either by simply reading the password, by quickly converting the password from the Cisco defined encryption algorithm, or by cracking MD5 UNIX password hashes.

Cisco Password Types:

  • Cisco Type 0 Password: These passwords are stored in IOS configuration as plaintext. Least secure.
  • Cisco Type 5 Password: These passwords are stored as MD5 UNIX hashes which are salted. Most secure.
  • Cisco Type 7 Password: These passwords are stored in a Cisco defined encryption algorithm. Not secure except for protecting against shoulder surfing attacks.

Crack Cisco Type 5 Password Hashes:

The most secure of the available password hashes is the Cisco Type 5 password hash which is a MD5(Unix) hash. My preferred application to crack these types of hashes is oclHashcat and more specifically oclHashcat-plus which is open source and can be downloaded here. oclHashcat-plus takes advantage of GPU’s instead of CPU’s which makes it extremely fast when cracking passwords. Below is information on what the Cisco configuration line will look like that stores the Type 5 password, an example Cisco Type 5 password hash, and an example cracking a Cisco Type 5 password.

Cisco Type 5 Password Example In Cisco IOS Configuration:

text

  1. enable secret 5 $1$c7We$oWwyT8o77NKC.4FfDlDNV0

In the above example the password was set as QUESTIONDEFENSE and below you can see an example of oclHashcat working to crack the Type 5 password hash from the above example. In the command issued below the –gpu-watchdog=0 switch tells oclHashcat to not monitor the GPU temperature, the -m 500 switch tells oclHashcat what type of hash we are cracking (in this example it is MD5(Unix), ciscotype5.txt is a text file located in the same directory as the oclHashcat application and includes our example hash, and /wordlists/small.dic specifies the wordlist we are using in this example.

Cracking Cisco Type 5 Password Hash With oclHashcat-Plus:

text

  1. [root@dev oclHashcat-plus-0.06]# ./oclHashcat-plus64.bin --gpu-watchdog=0 -m 500 ciscotype5.txt /wordlists/small.dic
  2. oclHashcat-plus v0.6 by atom starting...
  3.  
  4. Hashes: 1
  5. Unique salts: 1
  6. Unique digests: 1
  7. Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
  8. GPU-Loops: 64
  9. GPU-Accel: 40
  10. Password lengths range: 1 - 15
  11. Platform: AMD compatible platform found
  12. Watchdog: Temperature limit disabled
  13. Device #1: Cayman, 2048MB, 0Mhz, 24MCU
  14. Device #2: Cayman, 2048MB, 0Mhz, 24MCU
  15. Device #3: Cayman, 2048MB, 0Mhz, 24MCU
  16. Device #4: Cayman, 2048MB, 0Mhz, 24MCU
  17. Device #1: Allocating 144MB host-memory
  18. Device #1: Kernel ./kernels/4098/m0500.Cayman.64.kernel (796578 bytes)
  19. Device #2: Allocating 144MB host-memory
  20. Device #2: Kernel ./kernels/4098/m0500.Cayman.64.kernel (796578 bytes)
  21. Device #3: Allocating 144MB host-memory
  22. Device #3: Kernel ./kernels/4098/m0500.Cayman.64.kernel (796578 bytes)
  23. Device #4: Allocating 144MB host-memory
  24. Device #4: Kernel ./kernels/4098/m0500.Cayman.64.kernel (796578 bytes)
  25.  
  26. Scanned dictionary /wordlists/small.dic: 792070995 bytes, 60122736 words, starting attack...
  27.  
  28. $1$c7We$oWwyT8o77NKC.4FfDlDNV0:QUESTIONDEFENSE
  29.  
  30. Status.......: Cracked
  31. Hash.Type....: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
  32. Input.Mode...: File (/wordlists/small.dic)
  33. Time.Running.: 12 secs
  34. Speed.Plains.:  7892.3k c/s
  35. Speed.Words..:  7892.3k c/s
  36. Recovered....: 1/1 Digests, 1/1 Salts
  37. Progress.....: 59738641/60122736 (99.36%)
  38.  
  39. Started: Tue Aug 30 23:23:17 2011
  40. Stopped: Tue Aug 30 23:23:33 2011
  41. [root@dev oclHashcat-plus-0.06]#

As you can see above oclHashcat-plus is really fast and was able to crack the password hash in 12 seconds at a rate of 7.892 million combinations per second. With GPU password cracking there are not many passwords that are safe anymore. Below is an example I used in a previous article of cracking a Cisco Type 7 password using a simple Perl script. In the example below I ran the Perl script on my Macbook and the password was returned in less than 5 seconds.

Cracking Cisco Type 7 Password Hashes With Perl Script:

text

  1. devqd:~ alex$ perl cdecrypt.pl 04480E051A33490E
  2. secure
  3. devqd:~ alex$

You can find the details of the Perl script used above in this article. So no matter how the password is stored in a Cisco configuration if you have access to the configuration you can likely crack the password.

TcL Scripting for Cisco IOS (Networking Technology) (Paperback)


List Price: $67.99 USD
New From: $47.63 USD In Stock
Used from: $38.00 USD In Stock

Implementing Cisco IOS Network Security (IINS): (CCNA Security exam 640-553) (Authorized Self-Study Guide) (Hardcover)


List Price: $68.00
New From: $4.46 USD In Stock
Used from: $0.01 USD In Stock

Share