Cisco devices running the Cisco IOS have three types of ways to display passwords in the device configuration which include Type 0, Type 5, and Type 7. Below we describe all three methods of storing passwords in the Cisco IOS device configuration and how to obtain the password from each method either by simply reading the password, by quickly converting the password from the Cisco defined encryption algorithm, or by cracking MD5 UNIX password hashes.
Cisco Password Types:
- Cisco Type 0 Password: These passwords are stored in IOS configuration as plaintext. Least secure.
- Cisco Type 5 Password: These passwords are stored as MD5 UNIX hashes which are salted. Most secure.
- Cisco Type 7 Password: These passwords are stored in a Cisco defined encryption algorithm. Not secure except for protecting against shoulder surfing attacks.
Crack Cisco Type 5 Password Hashes:
The most secure of the available password hashes is the Cisco Type 5 password hash which is a MD5(Unix) hash. My preferred application to crack these types of hashes is oclHashcat and more specifically oclHashcat-plus which is open source and can be downloaded here. oclHashcat-plus takes advantage of GPU’s instead of CPU’s which makes it extremely fast when cracking passwords. Below is information on what the Cisco configuration line will look like that stores the Type 5 password, an example Cisco Type 5 password hash, and an example cracking a Cisco Type 5 password.
Cisco Type 5 Password Example In Cisco IOS Configuration:
enable secret 5 $1$c7We$oWwyT8o77NKC.4FfDlDNV0
In the above example the password was set as QUESTIONDEFENSE and below you can see an example of oclHashcat working to crack the Type 5 password hash from the above example. In the command issued below the –gpu-watchdog=0 switch tells oclHashcat to not monitor the GPU temperature, the -m 500 switch tells oclHashcat what type of hash we are cracking (in this example it is MD5(Unix), ciscotype5.txt is a text file located in the same directory as the oclHashcat application and includes our example hash, and /wordlists/small.dic specifies the wordlist we are using in this example.
Cracking Cisco Type 5 Password Hash With oclHashcat-Plus:
[root@dev oclHashcat-plus-0.06]# ./oclHashcat-plus64.bin --gpu-watchdog=0 -m 500 ciscotype5.txt /wordlists/small.dic oclHashcat-plus v0.6 by atom starting... Hashes: 1 Unique salts: 1 Unique digests: 1 Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes GPU-Loops: 64 GPU-Accel: 40 Password lengths range: 1 - 15 Platform: AMD compatible platform found Watchdog: Temperature limit disabled Device #1: Cayman, 2048MB, 0Mhz, 24MCU Device #2: Cayman, 2048MB, 0Mhz, 24MCU Device #3: Cayman, 2048MB, 0Mhz, 24MCU Device #4: Cayman, 2048MB, 0Mhz, 24MCU Device #1: Allocating 144MB host-memory Device #1: Kernel ./kernels/4098/m0500.Cayman.64.kernel (796578 bytes) Device #2: Allocating 144MB host-memory Device #2: Kernel ./kernels/4098/m0500.Cayman.64.kernel (796578 bytes) Device #3: Allocating 144MB host-memory Device #3: Kernel ./kernels/4098/m0500.Cayman.64.kernel (796578 bytes) Device #4: Allocating 144MB host-memory Device #4: Kernel ./kernels/4098/m0500.Cayman.64.kernel (796578 bytes) Scanned dictionary /wordlists/small.dic: 792070995 bytes, 60122736 words, starting attack... $1$c7We$oWwyT8o77NKC.4FfDlDNV0:QUESTIONDEFENSE Status.......: Cracked Hash.Type....: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5 Input.Mode...: File (/wordlists/small.dic) Time.Running.: 12 secs Speed.Plains.: 7892.3k c/s Speed.Words..: 7892.3k c/s Recovered....: 1/1 Digests, 1/1 Salts Progress.....: 59738641/60122736 (99.36%) Started: Tue Aug 30 23:23:17 2011 Stopped: Tue Aug 30 23:23:33 2011 [root@dev oclHashcat-plus-0.06]#
As you can see above oclHashcat-plus is really fast and was able to crack the password hash in 12 seconds at a rate of 7.892 million combinations per second. With GPU password cracking there are not many passwords that are safe anymore. Below is an example I used in a previous article of cracking a Cisco Type 7 password using a simple Perl script. In the example below I ran the Perl script on my Macbook and the password was returned in less than 5 seconds.
Cracking Cisco Type 7 Password Hashes With Perl Script:
devqd:~ alex$ perl cdecrypt.pl 04480E051A33490E secure devqd:~ alex$
You can find the details of the Perl script used above in this article. So no matter how the password is stored in a Cisco configuration if you have access to the configuration you can likely crack the password.