I spent a lot of time the other night trying to find a perl script that would decode Cisco type 7 password hashes and many of them did not work properly. At first I thought I was doing something wrong however I am pretty sure that most of the scripts were just broken. Anyhow I finally located the below script on some site and I can’t remember where I found it so I wanted to post it here mostly for reference however if someone else finds it useful then that would be great. Below is the actual script itself followed by an example of using the script.
**UPDATE** Script was located from this site and has updates with more features.
Perl Script That Takes Cisco Type 7 Hash And Returns The Password:
- #!/usr/bin/perl
- use File::Copy;
- ############################################################################
- # Vigenere translation table
- ############################################################################
- @V=(0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
- 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
- 0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39,
- 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33,
- 0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37);
- ############################################################################
- ############################################################################
- # Usage guidelines
- ############################################################################
- if ($ARGV[0] eq ""){
- print "This script reveals the IOS passwords obfuscated using the Vigenere algorithm.\n";
- print "\n";
- print "Usage guidelines:\n";
- print " cdecrypt.pl 04480E051A33490E # Reveals a single password\n";
- print " cdecrypt.pl running-config.rcf # Changes all passwords in a file to cleartext\n";
- print " # Original file stored with .bak extension\n";
- }
- ############################################################################
- # Process arguments and execute
- ############################################################################
- if(open(F,"<$ARGV[0]")){ # If argument passed can be opened then convert a file
- open(FO,">cdcout.rcf") || die("Cannot open 'cdcout.rcf' for writing ($!)\n");
- while(<F>){
- if (/(.*password\s)(7\s)([0-9a-fA-F]{4,})/){ # Find password commands
- my $d=Decrypt($3); # Deobfuscate passwords
- s/(.*password\s)(7\s)([0-9a-fA-F]{4,})/$1$d/; # Remove '7' and add cleartext password
- }
- print FO $_;
- }
- close(F);
- close(FO);
- copy($ARGV[0],"$ARGV[0].bak")||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'");
- copy("cdcout.rcf",$ARGV[0])||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'");
- unlink "cdcout.rcf";
- }else{ # If argument passed cannot be opened it is a single password
- print Decrypt($ARGV[0]) . "\n";
- }
- ############################################################################
- # Vigenere decryption/deobfuscation function
- ############################################################################
- sub Decrypt{
- my $pw=shift(@_); # Retrieve input obfuscated password
- my $i=substr($pw,0,2); # Initial index into Vigenere translation table
- my $c=2; # Initial pointer
- my $r=""; # Variable to hold cleartext password
- while ($c<length($pw)){ # Process each pair of hex values
- $r.=chr(hex(substr($pw,$c,2))^$V[$i++]); # Vigenere reverse translation
- $c+=2; # Move pointer to next hex pair
- $i%=53; # Vigenere table wrap around
- } #
- return $r; # Return cleartext password
- }
The script is very easy to use as shown in the below example. You just type “perl cisco7decode.pl HASH-HERE” where HASH-HERE is the actual has and cisco7decode.pl is a file you create with the above code pasted in it.
Example Using cisco7decode.pl Perl Script To Crack Cisco Type 7 Passwords:
- devqd:~ alex$ perl cdecrypt.pl 04480E051A33490E
- secure
- devqd:~ alex$
As you can see the above Cisco Type 7 password hash of 04480E051A33490E represents a password of “secure” without the quotes. I think you will be surprised at how quickly the passwords are returned. It is fairly amazing that this type of security was ever used by a company such as Cisco.
Cisco WS-C2960-24TC-L 2960 24 10/100 Catalyst Switch (Personal Computers)
|
||||||||
Learning Perl (Paperback)
|
||||||||
Hi there, glad you liked the script. For information you found it at my site here:
URL: mccltd DOT net/blog/?p=1034
Some kind contributors have also included an Excel Visual Basic macro, a Ruby on Rails-b ased source code and also a web app and finally some C code.
Have fun.
Daren.
Hello Daren,
Thanks for leaving feedback. It definitely could have been your site though it appears the article linked above was posted in December of 2011 and my article was posted in August of 2011 so I assume it would only be possible if you added a new article when contributions were released. Regardless thanks for the info on the contributions and for taking the time to leave feedback on the site.
Thanks.
alex
Hi there – yes I republished it after some visitors created new code for it. Adding the “UPDATE” comments at the beginning of the article. No worries though I just wanted to mention the other code. All the best, Daren.
Hello Daren,
Ahh… cool. Thanks for following up and for posting the script initially. I have used it numerous times!
Thanks.
alex