Cisco Password Recovery
So you have a Cisco device that is password protected; perhaps it is a mission-critical core device and you lost the password. It doesn’t matter why, but maybe when you recover it, take note of it this time.
What I present here is a method for actually recovering the MD5-hashed “enable” password through a dictionary attack (plus physical access to the device).
First, let us look at the actual password as the IOS stores it:
enable secret 5 $1$mERr$Q4J3cxRImm68KXqMDsLDs/
Wait a minute, we’re not even going to be able to get that far since we can’t do a show run on the device, because that requires privileged exec permissions and you forgot that password.
So first we have to recover that config file. Eject the flash card that holds the filesystem. I don’t think you can do this to a live system without making it a little unstable, but who cares. Insert that flash card into the PCMCIA slot on that old-school laptop and open the file with a text editor.
What if the flash isn’t ejectable? Or maybe we’re just really unsure of our ability to eject PCMCIA cards? Then this isn’t a mission-critical core piece of equipment: power it off and enter rommon mode, then tftp the config to your computer and open it with a text editor.
Now let’s get back to that password:
enable secret 5 $1$mERr$Q4J3cxRImm68KXqMDsLDs/
If you’re familiar with Unix, BSD, or Linux password files, then this whole thing looks familiar. That’s because Cisco uses the same FreeBSD crypto libraries as the rest of the world (except Microsoft; they’re fucking stupid “special”).
The 5 is Cisco IOS’ way of knowing that this is an MD5-hashed password (there are other algorithms). The rest of it is the hashed password. The $ is a field separator, like a space or a tab, except that it makes way more sense than a space (for nerd reasons I will mention later). So we have THREE fields: hash type, salt and the hash itself (see the 342-page CryptLib manual for the gory details).
So here the hash type $1$ is MD5; there are other algorithms (Blowfish, SHA256, SHA512 and Sun’s version of MD5) but we only care about MD5 for now (the others are $2$ and $2a$ for Blowfish, $md5$ for Sun MD5, $5$ for SHA256 and $6$ for SHA512). Then there’s the salt, mERr, which isn’t complicated at all. And then there’s the actual hash itself.
One other point to mention is that the hash is Base64 encoded so that it is at least printable; otherwise it would just be random binary garbage. Base64 is also the reason $ is used as a field separator: $ is not in the Base64 alphabet, so it can never show up inside a field. Go read up on Base64 if you’re confused.
Now that we know the nature of this beast, let’s slay it. OpenSSL is a free, open-source toolkit based on (you guessed it) the crypto libraries from FreeBSD. We can use the OpenSSL toolkit to generate this exact hash output.
Do this at your favorite *nix prompt:
openssl passwd -1 -table -salt "C6orX" "password"
The output looks like:
password $1$C6orX$k2Z7bDauFo1.E7Y1ruIhf/
Now generate a wordlist. Make damn sure it is in Unix format and not the lame-ass Windows or Mac format: it needs normal line breaks (LF only), not fucked-up 2-byte CRLF breaks. I use AWLG.org, but just make sure your wordlist contains any potential passwords that might have been used. Save that wordlist somewhere. We are going to feed the wordlist to OpenSSL, which will generate the hashes. Let’s just pretend, for simplicity’s sake, that the enable password was in fact “password”. Run your wordlist that contains “password” through openssl and feed the result to grep:
Alex@0G081F ~ $ openssl passwd -1 -salt C6orX -table -in wordlist.txt | grep k2Z7bDauFo1
password $1$C6orX$k2Z7bDauFo1.E7Y1ruIhf/
So what does this mean? We used openssl to generate password hashes (passwd) of type MD5 (-1) with the specified salt (-salt C6orX), output in table format (-table), reading in from our wordlist (-in wordlist.txt), and then we piped it to grep searching for a known chunk of the hash (grep k2Z7bDauFo1). After a few minutes of work, grep finds the line and spits it out. HOLY SHIT IT WORKS!
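To make the three-field format and the openssl pipeline above concrete, here is an added example (my own code, not from the original post or from OpenSSL): a pure-Python implementation of the FreeBSD MD5-crypt ($1$) scheme, plus a small audit helper that pulls every “enable secret 5” line out of a config and reports which ones a wordlist reproduces. The function names, the sample config and the wordlist are constructed for this example; md5_crypt("password", "C6orX") can be compared against the openssl output shown above.

```python
import hashlib
import re

# crypt(3)-style base64 alphabet; '$' is not in it, which is what makes '$' safe as a field separator
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` base64 characters from `value`, least-significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password: str, salt: str) -> str:
    """FreeBSD MD5-crypt ($1$), the scheme behind 'enable secret 5'; the salt is at most 8 chars."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):          # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                                  # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # 1000 rounds of key stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # 16 digest bytes -> 22 base64 chars, in crypt's peculiar byte order
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$1$" + sl.decode() + "$" + out + _to64(final[11], 2)


# The three '$'-separated fields of a type 5 line: tag $1$, salt, 22-character hash
SECRET_RE = re.compile(r"^\s*enable secret 5 (\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22})\s*$", re.M)


def weak_enable_secrets(config: str, wordlist) -> list:
    """Return (hash, word) for every type 5 secret in `config` that a wordlist entry reproduces."""
    hits = []
    for full, salt in SECRET_RE.findall(config):
        for word in wordlist:
            if md5_crypt(word, salt) == full:   # the same check as the openssl | grep pipeline
                hits.append((full, word))
                break
    return hits


if __name__ == "__main__":  # constructed demo: the secret is generated here, so the run is self-checking
    print(weak_enable_secrets("enable secret 5 " + md5_crypt("password", "C6orX") + "\n", ["cisco", "password"]))
```

Run it against a real running-config dump and a wordlist of your own to audit your devices for enable secrets that fall to the attack described in this post.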
Understand now? Does it seem all that complicated? It really isn’t.
And to top it off, John the Ripper works even better if you don’t have a dictionary. YAY!!
10 points for whomever finds my password from above
2008/10/21 at 21:12
Cool, its cool. Thanks.
2011/08/23 at 23:55
[...] per this website, the OpenSSL command line utility appears to provide the functionality you [...]