Vulnerability Development: Re: Cisco IOS password types overview.

Re: Cisco IOS password types overview.

From: Andrew Brown <atatat_at_ATATDOT.NET>
Date: Mon, 4 Oct 1999 18:18:32 -0400

>In the short time that I have been dealing with the Cisco routers, I have
>noticed 3 different types of passwords that can be present in a config
>file. The first type, the one I tentatively call "type 0" for obvious
>reasons looks like this:
>
>2611.NotBSD.org#sh run
>[...]
>username stany password 0 b1g3Kr37
>[...]
>
>In essence, user "stany" has a password "b1g3Kr37", and that password is
>stored in clear text in the configuration file. There is another type of
>clear text passwords present, that look similar to this:

it's in cleartext since the router admin hasn't said "service
password-encryption" anywhere in the config. if they had, then
password would have been encrypted using the "reversible" algorithm
number 7 (cisco proprietary) and secrets would have been encrypted
using algorithm number 5 (md5).

>Lastly there are the passwords which I would call "type 5". These are the
>high security passwords that Cisco advocates using for enable
>authentication. The passwords on the core router I had console access to
>the enable was protected by exactly such a password.
>
>1005.NotBSD.org#sh conf
>[...]
>!
>enable secret 5 $1$gN1e$mK2Zrg0RJ4gCO3Qz/DsD50
>[...]
>
>7202.NotBSD.org#sh run
>[...]
>!
>boot system flash slot0:c7200-p-mz.111.CC.19980430.035406
>enable secret level 6 5 $1$qALY$FZ0R/1cS6fPQvz7a/Y8f01
>enable secret 5 $1$cCbN$MXcvCFHIwLmTjxmPYv7AT/
>!
>[...]

yeah. those are md5 hashes, much like freebsd (and now openbsd).
that's three fields, all preceded by dollar signs.

the first one is a "version number" (for lack of a better term) and
has been "1" wherever i've seen it.

the next field ("qALY" in your enable secret level line above) is the
salt, much like the salt that unix crypt()ed passwords use, except
longer. i don't recall the details of exactly what it does, but it's
a lot more "variable" bits than the 12 you get from the two character
salt in the standard unix password. here you get 48 bits of salt (at
least...again, i don't recall exactly what the interpretation of them
is).

the last field ("FZ0R/1cS6fPQvz7a/Y8f01" in the same line above) is
the base-64 encoded md5 hash. 22 chars at 6 bits per char gets you
132 bits. the last four are blank since md5 only gives you 128 bits.
hence, the last character will only be one of four instead of one of
64.

--
|-----< "CODE WARRIOR" >-----|
codewarrior_at_daemon.org             * "ah!  i see you have the internet
twofsonet_at_graffiti.com (Andrew Brown)                that goes *ping*!"
andrew_at_crossbar.com       * "information is power -- share the wealth."
Received on Oct 04 1999
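
The field layout described in the message above can be checked mechanically when auditing a saved config for how each password is stored. The following is an added example, not part of the original post or of any Cisco tool; the function names `parse_type5` and `audit_config` are hypothetical, and the sample lines are the ones quoted in the post.

```python
import re

# 64-character alphabet of the $1$ (MD5 crypt) encoding, 6 bits per character.
# It differs from the RFC base64 alphabet.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Storage types named in the message: 0 cleartext, 7 reversible, 5 md5.
STORAGE = {"0": "cleartext", "7": "reversible", "5": "md5"}
# Matches "username stany password 0 ..." and "enable secret level 6 5 ...".
LINE_RE = re.compile(r"\b(password|secret)(?: level \d+)? ([057]) (\S+)\s*$")

def parse_type5(value):
    """Split '$version$salt$hash' and check the shape described in the message."""
    parts = value.split("$")
    if len(parts) != 4 or parts[0] or parts[1] != "1":
        raise ValueError("expected $1$salt$hash")
    salt, digest = parts[2], parts[3]
    if not salt or any(c not in ITOA64 for c in salt):
        raise ValueError("bad salt")
    if len(digest) != 22 or any(c not in ITOA64 for c in digest):
        raise ValueError("hash must be 22 characters from the 64-character set")
    # 22 * 6 = 132 bits but md5 yields 128, so the last character carries
    # only 2 bits and must be one of the first four alphabet characters.
    if ITOA64.index(digest[-1]) > 3:
        raise ValueError("last hash character carries more than 2 bits")
    return {"version": parts[1], "salt": salt, "hash": digest}

def audit_config(text):
    """Return (line_number, storage, detail) for each typed password/secret line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        ptype, value = m.group(2), m.group(3)
        detail = None
        if ptype == "5":
            try:
                detail = parse_type5(value)
            except ValueError as exc:
                detail = {"error": str(exc)}
        findings.append((n, STORAGE[ptype], detail))
    return findings

# Config lines copied from the quoted post above.
SAMPLE = """username stany password 0 b1g3Kr37
enable secret level 6 5 $1$qALY$FZ0R/1cS6fPQvz7a/Y8f01
enable secret 5 $1$cCbN$MXcvCFHIwLmTjxmPYv7AT/
"""
```

Calling `audit_config(SAMPLE)` flags line 1 as cleartext and returns the parsed salt and hash for the two type 5 lines; a type 5 value that fails the shape checks is reported with an `error` entry instead of raising.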