Cisco Decrypt Type 4 Password In A; However, examining on IOS 12.x and later displays that by hand getting into a password encrypted with a increased list (generated from this script) to a Cisco settings will not really only end up being allowed, but will perform usually for authentication. Cisco Decrypt Type 4 Password In A; However, examining on IOS 12.x and later displays that by hand getting into a password encrypted with a increased list (generated from this script) to a Cisco settings will not really only end up being allowed, but will perform usually for authentication. 1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable) 1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable) 1 PC (Windows with a terminal emulation program, such as Tera Term) Console cables to configure the Cisco IOS devices via the console ports; Ethernet cables as shown in the topology. I've got a copy of a Cisco ASA config and i want to crack the following example passwords. I've got the following lines in the config. ASA Version 8.4(2)! Hostname ciscoasa. Enable password 8Ry2YjIyt7RRXU24 encrypted. Passwd 2KFQnbNIdI.2KYOU encrypted. 'Cisco 4' is called by Cisco 'SHA256'. It is obviously in base 64 and 43 characters long. It is easy to tell (with access to the Cisco device) that it is not salted. Well it turns out that it is just base 64 encoded SHA256 with character set './0-9A-Za-z'. The hardest part was getting a valid hash.
Update #2: This article has been updated over at https://retrorabble.wordpress.com/2013/10/12/cracking-cisco-password-hashes-part-2/
UPDATE: See bottom of post for a way to run MD5 cracking on Linux
Well, I managed to find this information out by phoning Cisco directly, and since most of the information on this subject seems to be either plain wrong or incomprehensible rubbish spouted by people with no idea what checking up on facts or cross referencing is, I’ve decided to share my knowledge here:
Cisco type 5 passwords are based on FREEBSD’s MD5 function with a SALT included to make life harder; however, as a typical type 5 password also includes the SALT, it does tend to defeat the purpose of SALTing values. For example:
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
Let’s break that down:
enable secret 5 This tells us that the password is an MD5 SALTed password.
$1$ Tells us that yes, it really is a SALTed MD5 password
mERr This is our SALT. From here, we can use a program to crack the MD5 hash I have used http://www.darknet.org.uk/2009/07/crack-pl-sha1-md5-hash-cracking-tool/ Amtlib framework cc 2017 mac download.
hx5rVt7rPNoS4wqbXKX7m0 And this is our MD5 hash
PS: I found that password hash using the Googledork: inurl:startup-config “enable secret 5”
Update: After some discussion with another member of my local LUG, we managed to get BarsWF MD5 (http://3.14.by/en/md5) cracker running under Wine. This is a 3 stage process
1.) Grab a copy of BarsWF (if you have CUDA, yuo will need to run it under Windows, unless you want to port it to Linux. I couldn’t get the 64 bit binary running under Wine, so ran with the x86 edition.
2.) You need a cisco type 5 password hash, of course, you already own a cisco device and have generated a SALTed MD5 hash for educational purposes, right.? Let’s assume mine is hx5rVt7rPNoS4wqbXKX7m0
Next, we have to convert the password string into a base64 encoded string. I use http://www.motobit.com/util/base64-decoder-encoder.asp But had to change the character set to windows-1250 which gave me the string aHg1clZ0N3JQTm9TNHdxYlhLWDdtMA now, we can attempt a brute force on it.
3.) Now, all we need to do is force the issue:
retrorabble@Lisa[~]$ BarsWF_SSE2_x32.exe -c 0aA~ -h aHg1clZ0N3JQTm9TNHdxYlhLWDdtMA Photograv software version download.
Cisco Decode Secret 4
4.) If you are on Linux and use CUDA (or whatever ATI calls it) have a look at http://www.networkworld.com/community/node/43721or if you realy want to push the envelope: http://hashcat.net/hashcat/expect hashcat to feature in a future posting as it seems to be what I am looking for (i.e. a multi-threaded, multi core, non GPU, bruteforcer for salted MD5 passwords).
Cisco Enable Secret 4 Decrypt
I will update this post as and when new information is added.