Vulnerability Development mailing list archives

Cisco IOS password types overview.


From: stany () PET NOTBSD ORG (Stanislav N. Vardomskiy)
Date: Sun, 3 Oct 1999 02:43:01 -0400


Synopsis:

This document is an overview of the passwords used by Cisco Internetwork
Operating System (IOS).  While it doesn't illustrate any new
vulnerabilities in Cisco IOS, it confirms that Cisco is, indeed, correct
in stating that "type 5" passwords use MD5 to generate the one-way
hash, and that the hashes generated by IOS are compatible with the hashes
used by FreeBSD or OpenBSD.

The Document:

There is plenty of documentation for some of the
password types, some of the password types are self-explanatory, and some
are slightly more obscure.  I don't think that I am the first to write
something on this subject, but while perusing the search engines, I was
unable to find something that would document all of them at the same
place.  Hence this document.

I have to point out that I am not a Cisco expert.  I make my living
running or debugging Sun boxes, so I am not an expert for theoretical
stuff.  Consequently I do not know when each password type can be used,
and when each password type *should* be used.  I will just list my
findings.

Over the last little while I have been involved in a major security audit
of a large international ISP.  My specialty is UNIX, esp. Solaris, but I
am paid for results, so I started looking at the Cisco hardware they had
in place.  When I managed to obtain the running configuration for one of
the core routers in Montreal, it got me thinking.

In the short time that I have been dealing with the Cisco routers, I have
noticed 3 different types of passwords that can be present in a config
file.  The first type, the one I tentatively call "type 0" for obvious
reasons, looks like this:

2611.NotBSD.org#sh run
[...]
username stany password 0 b1g3Kr37
[...]

In essence, user "stany" has the password "b1g3Kr37", and that password is
stored in clear text in the configuration file.  There is another type of
clear text password present, which looks similar to this:

1005.NotBSD.org#sh run
[...]
enable password password
[...]
line vty 1 4
 password password
 login
!
[...]

Once again, everything is very much clear text.  In both cases the password
is "password", so no decoding or brute-forcing of any kind is needed.

The next type of password is called "type 7".  A few years ago these were
broken by a group of people, and rather well documented.  While I
will just refer anyone interested to the bugtraq archives and [1], they look
like this:

7202.NotBSD.org#sh conf
[...]
!
line con 0
 exec-timeout 0 0
 password 7 124915121C451B16233F21
 login
line aux 0
 no exec
 password 7 055B160A2F02591B101112
 login
line vty 0
 exec-timeout 0 0
 password 7 075F314940470E171E060E
 login
line vty 1 4
 password 7 075F314940470E171E060E
 login
!
end
7202.NotBSD.org#

Lastly there are the passwords which I would call "type 5".  These are the
high security passwords that Cisco advocates using for enable
authentication.  On the core router I had console access to, the enable
was protected by exactly such a password.

1005.NotBSD.org#sh conf
[...]
!
enable secret 5 $1$gN1e$mK2Zrg0RJ4gCO3Qz/DsD50
[...]

7202.NotBSD.org#sh run
[...]
!
boot system flash slot0:c7200-p-mz.111.CC.19980430.035406
enable secret level 6 5 $1$qALY$FZ0R/1cS6fPQvz7a/Y8f01
enable secret 5 $1$cCbN$MXcvCFHIwLmTjxmPYv7AT/
!
[...]

There is not much documentation on this password type except for the fact
that it uses MD5 to one-way hash the password.  I started looking into
this some more, because MD5 is one of the password types that John the
Ripper[3] is capable of running a brute-force attack against, and I was
hoping that modifying it a bit to read Cisco type 5 passwords would be
feasible.

The reality turned out even more mundane than I was imagining.
Poul-Henning Kamp on his webpage[4] has a tiny note that states that Cisco
has directly lifted FreeBSD's crypt.c[5], and uses it for type 5
passwords.

In other words, it is possible to run Jack the Ripper on Cisco type 5
passwords by extracting the passwords and reformatting them into a file
that resembles /etc/shadow, i.e.:

[...]
secret:$1$gN1e$mK2Zrg0RJ4gCO3Qz/DsD50:::::
router:$1$M0r3l1nen01$31234567890abcd:::::
[...]

and then running Jack the Ripper on the resulting file.

After a while you can expect to be able to extract some of the passwords,
commonly the weakest ones.
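As an added example (not part of the original post, and not FreeBSD's crypt.c itself), the following pure-Python md5crypt reproduces the "$1$" scheme the post says IOS borrowed, together with a checker for one type 5 hash and a classifier that picks the type 0, 7 and 5 entries out of a "sh run" dump. The sample config is constructed from lines shown in this post, and the function names are my own.

```python
import hashlib
import re
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Constructed sample in the post's "sh run" layout; the values are the post's own.
SAMPLE_CONFIG = """username stany password 0 b1g3Kr37
enable password password
 password 7 124915121C451B16233F21
enable secret 5 $1$gN1e$mK2Zrg0RJ4gCO3Qz/DsD50"""

def _to64(v: int, n: int) -> bytes:  # crypt.c to64(): n chars, low 6 bits first
    return bytes(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def md5crypt(pw: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt, the scheme behind IOS 'enable secret 5' ($1$) hashes."""
    salt = salt[:8]                      # crypt.c uses at most 8 salt bytes
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for pl in range(len(pw), 0, -16):    # len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                             # bit-walk over len(pw); the NUL byte
        ctx.update(b"\0" if i & 1 else pw[:1])  # reproduces crypt.c's quirk
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                # the 1000-round stretching loop
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in groups) + _to64(final[11], 2)
    return (b"$1$" + salt + b"$" + enc).decode()

def check_type5(hash_str: str, candidate: str) -> bool:
    """True only if candidate is the password behind a type 5 ($1$) hash."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", hash_str)
    return bool(m) and md5crypt(candidate.encode(), m.group(1).encode()) == hash_str

def classify(config: str) -> list:
    found = []  # (type, value): 0 = clear text, 7 = reversible, 5 = md5crypt
    for ln in config.splitlines():
        if m := re.search(r"\benable secret(?: level \d+)? 5 (\S+)$", ln):
            found.append((5, m.group(1)))
        elif m := re.search(r"\bpassword(?: ([07]))? (\S+)$", ln):
            found.append((int(m.group(1) or 0), m.group(2)))   # no digit: type 0
    return found
```

Anything classify() reports as type 0 or 7 is recoverable from the config alone; only the type 5 entries need check_type5(), which is also the function to feed from a denylist when auditing for weak enable secrets.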

Here I would like to point out once again the importance of good password
strategies: keeping different enable passwords on different systems and
making sure that the passwords are 11 characters long.  In the latter case
the only way to get to the system is through sniffing the telnet session,
and with Cisco licensing SSH server software from Datafellows, even that
should be impossible.

To do:

Jack is a wonderful piece of software, but it is single-threaded.  This
really annoys me, because I have an 8 CPU SPARCServer 1000 sitting in my
machine room idle, and most of my other SPARCs here could probably lend a
hand as well.  If there is no project to make Jack network aware and
multi-threaded already, I will be looking into doing such a thing.  If it
exists, I would appreciate knowing about it.

Notes:

[1] There are *many* places where it is documented[2], but the following
    two URLs can be of help:
    <http://www.insecure.org/sploits/cisco.passwords.html> (Hi Fyodor!)
    and <ftp://puck.nether.net/pub/jared/decrypt.c> are probably of the
    most use.

    Rootshell (They are *still* around?  Bah.) has an archive as well,
    with the headers and attributes stripped as usual at:
    <http://openbsd.rootshell.com/archive-j457nxiqi3gq59dv/199711/ciscocrack.c>
    It also has a great explanation of type 7 password scheme by Dr.
    Mudge.

[2] Sorry, securityfocus.com, but your search engine is not really optimal
    in searching for combinations of two words one next to another, so I
    was unable to find the needed mailing list messages on your site.  It
    would be great if it will be fixed, and support regular expressions
    added too. In the meanwhile I will refrain from comments on the fact
    that <http://www.geek-girl.com/bugtraq/> now also points to
    securityfocus.com website.

[3] <http://www.openwall.com/john/>

[4] <http://www.freebsd.org/~phk/>

[5] <http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libcrypt/crypt.c>
    Probably the best version to look at is 1.7

Credits:

o Jared Mauch for writing decrypt.c
o Dr. Mudge for a very good write-up on Cisco Type 7 passwords
o Poul-Henning Kamp for actually putting on his webpage that Cisco used
  crypt.c straight out of FreeBSD
o Solar Designer for writing John the Ripper
o Figz for helping me out with confirming the format of MD5 passwords on
  OpenBSD.
o Everyone who thinks that they should have credit

I have attempted to give credit to everyone.  If I missed you, and you
think that it's a mistake, please accept my sincerest apologies, and drop
me a line so I would know the unsung heroes too.

Contact Information:

Stanislav N. Vardomskiy
Center for Recovery from BSD Abuse
stany () NotBSD org

Signed:
//Stany,
Systems Administrator
Center for Recovery from BSD Abuse, Canuckia Chapter

--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
| This message is powered by JOLT!  For all the sugar and twice the caffeine. |
+--------+ My words are my own.  LARTs are provided free of charge. +---------+
