Penetration Testing mailing list archives
Re: [PEN-TEST] Router Password Recovery
From: Randy Williams <randyw () SHORE NET>
Date: Tue, 30 Jan 2001 23:35:34 -0500
On Wed, 31 Jan 2001, Robert van der Meulen wrote:
Hi, Quoting Randy Williams (randyw () SHORE NET):Be careful about what's called "encrypted" here. Cisco's normal encryption (referred to as "Cisco 7", for it's ridiculous 7-bit hash) is easily cracked. Using an MD5-based hash (referred to as "enable secret" passwords), the encryption is uncrackable. As mentioned before, you'll have to reset the password.Be careful with using terms like 'uncrackable'. MD5-based hashes are currently mostly uncrackable in a mathematically-infeasable kind of way, but are very much not so when using attacks like dictionary-based ones. I have successfully used dictionary attacks against md5 hashes in the past, and probably will in the future.
An excellent point, and my apologies for not being more clear. What I meant to indicate is that there's no known tool that will "recover" the original password from the hashed version, unlike ciscocrack for Cisco 7 passwords. Most definitely, dictionary attacks will work against this type of hash, simply because most people use lousy passwords :) With a lengthy, mixed-character set password, using MD5 (or a similarly long encryption cipher), you're going to have a VERY hard time cracking such a password. RW
Current thread:
- [PEN-TEST] Router Password Recovery Smith, Lonnie (Jan 30)
- Re: [PEN-TEST] Router Password Recovery Bill Pennington (Jan 30)
- Re: [PEN-TEST] Router Password Recovery UID Zero (Jan 30)
- Re: [PEN-TEST] Router Password Recovery Frank Keeney (Jan 30)
- Re: [PEN-TEST] Router Password Recovery Greg (Jan 31)
- Re: [PEN-TEST] Router Password Recovery Frank Keeney (Jan 30)
- <Possible follow-ups>
- Re: [PEN-TEST] Router Password Recovery Justin Shaffer (Jan 30)
- Re: [PEN-TEST] Router Password Recovery Randy Williams (Jan 30)
- Re: [PEN-TEST] Router Password Recovery Robert van der Meulen (Jan 30)
- Re: [PEN-TEST] Router Password Recovery Randy Williams (Jan 31)
- Re: [PEN-TEST] Router Password Recovery Randy Williams (Jan 30)
- Re: [PEN-TEST] Router Password Recovery Leif Sawyer (Jan 30)