Vulnerability Development mailing list archives
Re: Cisco IOS password types overview.
From: atatat () ATATDOT NET (Andrew Brown)
Date: Mon, 4 Oct 1999 18:18:32 -0400
> In the short time that I have been dealing with the Cisco routers, I have noticed 3 different types of passwords that can be present in a config file. The first type, the one I tentatively call "type 0" for obvious reasons, looks like this:
>
> 2611.NotBSD.org#sh run
> [...]
> username stany password 0 b1g3Kr37
> [...]
>
> In essence, user "stany" has a password "b1g3Kr37", and that password is stored in clear text in the configuration file. There is another type of clear text passwords present, that look similar to this:

it's in cleartext since the router admin hasn't said "service password-encryption" anywhere in the config. if they had, then password would have been encrypted using the "reversible" algorithm number 7 (cisco proprietary) and secrets would have been encrypted using algorithm number 5 (md5).

> Lastly there are the passwords which I would call "type 5". These are the high security passwords that Cisco advocates using for enable authentication. On the core router I had console access to, the enable was protected by exactly such a password.
>
> 1005.NotBSD.org#sh conf
> [...]
> !
> enable secret 5 $1$gN1e$mK2Zrg0RJ4gCO3Qz/DsD50
> [...]
>
> 7202.NotBSD.org#sh run
> [...]
> !
> boot system flash slot0:c7200-p-mz.111.CC.19980430.035406
> enable secret level 6 5 $1$qALY$FZ0R/1cS6fPQvz7a/Y8f01
> enable secret 5 $1$cCbN$MXcvCFHIwLmTjxmPYv7AT/
> !
> [...]

yeah. those are md5 hashes, much like freebsd (and now openbsd). that's three fields, all preceded by dollar signs. the first one is a "version number" (for lack of a better term) and has been "1" wherever i've seen it. the next field ("qALY" in your enable secret level line above) is the salt, much like the salt that unix crypt()ed passwords use, except longer. i don't recall the details of exactly what it does, but it's a lot more "variable" bits than the 12 you get from the two character salt in the standard unix password. here you get 48 bits of salt (at least...again, i don't recall exactly what the interpretation of them is). the last field ("FZ0R/1cS6fPQvz7a/Y8f01" in the same line above) is the base-64 encoded md5 hash. 22 chars at 6 bits per char gets you 132 bits. the last four are blank since md5 only gives you 128 bits. hence, the last character will only be one of four instead of one of 64.

--
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org * "ah! i see you have the internet
twofsonet () graffiti com (Andrew Brown) that goes *ping*!"
andrew () crossbar com * "information is power -- share the wealth."
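
The storage types discussed in this message can be checked mechanically when reviewing a saved config. The following is an added example, not part of the original post and not Cisco code: a small Python auditor that flags type 0 and type 7 credentials and validates the three-field layout of a type 5 secret. The names `audit`, `parse_type5` and `SAMPLE` are hypothetical; the type 7 line in `SAMPLE` is a constructed placeholder, the other lines are the ones quoted above.

```python
import re

# Alphabet used by the md5 crypt() encoding; the hash field is 22 of these characters.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Only matches lines that carry an explicit type digit (0, 5 or 7), optionally after "level N".
CRED = re.compile(r"\b(password|secret)\s+(?:level\s+\d+\s+)?([057])\s+(\S+)")
STORAGE = {"0": "cleartext", "7": "reversible (type 7)", "5": "md5 hash (type 5)"}

# Lines quoted in the thread, plus one constructed type 7 placeholder (not a real encoding).
SAMPLE = """username stany password 0 b1g3Kr37
enable secret level 6 5 $1$qALY$FZ0R/1cS6fPQvz7a/Y8f01
enable secret 5 $1$cCbN$MXcvCFHIwLmTjxmPYv7AT/
enable password 7 00112233445566
"""

def parse_type5(field):
    """Split '$version$salt$hash' and check the layout described in the message."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        return None  # not a three-field, dollar-prefixed value
    version, salt, digest = parts[1:]
    well_formed = (
        version == "1"
        and len(digest) == 22
        and all(c in ITOA64 for c in salt + digest)
        # 22 chars carry 132 bits but md5 yields 128, so the last char is one of four
        and digest[-1] in ITOA64[:4]
    )
    return {"version": version, "salt": salt, "hash": digest, "well_formed": well_formed}

def audit(config_text):
    """Return one finding per credential line; 'recoverable' marks types 0 and 7."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = CRED.search(line)
        if not m:
            continue
        keyword, ptype, value = m.groups()
        finding = {"line": lineno, "keyword": keyword, "type": ptype,
                   "storage": STORAGE[ptype], "recoverable": ptype != "5"}
        if ptype == "5":
            finding["fields"] = parse_type5(value)
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```
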