
Deobfuscating Cisco Type 7 Passwords

October 17th, 2013

It should be noted that many algorithms require the Cisco IOS to have access to the cleartext password.

The Vigenere algorithm is used to obfuscate the passwords (not really encrypt them as there is no encryption key) in order to prevent “shoulder surfing” from exposing passwords to someone who briefly looks at a running configuration.


If, however, someone gets hold of the configuration they can easily retrieve the passwords using the reverse translation of the Vigenere algorithm.

  • This can be done using various “type-7” password crackers or indeed within the IOS itself.
  • Cisco IOS uses this level-7 encryption when the “service password-encryption” command is used. Here is a Perl script which deobfuscates the Cisco Vigenere password.

Level-5 encryption uses the one-way MD5 hash algorithm to convert passwords to a more secure form, but these passwords cannot be used for all purposes because even the router cannot convert them back to cleartext.

DOWNLOADS, CODE & LINKS:

Original Perl Script for Deobfuscating Cisco IOS Level-7 Password:

The following script can be used to retrieve the original cleartext password from the level-7 encrypted (obfuscated) password:

Download: cdecrypt perl script

#!/usr/bin/perl
use File::Copy;

############################################################################
# Vigenere translation table
############################################################################
@V=(0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
    0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
    0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39,
    0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33,
    0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37);
############################################################################

############################################################################
# Usage guidelines
############################################################################
if (!defined($ARGV[0]) || $ARGV[0] eq ""){
   print "This script reveals the IOS passwords obfuscated using the Vigenere algorithm.\n";
   print "\n";
   print "Usage guidelines:\n";
   print " cdecrypt.pl 04480E051A33490E     # Reveals a single password\n";
   print " cdecrypt.pl running-config.rcf   # Changes all passwords in a file to cleartext\n";
   print "                                  # Original file stored with .bak extension\n";
   exit;                                    # Nothing to process without an argument
}

############################################################################
# Process arguments and execute
############################################################################
if(open(F,"<",$ARGV[0])){   # If argument passed can be opened then convert a file (three-argument open keeps the name from being parsed as a mode)
  open(FO,">cdcout.rcf") || die("Cannot open 'cdcout.rcf' for writing ($!)\n");
  while(<F>){
    if (/(.*password\s)(7\s)([0-9a-fA-F]{4,})/){     # Find password commands
      my $d=Decrypt($3);                             # Deobfuscate passwords
      s/(.*password\s)(7\s)([0-9a-fA-F]{4,})/$1$d/;  # Remove '7' and add cleartext password
    }
    print FO $_;
  }
  close(F);
  close(FO);
  copy($ARGV[0],"$ARGV[0].bak")||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'");
  copy("cdcout.rcf",$ARGV[0])||die("Cannot copy 'cdcout.rcf' to '$ARGV[0]'");
  unlink "cdcout.rcf";
}else{                      # If argument passed cannot be opened it is a single password
  print Decrypt($ARGV[0]) . "\n";
}

############################################################################
# Vigenere decryption/deobfuscation function
############################################################################
sub Decrypt{
  my $pw=shift(@_);                             # Retrieve input obfuscated password
  my $i=substr($pw,0,2);                        # Initial index into Vigenere translation table
  my $c=2;                                      # Initial pointer
  my $r="";                                     # Variable to hold cleartext password
  while ($c<length($pw)){                       # Process each pair of hex values
    $r.=chr(hex(substr($pw,$c,2))^$V[$i++]);    # Vigenere reverse translation
    $c+=2;                                      # Move pointer to next hex pair
    $i%=53;                                     # Vigenere table wrap around
  }                                             #
  return $r;                                    # Return cleartext password
}

Installation

  • Download and install ActiveState Perl.
  • Create a text file called cdecrypt.pl
  • Copy the above source code into the text file and save it.

Usage guidelines

Usage: cdecrypt.pl [file | password]

  • file: If the argument is a file, the script will deobfuscate all occurrences of “… password 7 password” and replace them with a cleartext password. The original file will be stored with the .bak extension.
  • password: If the argument is a single obfuscated password it will be deobfuscated.
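
The contrast drawn above between reversible level-7 values and one-way level-5 hashes can be checked across a whole configuration. The Python audit below is an added example, not part of the original script: it reuses the script's translation table, reports whether each credential line is recoverable without echoing the recovered password, and its function names, report wording and sample configuration are constructed for illustration.

```python
import re

# Translation table: the 53 bytes of the Perl script's @V array.
KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# "<password|secret> [type digit] <value>" as it appears on a config line.
CRED = re.compile(r"\b(?:password|secret)\s+(?:([0-9])\s+)?(\S+)")

def decode_type7(value):
    """Return cleartext bytes, or None if value is not well-formed type 7."""
    m = re.fullmatch(r"([0-9]{2})((?:[0-9A-Fa-f]{2})+)", value)
    if not m or int(m.group(1)) >= len(KEY):
        return None
    seed, data = int(m.group(1)), bytes.fromhex(m.group(2))
    return bytes(b ^ KEY[(seed + i) % len(KEY)] for i, b in enumerate(data))

def audit(config_text):
    """Classify credential lines; the report never echoes a recovered password."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = CRED.search(line)
        if not m:
            continue
        kind, value = m.groups()
        if kind == "7":
            clear = decode_type7(value)
            verdict = ("type 7, malformed value" if clear is None else
                       f"type 7, reversible ({len(clear)} chars recovered)")
        elif kind == "5":
            verdict = "type 5, one-way MD5 hash"
        elif kind in (None, "0"):
            verdict = "cleartext"
        else:
            verdict = f"type {kind}, not covered by this page"
        findings.append((lineno, verdict))
    return findings

# Constructed sample; the valid type 7 value is the one from the script's usage text.
SAMPLE = """hostname lab-router
service password-encryption
enable secret 5 $1$abcd$0123456789abcdefghijkl
line vty 0 4
 password 7 04480E051A33490E
username audit password 7 04ZZ
"""

if __name__ == "__main__":
    for lineno, verdict in audit(SAMPLE):
        print(f"line {lineno}: {verdict}")
```

Any line reported as reversible or cleartext should be treated as an exposed credential wherever the configuration file is stored or shared.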

Author

Bostjan Sustar, based on C code by Jared Mauch © 2008 NIL Data Communications

  1. Carlos Montgomery
    August 11th, 2016 at 19:18 | #1

    Do you have similar code to decrypt $9$ Juniper passwords?

    I believe that they use the same Vigenere algorithm, but start with “$9$”, not “7 “.

    I tried that simple substitution, but your excel code did not return the expected result. :(

  2. JonathanPanes
    August 30th, 2017 at 09:05 | #2

    Thanks Man! Works like a charm
