It should be noted that many algorithms require the Cisco IOS to have access to the cleartext password.
The Vigenere algorithm is used to obfuscate the passwords (not really encrypt them as there is no encryption key) in order to prevent “shoulder surfing” from exposing passwords to someone who briefly looks at a running configuration.
If, however, someone gets hold of the configuration they can easily retrieve the passwords using the reverse translation of the Vigenere algorithm.
- This can be done using various “type-7” password crackers or indeed within the IOS itself
- Cisco IOS uses this level-7 encryption when the “service password-encryption” command is used. Here is a Perl Script which deobfuscates the Cisco Viginere password Read more…
The latest Cisco TAC Newsletter had an interesting tip on recovering hidden pre-shared keys (which I’ve needed to do many times). So simple, it’s brilliant :) here’s the reprint: Read more…
Ever bought one of those APC Masterswitch PDU’s from eBay, then tried to login to the admin interface with the usual default “apc” / “apc” but found that the password had been changed?
Manuals:
The usual password recovery procedures (well documented) are quite tedious, requiring emails and serial numbers. What a pain!
- If you use one in your home lab this vulnerability will help you if you happen to buy one from eBay with the password set.
- If you use them on a production network – this could become an attack vector, so replace them or upgrade!
Here’s how to hack the password: Read more…
Decrypting Type 7 Password on Cisco Router
You know those type 7 (non-MD5) so-called “encryption” strings that appear when service password-encryption is used? A lot of people copy the string and go to websites (google cisco password cracker) and use a java applet or something to decrypt them.
However, you can actually do this on any cisco router. This is how you do it. Read more…
