Monday, May 24, 2010

Decrypting Cisco Device Login Passwords

If your router or switch has been globally configured with the service password-encryption command, the passwords in the configuration are stored in obfuscated (type 7) form rather than in cleartext. In some cases you may need to recover such a password, and that is when this procedure using the key chain command can be of great help. For this to work you must already be logged into the device whose password you are decrypting, and you must be authorized to execute these commands.

Key chains are typically used by the EIGRP and RIPv2 routing protocols for authentication. A key chain can hold a number of keys, and each key has a key string associated with it.

Switch(config)#key chain CRACK
Switch(config-keychain)#do sh run | inc Admin
username Admin privilege 15 password 7 107E290A1600421908
Switch(config-keychain)#key 1
Switch(config-keychain-key)#key-string 7 107E290A1600421908
Switch(config-keychain-key)#exit
Switch#sh key chain CRACK
Key-chain CRACK:
key 1 -- text "P@ssw0rd"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]

You can also decrypt the enable, line vty and console passwords using this method. However, it cannot be used to recover passwords configured with the secret command (e.g. enable secret password or username username secret password), as those are stored as MD5 hashes rather than the reversible type 7 encoding. Considering the security implications, it is advised to use the enable secret command and to use TACACS+ or RADIUS for authentication. With Cisco ACS you can block non-privileged administrators from using the key chain command.
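The practical defender's takeaway from the above is that any credential stored as type 0 or type 7 in a running-config should be treated as recoverable and migrated to a secret. The following audit script is an added example, not code from the original post or from Cisco: it scans a constructed sample running-config fragment (the username line is the one shown above; the other hashes and type 7 strings are placeholder values), classifies every password, secret and key-string line by its Cisco type digit, and reports which ones need remediation. The type meanings (0 cleartext, 7 reversible, 5 MD5, 8 PBKDF2-SHA256, 9 scrypt) are Cisco's documented values; the section-tracking and report format are this example's own assumptions.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    context: str    # top-level command the credential belongs to (e.g. "line vty")
    type_code: str  # Cisco password type digit
    verdict: str    # "weak", "ok" or "review"


# Cisco IOS password types: 0 = cleartext, 7 = reversible obfuscation (what
# service password-encryption produces), 5 = salted MD5, 8 = PBKDF2-SHA256,
# 9 = scrypt. Anything else (e.g. type 6 AES) is reported for manual review.
WEAK_TYPES = {"0", "7"}
STRONG_TYPES = {"5", "8", "9"}

# "password 7 <value>", "secret 5 <value>", "key-string 7 <value>"
TYPED_RE = re.compile(r"\b(password|secret|key-string)\s+([0-9])\s+(\S+)")
# "password <value>" with no type digit is stored as type 0 (cleartext)
UNTYPED_RE = re.compile(r"\b(password|secret|key-string)\s+(?![0-9]\s)(\S+)")

# Constructed sample config fragment for this example; values are placeholders
# except the username line quoted from the post.
SAMPLE_CONFIG = """\
! constructed sample running-config fragment
service password-encryption
!
username Admin privilege 15 password 7 107E290A1600421908
username auditor secret 5 $1$EXAMPLE$placeholderhash
!
enable password 7 0123456789ABCD
enable secret 5 $1$EXAMPLE$placeholderhash
!
key chain EIGRP-KEYS
 key 1
  key-string 7 0123456789ABCD
!
line con 0
 password cisco
 login
line vty 0 4
 password 7 0123456789ABCD
 login
!
"""


def audit_config(config: str) -> List[Finding]:
    """Return one Finding per stored credential in an IOS-style config."""
    findings: List[Finding] = []
    section = "global"
    for n, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            # Top-level command: remember it as context for indented sub-commands
            section = " ".join(line.split()[:2])
        typed = TYPED_RE.search(line)
        if typed:
            type_code = typed.group(2)
        elif UNTYPED_RE.search(line):
            type_code = "0"
        else:
            continue
        if type_code in WEAK_TYPES:
            verdict = "weak"
        elif type_code in STRONG_TYPES:
            verdict = "ok"
        else:
            verdict = "review"
        findings.append(Finding(n, section, type_code, verdict))
    return findings


def has_password_encryption(config: str) -> bool:
    """True if service password-encryption is set (obfuscation only, not hashing)."""
    return re.search(r"^service password-encryption\s*$", config, re.M) is not None


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    print(f"service password-encryption: {has_password_encryption(SAMPLE_CONFIG)}")
    for f in results:
        hint = " -> migrate to a 'secret' form" if f.verdict == "weak" else ""
        print(f"line {f.line_no:>3}  [{f.context}]  type {f.type_code}  {f.verdict}{hint}")
    print(summarize(results))
```

Run it against a saved `show running-config` by passing the file contents to audit_config(); every "weak" line is a credential that the key chain trick, or any offline type 7 decoder, will reveal, while the "ok" lines are the ones the post recommends (enable secret, username ... secret).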
