Python tool for converting plain text to Type9 passwords

Brett Verney — Wed, 31 Mar 2021 04:22:14 GMT

Hi all,

I've attempted to create a tool that takes a plain text password and converts it in to a Type9 (scrypt) encrypted password. The idea is to be able to build full CLI configurations for IOS/IOS-XE without having to ship configs with plain text passwords, and also not have to find a switch or router lying around to generate the Type9 password.

My current code is:

from passlib.hash import scrypt
import sys

# Illegal Cisco IOS characters
invalid_chars = r"\~?|[]<>{}:;+=/\"\'"
# Translate the Base64 table to custom Cisco table
base64chars  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
cisco64chars = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
transtable = str.maketrans(base64chars, cisco64chars)

def main():
    while True:
        try:
            pwd = input('\n' + 'Enter a Plain Text Password to Encrypt: ')
        except KeyboardInterrupt:
            sys.exit(0)
        else:
            # Maximum characters
            if len(pwd) > 64:
                print ('Password must be between 1 and 64 characters. Try again.')
                main()
            else:
                for char in pwd:
                    if char in invalid_chars:
                        print ('Illegal characters. Try again.')
                        main()         
                else:
                    # Encrypt using - 2^14 iterations, random salt of 14 chars (80 bits/10 bytes)
                    hash = str(scrypt.using(rounds=14, salt_size=10).hash(pwd))[22:]
                    # Make the Base64 translation
                    hash = hash.translate(transtable)
                    print ('\n Your Type 9 hash is: $9$' + hash)
                    sys.exit(0)

When specifying the password 'abc123' the resulting hash is - $9$MUmVJ6dlPaphXE$y6mDuGoy.6i7lLBL9bhCOoGu/RryL3VaVL7am0uz/ko

When I copy and paste this on to a cisco switch with

username admin secret 9 $9$MUmVJ6dlPaphXE$y6mDuGoy.6i7lLBL9bhCOoGu/RryL3VaVL7am0uz/ko

The password of 'abc123' is incorrect.

I suspect it's something to do with the way I am handling the salt (do I base64 encode/decode the salt, am I supposed to encrypt the salt using scrypt at all), but I'm really not sure!

If anyone has an ideas, or wants to help me figure this out offline, I will be forever grateful! I am at my wits end, with this one.

-Brett

Re: Python tool for converting plain text to Type9 passwords

Brian Sak — Wed, 31 Mar 2021 15:53:05 GMT

I'm not familiar enough with the cryptographic features of the Type 9 passwords and their use of scrypt to recognize what is incorrect about your implementation. However, I was able to find some other work along these lines done in Java which you may be able to use to identify the issue. Here is videgro's Github repo for the Java implementation and associated blog which may help.

Re: Python tool for converting plain text to Type9 passwords

Brett Verney — Tue, 06 Jul 2021 00:55:55 GMT

Brian,

With that Java implementation and a Perl implementation (as well as help from someone in the community) I was able to successfully come up with some code to make this work.

I have posted the code on github - GitHub - wifiwizardofoz/ciscoPWDhasher: A Python Cisco IOS, IOS-XE and NX-OS password hashing tool.

Thanks for taking the time to reply!

-Brett

topic Re: Python tool for converting plain text to Type9 passwords in Other Security

Python tool for converting plain text to Type9 passwords

Re: Python tool for converting plain text to Type9 passwords

Re: Python tool for converting plain text to Type9 passwords