privilege 15 secret 5     

decrypt password

 $1$dcJp$laJp5rgLFuOCksyhkBXYD0

Hi There

Cheers for the response and information.

As per your posts, I entered "username michael privilege 15 secret password" and the show run shows

"username michael privilege 15 secret xxx."

When I initially seen this I thought that the command entered by who ever configured this router was "username provilege 15 secret 5 " (with the 5 after the keyword "secret") and could not understand why when I tried this command I got the error.

However thinking a little more about this and it now makes sense. As if this configuration was being loaded back in from say a tftp server after some problem, then the password is indeed in it's MD5 hashed format, hence the requirement for the number "5" after the word secret.

Can I just ask if either of you guys are aware of a tool which would generate a MD5 hashed password, suitable to be entered as ".... secret 5 " or is this not the done thing?

I tried using another Cisco router and taking the MD5 hashed enable secret password and using it in my "username ...." command. And although the command is accepted without any error, when I try to then log in using this password, I get "Login invalid".

Best Regards,

Michael

The only way I know a MD5 password can be cracked is by brute force or dictionary attack. I have not seen any applications that you can copy and paste the encrypted password and display the password. The 7 type passwords on the other hand can easily be broken.

Mark

Hi Mark

I don't mean to crack the password. What I mean is, if there is any tool which you could use to GENERATE an MD5 hashed version of a password which a Cisco router would accept and would be usable.

Say that you are paranoid about the password being seen by someone looking over your shoulder while you enter it into the router. So you have a tool/application into which you could enter a plain text string and have an MD5 hash password, suitable for use with a Cisco device generated. Of course if the plain text password can be seen while you configure the router, it can be seen as you enter it in to a 3rd party tool/application.

I was really just curious, as it seems that you can enter an MD5 hashed password if you use the number "5" after the "secret" keyword. But as I mentioned above, I believe this is purely only used in the case where a routers configuration has to be restored from a backup.

Again, thanks for the response and information.

Best Regards,

Michael

Though you will find many MD5 generators on the web when you google, they never work with the secret command and u will still get the same error.

Its best to configure the unencypted string and leave it to the router to do the encyption. Try to configure the command when no one is looking around :-)

Narayan

I realized this was answered but I wanted to add to this another solution.

In certain versions of 15 ios code if you enter the enable secret unencrypted by default the OS will encrypt it but with a type 4 password which is weaker than a type 5. To fix this you can either upgrade the code to correct the bug or you can manually enter a type 5. To generate a type 5 password simply:

Copy a type 5 password from an IOS platform that does not support type 4. 

Log on to a cisco device running a version 12 IOS. enter your command "enable secret <password>"

Then show run | in enable secret

copy and paste the output into your 15 code device that exhibits this bug.

This article helped me find the answer for this. It explains it in great detail.

https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

One of the most challenging ways to crack an md5 Hash is the use of rainbow tables. There are some online Tools available to get a vision of what is possible with that (http://md5.thekaine.de).

Especially ophcrack (not for md5, but windows passwords) is an amazing prove on how weak those mechanisms are.