07-03-2008 03:18 AM
Hi All
I have a question about setting up user accounts on a Cisco router.
I have seen a statement like the following on a Cisco router
username cisco privilege 15 secret 5 $1$s4bl$Lb.b/v/HgWKTdfP/h9
However, if I try to enter the command "username <myname> privilege 15 secret 5 <password in plain text>" I get the following error:
BETE_R1-3640(config)#username michael privilege 15 secret 5 password
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
This seems to suggest that I have to enter the password in MD5 encrypted form. Is this the case?
If yes, is there some way to create an MD5 encrypted password to enter on your router?
Best Regards,
Michael
07-03-2008 03:59 AM
Michael,
As per my experience you need to always discard the "5" when you want to encrypt the password. The secret keyword ensures that the password is MD5 protected.
The converted MD5 password can then be seen using the show run command. The line can then be entered as it is (including the 5) on other routers for similar configuration.
Narayan
07-03-2008 04:06 AM
Michael,
You will only specify 5 if the password has been previously encrypted. If you are entering a password and it is not encrypted, it will not accept it because it is not a valid MD5 string. Below is how to configure a username/password that will use the MD5 encryption.
username
In the config it will show an encrypted MD5 password.
Mark
07-03-2008 04:30 AM
Hi There
Cheers for the response and information.
As per your posts, I entered "username michael privilege 15 secret password" and the show run shows
"username michael privilege 15 secret xxx."
When I initially saw this I thought that the command entered by whoever configured this router was "username
However, thinking a little more about this, it now makes sense. If this configuration were being loaded back in from, say, a TFTP server after some problem, then the password is indeed in its MD5 hashed format, hence the requirement for the number "5" after the word secret.
Can I just ask if either of you guys are aware of a tool which would generate an MD5 hashed password, suitable to be entered as ".... secret 5
I tried using another Cisco router, taking the MD5 hashed enable secret password and using it in my "username ...." command. Although the command is accepted without any error, when I then try to log in using this password, I get "Login invalid".
Best Regards,
Michael
07-03-2008 04:37 AM
The only way I know an MD5 password can be cracked is by brute force or dictionary attack. I have not seen any applications into which you can copy and paste the encrypted password and have it display the password. The type 7 passwords, on the other hand, can easily be broken.
Mark
07-03-2008 04:55 AM
Hi Mark
I don't mean to crack the password. What I mean is, is there any tool which you could use to GENERATE an MD5 hashed version of a password which a Cisco router would accept and which would be usable?
Say that you are paranoid about the password being seen by someone looking over your shoulder while you enter it into the router. So you have a tool/application into which you could enter a plain text string and have an MD5 hashed password, suitable for use with a Cisco device, generated. Of course, if the plain text password can be seen while you configure the router, it can be seen as you enter it into a 3rd party tool/application.
I was really just curious, as it seems that you can enter an MD5 hashed password if you use the number "5" after the "secret" keyword. But as I mentioned above, I believe this is only used in the case where a router's configuration has to be restored from a backup.
Again, thanks for the response and information.
Best Regards,
Michael
07-03-2008 05:26 AM
Though you will find many MD5 generators on the web when you google, they never work with the secret command and you will still get the same error.
It's best to configure the unencrypted string and leave it to the router to do the encryption. Try to configure the command when no one is looking around :-)
Narayan
06-15-2016 01:23 PM
I realized this was answered but I wanted to add to this another solution.
In certain versions of 15 IOS code, if you enter the enable secret unencrypted, by default the OS will encrypt it, but with a type 4 password, which is weaker than a type 5. To fix this you can either upgrade the code to correct the bug or you can manually enter a type 5. To generate a type 5 password simply:
Copy a type 5 password from an IOS platform that does not support type 4.
Log on to a Cisco device running a version 12 IOS. Enter your command "enable secret <password>".
Then "show run | in enable secret".
Copy and paste the output into your 15 code device that exhibits this bug.
This article helped me find the answer for this. It explains it in great detail.
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
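Added example (not from any poster, and not Cisco code): Narayan's point that web "MD5 generators" never produce something the secret command accepts, and the workaround above of borrowing a type 5 hash from a 12.x device, both come down to the same fact: a Cisco type 5 secret is not a plain MD5 digest but an MD5-crypt string ($1$ followed by an 8-character salt, $, and 22 characters of a custom base64 alphabet), the same scheme used for $1$ entries in Unix password files. The Python below implements MD5-crypt from the public algorithm, so you can produce a "secret 5 $1$..." value offline or check that a stored value corresponds to the password you think it does; the salt helper, function names and the constructed sample password are my own.

```python
import hashlib
import secrets

# MD5-crypt's base64 alphabet ("./0-9A-Za-z"); not the standard base64 table
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"          # prefix of a Cisco type 5 / Unix MD5-crypt string


def _to64(value: int, n: int) -> str:
    """Emit n characters, 6 bits each, least significant group first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def new_salt(length: int = 8) -> str:
    """Random salt from the MD5-crypt alphabet (8 chars is the maximum used)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def md5_crypt(password: str, salt: str) -> str:
    """Return the $1$<salt>$<hash> string a router stores after 'secret <pw>'."""
    pw = password.encode()
    salt_b = salt[:8].encode()             # the algorithm uses at most 8 salt chars
    # Alternate sum: MD5(pw + salt + pw)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # Main context starts with pw + magic + salt, then len(pw) bytes of alt
    ctx = hashlib.md5(pw + MAGIC.encode() + salt_b)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of len(pw): a zero byte if set, else the first password byte
    i = len(pw)
    while i > 0:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds, mixing pw, salt and the running digest
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(salt_b)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    # Encode 16 digest bytes as 22 characters in the algorithm's fixed byte order
    out = MAGIC + salt_b.decode() + "$"
    for a, b, c3 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c3], 4)
    out += _to64(final[11], 2)
    return out


def verify_secret(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in a stored type 5 string and compare."""
    parts = stored.split("$")             # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, parts[2]), stored)


if __name__ == "__main__":
    pw = "password"                        # constructed sample password
    plain = hashlib.md5(pw.encode()).hexdigest()
    cisco = md5_crypt(pw, new_salt())
    print("web MD5 generator output :", plain)      # 32 hex chars: rejected by 'secret 5'
    print("type 5 (MD5-crypt) string:", cisco)      # $1$<salt>$<22 chars>: accepted
    print("username admin privilege 15 secret 5", cisco)
    print("verifies:", verify_secret(pw, cisco))
```

The "secret 5" form is only the stored hash being re-entered verbatim, so the same string verifies on any IOS that implements type 5, which is why a hash copied from one router works on another if the password behind it is the one you type at login. A plain MD5 hex digest has neither the $1$ prefix nor the salt, which is why the router reports it as "not a valid encrypted secret".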
07-03-2008 04:56 AM
One of the most challenging ways to crack an MD5 hash is the use of rainbow tables. There are some online tools available to get a vision of what is possible with that (http://md5.thekaine.de).
Especially ophcrack (not for MD5, but Windows passwords) is an amazing proof of how weak those mechanisms are.