
ASA username password encryption ?? What type of hash is it?

rodsculthorp66
Level 1

I am generating configuration files for customer equipment from a Perl script and everything works fine, but I do not feel comfortable embedding passwords in plain text. I am expecting that the customer may have to load some of the configs and it does not follow good security practices to leave the passwords unencrypted.  I have been able to work out the process of hashing passwords fed in from the command line for standard routers and switches that use the IOS MD5, and the Type 7 hash used for RADIUS keys, but I have no idea what the crypto method is for the ASA user accounts.  I have been working through several of the known hash types to try and match output to a known input, but since I do not know if the algorithm is static or dynamic, I do not know if I will find a match.

Anyone have any insight into what algorithm is used for the hash?

Thanks,

Rod

4 Replies

David paull
Level 1

It's probably PIX-MD5 no salt.

I will try that and let you know.

Marvin Rhoads
Hall of Fame

As best as I know, it's a variant of base-64 encoded MD5 hash.

Cisco doesn't publish the method but some folks assert you can recreate the password programmatically. Reference.

I have read through a couple of write-ups on this and one seemed interesting in that it referenced an MD5 hash (16 or 32 character maximum, depending on the version of IOS) and a 4 character hash based on the first four characters of the username.  If I get a chance, I will try this, but it is a heck of a lot harder to code in for a script to pass in through the command line.
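Added example, not part of the thread and not Cisco's code: the PIX-MD5 scheme named in the first reply, as implemented by open-source password tools, written in Python so it can be checked against the two widely seen default-config strings. The username step from the last post is an assumption here (first four bytes of the username appended, passwords of at most 12 bytes only), and the function names are this example's own.

```python
import hashlib

# crypt(3)-style alphabet used for the 16-character output
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode(digest: bytes) -> str:
    """Encode the low three bytes of each 32-bit word, 6 bits at a time."""
    out = []
    for i in range(0, 16, 4):
        v = digest[i] | (digest[i + 1] << 8) | (digest[i + 2] << 16)
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    return "".join(out)


def pix_md5(password: str, username: str = "") -> str:
    """PIX-MD5 of a password; with a username, the ASA user-account variant.

    Assumptions of this example: password <= 12 bytes, username empty or
    >= 4 bytes. Longer passwords and shorter usernames follow extra rules
    that are not covered here.
    """
    secret = password.encode("utf-8")
    user = username.encode("utf-8")
    if len(secret) > 12:
        raise ValueError("passwords longer than 12 bytes are not covered")
    if user and len(user) < 4:
        raise ValueError("usernames shorter than 4 bytes are not covered")
    secret += user[:4]                 # only the first four bytes are mixed in
    secret = secret.ljust(16, b"\0")   # NUL-pad to one 16-byte block
    return _encode(hashlib.md5(secret).digest())


if __name__ == "__main__":
    # Constructed sample accounts, not taken from any real configuration.
    for pw, user in [("cisco", ""), ("cisco", "admin"), ("cisco", "operator")]:
        print(f"{user or '(none)':10} {pix_md5(pw, user)}")
```

Without a username the same password always produces the same string on every device, which is the "no salt" property mentioned above; the username only varies the result per account name, so the string in a shared config still deserves the same handling as the password itself.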
