cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4467
Views
10
Helpful
2
Replies

Python tool for converting plain text to Type9 passwords

Brett Verney
Level 1
Level 1

Hi all,

I've attempted to create a tool that takes a plain text password and converts it in to a Type9 (scrypt) encrypted password. The idea is to be able to build full CLI configurations for IOS/IOS-XE without having to ship configs with plain text passwords, and also not have to find a switch or router lying around to generate the Type9 password.

 

My current code is:

 
from passlib.hash import scrypt
import sys

# Illegal Cisco IOS characters
invalid_chars = r"\~?|[]<>{}:;+=/\"\'"
# Translate the Base64 table to custom Cisco table
base64chars  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
cisco64chars = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
transtable = str.maketrans(base64chars, cisco64chars)

def main():
    while True:
        try:
            pwd = input('\n' + 'Enter a Plain Text Password to Encrypt: ')
        except KeyboardInterrupt:
            sys.exit(0)
        else:
            # Maximum characters
            if len(pwd) > 64:
                print ('Password must be between 1 and 64 characters. Try again.')
                main()
            else:
                for char in pwd:
                    if char in invalid_chars:
                        print ('Illegal characters. Try again.')
                        main()         
                else:
                    # Encrypt using - 2^14 iterations, random salt of 14 chars (80 bits/10 bytes)
                    hash = str(scrypt.using(rounds=14, salt_size=10).hash(pwd))[22:]
                    # Make the Base64 translation
                    hash = hash.translate(transtable)
                    print ('\n Your Type 9 hash is: $9$' + hash)
                    sys.exit(0)

 

 

When specifying the password 'abc123' the resulting hash is - $9$MUmVJ6dlPaphXE$y6mDuGoy.6i7lLBL9bhCOoGu/RryL3VaVL7am0uz/ko

 

When I copy and paste this on to a cisco switch with

username admin secret 9 $9$MUmVJ6dlPaphXE$y6mDuGoy.6i7lLBL9bhCOoGu/RryL3VaVL7am0uz/ko

The password of 'abc123' is incorrect.

 

I suspect it's something to do with the way I am handling the salt (do I base64 encode/decode the salt, am I supposed to encrypt the salt using scrypt at all), but I'm really not sure!

 

If anyone has an ideas, or wants to help me figure this out offline, I will be forever grateful! I am at my wits end, with this one.

 

-Brett

2 Replies 2

Brian Sak
Cisco Employee
Cisco Employee

I'm not familiar enough with the cryptographic features of the Type 9 passwords and their use of scrypt to recognize what is incorrect about your implementation. However, I was able to find some other work along these lines done in Java which you may be able to use to identify the issue.  Here is videgro's Github repo for the Java implementation and associated blog which may help.

Brian,

With that Java implementation and a Perl implementation (as well as help from someone in the community) I was able to successfully come up with some code to make this work.

I have posted the code on github - GitHub - wifiwizardofoz/ciscoPWDhasher: A Python Cisco IOS, IOS-XE and NX-OS password hashing tool.

Thanks for taking the time to reply!

-Brett

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: