Cisco Password Recovery

So you have a cisco device that is password protected, perhaps it is a mission critical core device and you lost the password. It doesn’t matter why, but maybe when you recover it, take note of it this time.

So what I present here is a method for actually recovering the MD5 hashed “Enable” or user passwords through a dictionary attack (and physical access).

First, let us look at the actual password as the IOS stores it:

enable secret 5 $1$mERr$Q4J3cxRImm68KXqMDsLDs/

Wait a minute, we’re not even going to be able to get that far since we can’t do a show run on the device, because that requires privileged exec permissions and you forgot that password.

There are ways to dump the password hash.. it requires physical access and for “service password-recovery” to be enabled (the current default). You may also have archived configs or other devices that have the same password. Point is, somehow get this hashed password. Cisco has documentation on password reset/recovery. Go to your search provider.

Now lets get back to that password:
enable secret 5 $1$mERr$Q4J3cxRImm68KXqMDsLDs/

If you’re familiar with Unix, BSD, or Linux password files, then this whole thing looks familiar. That’s because Cisco uses the same FreeBSD crypto libraries as the rest of the world (except Microsoft; they invent wheels).

The 5 is Cisco IOS’ way of knowing that this is an MD5 hashed password (there are other algorithms). The rest of it is the hashed password. The $ is a field separator, like a space or tab mark except that it makes way more sense than a space (for nerd reasons – mainly that $ is not a valid character and spaces & tabs fail copy/paste interpretation in text editors). So we have THREE fields: hash type, salt and the hash itself (Here is the 342 page CryptLib manual).

So here the hash type $1$ is MD5; there are other algorithms (Blowfish, SHA256, SHA512 and Sun’s version of MD5) but we only care about MD5 for now (The others are $2$ & $2a$ – Blowfish; $md5$ – Sun MD5; $5$ – SHA256 and $6$ – SHA512). And then there’s the seed mERr which is 3 random bytes printed as Base64. And then there’s the actual hash itself, also Base64.

Base64 encoding is used so that it is at least printable, otherwise it is just random binary garbage. Base64 is the reason $ is used as a field separator. Go read Base64 if you’re so interested.

Time for ascii breakdown:

 | |    |
 | |    |> Hashed salt+password
 | |> base64 salt (3 bytes)
 |> Hash type (md5)

Now that we know the nature of this beast, lets slay it. OpenSSL is a free open source toolkit based on (you guessed it) the crypto libraries from FreeBSD. We can use the OpenSSL toolkit to generate this exact hash output.

Do this at your favorite *nix prompt:

 openssl passwd -1 -salt `openssl rand -base64 3` -1 "cleartext_password"

The output looks like:

cleartext_password      $1$bje/$Lv8yHjnbPCJraDcK69kfb.

Now generate  or find a wordlist. Make damn sure it is in Unix format and not Windows or Mac format. It needs to have normal line breaks, not 2-byte breaks. Just make sure your wordlist has any potential passwords that might have been used. Save that wordlist somewhere. We are going to feed the wordlist to OpenSSL, which will generate the hashes. Let’s just pretend for easy sake that the enable password was in fact “password”. Run your wordlist that contains “password” through openssl and feed it to grep.

Alex@server ~
$ openssl passwd -1 -salt iYxt -table -in wordlist.txt | grep O8NACOhD1
password        $1$iYxt$odjaDlIGnEOYxO8NACOhD1

So what does this mean? We used openssl to generate password hashes (passwd) of type MD5 (-1) with the specified salt (-salt iYxt) output as a table format (-table) reading in from our wordlist (-in wordlist.txt) and then we pipe it to grep searching for a known chunk of text in the hash (grep O8NACOhD1). After a few minutes of working, grep finds the line and spits it out. HOLY SHIT IT WORKS I AM AWESOME HAXXXORZ!!!1

Understand now? Does it seem all that complicated? It really isn’t.

To speed it up (say you have a few cores or CPUs), you could use the unix split tool to chop up the file into equal sized chunks and spawn N openssl processes each reading a different wordlist chunk.

And to top it off, John the Ripper works even better because it can compute in parallel and is probably optimized for speed. YAY!!


One response to “Cisco Password Recovery

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s