Over the years, Cisco has improved how IOS stores passwords in the configuration file. As a result, securing Cisco IOS passwords is part of my checklist when hardening Cisco-based network infrastructure for clients.
This article also appeared on Art of Network Engineering.
History
Cisco IOS has always had the option to store passwords in cleartext in the configuration file. As you and I both know, storing cleartext passwords in the configuration file is a big no-no. To address that, Cisco added an option to encrypt the password with a Vigenère cipher. This reversible password type is known as Type 7.
In the early 90s, Cisco also introduced a cryptographic hash function to store passwords in the configuration file. This irreversible password type is known as Type 5; it uses a salted, iterated MD5 construction (the same md5crypt scheme behind Unix $1$ hashes).
Back in 1995, someone released the first program that decrypted Type 7 passwords found in configuration files. Today, several tools are available to decrypt Type 7 passwords, and most, if not all, people in the networking field know not to rely on Type 7.
Improvements
Sometime between 2009 and 2010, Cisco introduced a new hashing algorithm for user-provided cleartext passwords. They called it Type 4, and it was meant to use PBKDF2. However, in March 2013, Cisco revealed an implementation issue with Type 4: the code did not use PBKDF2 or a salt, but a single unsalted SHA-256 pass over the password, which made it weaker than Type 5.
In August 2013, Cisco addressed the Type 4 issue by deprecating it and introducing two new hashing algorithms. Cisco named the proper implementation of PBKDF2 with an 80-bit salt Type 8, and the other one, which uses scrypt, Type 9.
Configuration
For completeness' sake, I will cover Type 0 to Type 9, except for Type 4 since Cisco deprecated it. However, keep in mind that some IOS 15.x versions did change the enable secret default from Type 5 to Type 4. Make sure to upgrade the software on your Cisco devices, or select the algorithm explicitly (enable algorithm-type md5 secret for Type 5) instead of accepting the default. A quick check is show run | include secret: the number right after secret is the type, and a 4 there means the password needs to be re-entered after the upgrade.
Cleartext – Type 0
As mentioned earlier, cleartext passwords are a big no-no, so you should never use them. Here are two examples that use Type 0 passwords:
R1(config)#enable password cisco
R1(config)#username user1 password cisco
R1(config)#do sh run | i user1 |enable password
enable password cisco
username user1 password 0 cisco
Since it's cleartext, anyone who gets hold of a configuration file that uses Type 0 knows the account's password; note that enable password shows no type number at all, while username ... password shows 0. I cannot reiterate it enough: never use this method.
Vigenère – Type 7
Since Type 7 decryption tools have been around for more than 25 years, it is also best practice not to use this password type. Type 7 is not a hash: it is reversible encryption with a fixed, publicly known key, so in this day and age its only job is to obfuscate the password against someone glancing at the screen. Same as Type 0, never use this method if you can avoid it.
To enable Type 7 passwords, use the service password-encryption global config command, as shown below. It rewrites the cleartext password and key lines it knows about (enable password, username password, line passwords, routing-protocol and AAA server keys) as Type 7; it does nothing to secret lines, and it does nothing for copies of the configuration that were already backed up or pasted somewhere in cleartext.
R1(config)#service password-encryption
R1(config)#do sh run | i user1|enable password
enable password 7 00071A150754
username user1 password 7 14141B180F0B
Cracking Type 7
One of the Type 7 decryption tools I use is IFM's password cracker. Since it uses client-side JavaScript, it shouldn't transmit the encrypted password to their site; you can confirm that by watching the browser's network tab while it decodes. However, some people aren't comfortable using online tools at all, so you can use this Python tool that I found instead.
Here's an example of how to decrypt the Type 7 passwords using the Python tool.
MacBook-Pro:~ Andrew$ python ciscot7.py -d -p 00071A150754
Decrypted password: cisco
MacBook-Pro:~ Andrew$ python ciscot7.py -d -p 14141B180F0B
Decrypted password: cisco
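The whole Type 7 scheme fits in a few lines, which is the real lesson: the "key" is a fixed string that has been public since 1995, and the two leading digits are only an offset into it. The following Python is an added example written for this article, not the tool linked above or any Cisco code. It reverses and recreates Type 7 strings, then audits a constructed configuration snippet (the two Type 7 strings and the Type 5 hash from the examples on this page, plus an invented vty line password) so one script flags Type 0, 7 and 5 lines in a running-config. The audit regex and the 0..15 seed range are this example's assumptions about what IOS emits.

```python
"""Cisco Type 7 reversal and a quick password-type audit of a running-config."""
import re
import secrets
from typing import List, NamedTuple, Optional

# The fixed Type 7 key; it has been public since the first decoder appeared in 1995.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Two decimal digits give the key offset; each following hex byte is XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("Type 7 strings are an even number of hex characters, at least 4")
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def type7_encrypt(plaintext: str, seed: Optional[int] = None) -> str:
    """Produce the string IOS would store. IOS uses seeds 0..15 (assumed here); None picks one."""
    if seed is None:
        seed = secrets.randbelow(16)
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    data = plaintext.encode("latin-1")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


class Finding(NamedTuple):
    lineno: int
    ptype: int                 # 0, 5, 7, 8 or 9
    value: str                 # what is stored in the config
    plaintext: Optional[str]   # recovered password for Type 0/7, None for real hashes


# 'password' or 'secret', an optional numeric type, then the stored value.
# 'service password-encryption' does not match because no whitespace follows the keyword.
_PW_LINE = re.compile(r"\b(?P<kw>password|secret)\s+(?:(?P<type>[05789])\s+)?(?P<value>\S+)")

SEVERITY = {0: "cleartext", 7: "reversible Type 7", 5: "md5crypt, upgrade to 8/9",
            8: "PBKDF2-SHA256", 9: "scrypt"}


def audit_config(config: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = _PW_LINE.search(line)
        if not m:
            continue
        ptype = int(m["type"]) if m["type"] else 0   # 'password cisco' with no digit is Type 0
        value = m["value"]
        if ptype == 0:
            plaintext = value
        elif ptype == 7:
            plaintext = type7_decrypt(value)
        else:
            plaintext = None
        findings.append(Finding(lineno, ptype, value, plaintext))
    return findings


# Constructed sample: the two Type 7 strings and the Type 5 hash from the examples above,
# plus an invented vty line password. Not a real device configuration.
SAMPLE_CONFIG = """\
! constructed sample for this example
service password-encryption
enable password 7 00071A150754
username user1 password 7 14141B180F0B
username user2 secret 5 $1$zIVZ$bruo6YRTBssE5X/0pVmcL1
line vty 0 4
 password ciscovty
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        shown = f"  -> {f.plaintext!r}" if f.plaintext is not None else ""
        print(f"line {f.lineno}: type {f.ptype} ({SEVERITY[f.ptype]}){shown}")
```

Run it against a saved show run and every Type 7 line comes back with its cleartext next to it, which is usually the fastest way to convince someone that service password-encryption is obfuscation, not protection.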
MD5 – Type 5
I think it's safe to say that many, if not all, network professionals know and use Type 5 passwords, as they should. You may have heard or read about MD5 collision attacks, but collisions do not help an attacker recover a password; what matters for a password hash is how cheaply each guess can be tested. Cisco's Type 5 uses a four-character salt and 1,000 rounds of MD5, which makes each guess comparatively slow and, because every hash has its own salt, makes rainbow tables infeasible.
To enable Type 5 passwords, use the secret keyword instead of password, as shown below.
R1(config)#enable secret !)!@carelesswhisper!(&*
R1(config)#username user2 secret cisco
R1(config)#do sh run | i enable secret|user2
enable secret 5 $1$Xg8x$BzRsPjkLrLCl2Z02Mp4cs1
username user2 secret 5 $1$zIVZ$bruo6YRTBssE5X/0pVmcL1
Cracking Type 5
So why change if it's still strong enough to thwart password cracking? Well, MD5 has been around for almost 30 years, and computational power has increased significantly since then. Nowadays, it is possible to recover simple Type 5 passwords almost instantly. Go ahead and use user2's hash to crack it.
Note
The site is a proof of concept. It has a small dictionary of common passwords, so don’t rely on it to crack passwords.
If the password is in any of the wordlists out there, then it is possible to crack it in a reasonable time. For example, I recovered the enable secret password in roughly seven minutes using a MacBook Pro 2016.
MacBook-Pro:~ Andrew$ hashcat -a 0 -m 500 '$1$Xg8x$BzRsPjkLrLCl2Z02Mp4cs1' rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921512
* Keyspace..: 14344385

Approaching final keyspace - workload adjusted.

$1$Xg8x$BzRsPjkLrLCl2Z02Mp4cs1:!)!@carelesswhisper!(&*

Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$Xg8x$BzRsPjkLrLCl2Z02Mp4cs1
Time.Started.....: Wed Jan 6 11:35:02 2021 (7 mins, 20 secs)
Time.Estimated...: Wed Jan 6 11:42:22 2021 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 5241 H/s (7.35ms) @ Accel:32 Loops:7 Thr:8 Vec:1
Speed.#3.........: 27300 H/s (7.73ms) @ Accel:16 Loops:15 Thr:64 Vec:1
Speed.#*.........: 32541 H/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 14343062/14344385 (99.99%)
Rejected.........: 0/14343062 (0.00%)
Restore.Point....: 14319616/14344385 (99.83%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:56-63
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:990-1000
Candidates.#2....: !"34five -> Th1z#1s+53kri7
Candidates.#3....: #!goth -> !"=!=/

Started: Wed Jan 6 11:35:00 2021
Stopped: Wed Jan 6 11:42:24 2021
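To make the cost argument concrete without hashcat, here is the md5crypt construction behind Type 5 in pure Python, standard library only. It is an added example for this article, not Cisco's or hashcat's code. The two hashes are the ones from the configuration above and the wordlist is constructed inline as a stand-in for rockyou.txt. It shows the two things that matter for the cracking discussion: a guess has to be re-hashed for every distinct salt, so nothing precomputed for one hash helps with another, and each guess costs only about 1,000 MD5 calls, which is why a laptop GPU gets through rockyou in minutes.

```python
"""Cisco Type 5 = md5crypt ($1$): pure-Python reimplementation plus a dictionary attack."""
import hashlib
import hmac
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, nchars: int) -> str:
    """crypt(3)-style base64: least significant 6 bits first."""
    out = []
    for _ in range(nchars):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    pw = password.encode("utf-8")
    sl = salt.encode("ascii")[:8]   # md5crypt caps the salt at 8 chars; IOS uses 4
    # Stage 1: seed the context with password, magic and salt, then fold in
    # H(pw||salt||pw) once per 16 bytes of password and one byte per bit of its length.
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # Stage 2: 1,000 rounds; the order and presence of inputs depend on the round number.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # Stage 3: encode the 16 bytes in a fixed, permuted order.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return "$1$" + sl.decode("ascii") + "$" + enc


def verify_type5(stored: str, candidate: str) -> bool:
    _, magic, salt, _ = stored.split("$")
    if magic != "1":
        raise ValueError("not a Type 5 ($1$) hash")
    return hmac.compare_digest(md5crypt(candidate, salt), stored)


def crack_type5(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Plain dictionary attack: re-hash every candidate with the stored hash's salt."""
    for candidate in wordlist:
        if verify_type5(stored, candidate):
            return candidate
    return None


ENABLE_HASH = "$1$Xg8x$BzRsPjkLrLCl2Z02Mp4cs1"   # enable secret from the configuration above
USER2_HASH = "$1$zIVZ$bruo6YRTBssE5X/0pVmcL1"    # username user2 secret 5
WORDLIST = ["123456", "cisco", "Cisco123", "!)!@carelesswhisper!(&*"]   # constructed, not rockyou

if __name__ == "__main__":
    for h in (ENABLE_HASH, USER2_HASH):
        print(h, "->", crack_type5(h, WORDLIST))
    # Same password, different salt: nothing precomputed for one hash helps with the other.
    print(md5crypt("cisco", "zIVZ"), md5crypt("cisco", "Xg8x"))
```

The same loop is what hashcat runs, just on a GPU with the rockyou.txt file as the wordlist; the salt only forces the attacker to run it once per hash rather than once per password list.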
Note
It seems that some Cisco IOS XE versions have already deprecated Type 5 passwords.
PBKDF2 – Type 8
As mentioned, Type 8 is what Type 4 was supposed to be. It uses PBKDF2 with 20,000 iterations of HMAC-SHA-256 and an 80-bit salt. The 20,000 iterations make each guess computationally expensive. With a specialized machine it is still possible to recover a weak password by brute force or dictionary attack, but it takes much longer than with the previous hashing algorithms.
To enable Type 8 passwords, specify algorithm-type sha256, as shown below.
R1(config)#enable algorithm-type sha256 secret !)!@carelesswhisper!(&*
R1(config)#username user3 algorithm-type sha256 secret !)!@carelesswhisper!(&*
R1(config)#do sh run | i enable secret|user3
enable secret 8 $8$t2DaByeLrdkEe9$rrmHBGlW2UeVFa8dW0NUJ2.CMAK6tSkod/AJYB6ONmE
username user3 secret 8 $8$EXdd0mQVVxdZTv$jDbwo3G4JDJIWPLpIEPJlP.yykOZyz4VIn0i62XF1mY
Cracking Type 8
As mentioned, it is possible to perform a brute-force or dictionary attack on Type 8. I tried to crack user3's hash with the same wordlist, and it took around 42 minutes.
MacBook-Pro:~ Andrew$ hashcat -a 0 -m 9200 '$8$EXdd0mQVVxdZTv$jDbwo3G4JDJIWPLpIEPJlP.yykOZyz4VIn0i62XF1mY' rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921512
* Keyspace..: 14344385

Approaching final keyspace - workload adjusted.

$8$EXdd0mQVVxdZTv$jDbwo3G4JDJIWPLpIEPJlP.yykOZyz4VIn0i62XF1mY:!)!@carelesswhisper!(&*

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Cisco-IOS $8$ (PBKDF2-SHA256)
Hash.Target......: $8$EXdd0mQVVxdZTv$jDbwo3G4JDJIWPLpIEPJlP.yykOZyz4VI...2XF1mY
Time.Started.....: Wed Jan 6 13:57:47 2021 (41 mins, 47 secs)
Time.Estimated...: Wed Jan 6 14:39:34 2021 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 582 H/s (15.92ms) @ Accel:16 Loops:8 Thr:64 Vec:1
Speed.#3.........: 5135 H/s (1.72ms) @ Accel:64 Loops:32 Thr:64 Vec:1
Speed.#*.........: 5717 H/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 14319809/14344385 (99.83%)
Rejected.........: 0/14319809 (0.00%)
Restore.Point....: 14098432/14344385 (98.29%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:8160-8168
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:19968-19999
Candidates.#2....: *toejam* -> (Muffin)
Candidates.#3....: !hummer -> Th1z#1s+53kri7

Started: Wed Jan 6 13:57:34 2021
Stopped: Wed Jan 6 14:39:34 2021
Scrypt – Type 9
Colin Percival first published scrypt in 2009. He designed it to be memory-hard, so each guess costs memory as well as time, which makes password cracking more expensive. According to this thread, that design makes it harder to crack with specialized hardware such as multi-GPU rigs, custom ASICs or FPGAs. Keep the scale in mind, though: hashcat's -m 9300 implements Cisco's Type 9 with N=16384, r=1, p=1, roughly 2 MiB per guess, so a GPU still tests hundreds of weak candidates per second, as the run below shows.
To enable Type 9 passwords, specify algorithm-type scrypt, as shown below.
R1(config)#enable algorithm-type scrypt secret !)!@carelesswhisper!(&*
R1(config)#username user4 algorithm-type scrypt secret !)!@carelesswhisper!(&*
R1(config)#do sh run | i enable secret|user4
enable secret 9 $9$Da5NG4Iu9g5TtP$Z4I6DDgc9YWfYW./o1Cmtf/Y3HNrOw1cdJJ.lrVilZI
username user4 secret 9 $9$GNN13.4z9EYYg9$dAvWQTuVNFBucVb7xgz0gWtGVSyVvRvciQ9CosTtn2.
Cracking Type 9
I attempted to crack the password, but my computer became so sluggish compared to the other runs that I quit the program. I was, however, able to get the estimated time. This estimate is inaccurate: when I was cracking Type 8, it said 22 minutes, but the process took around 42 minutes.
MacBook-Pro:~ Andrew$ hashcat -a 0 -m 9300 '$9$GNN13.4z9EYYg9$dAvWQTuVNFBucVb7xgz0gWtGVSyVvRvciQ9CosTtn2.' rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Increasing single-block device memory allocatable for --scrypt-tmto 1.
Increasing total device memory allocatable for --scrypt-tmto 2.

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921512
* Keyspace..: 14344385

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: Cisco-IOS $9$ (scrypt)
Hash.Target......: $9$GNN13.4z9EYYg9$dAvWQTuVNFBucVb7xgz0gWtGVSyVvRvci...sTtn2.
Time.Started.....: Wed Jan 6 15:50:48 2021 (12 secs)
Time.Estimated...: Wed Jan 6 18:25:02 2021 (2 hours, 34 mins)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 764 H/s (2536.84ms) @ Accel:16 Loops:1 Thr:8 Vec:1
Speed.#3.........: 787 H/s (3035.58ms) @ Accel:16 Loops:1 Thr:8 Vec:1
Speed.#*.........: 1553 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 17408/14344385 (0.12%)
Rejected.........: 0/17408 (0.00%)
Restore.Point....: 14336/14344385 (0.10%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#2....: legendary -> travon
Candidates.#3....: tracey1 -> 280690

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => q

Started: Wed Jan 6 15:50:25 2021
Stopped: Wed Jan 6 15:51:29 2021
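Type 8 and Type 9 are both just a key-derivation function over the password and the 14-character salt that sits between the dollar signs, with the 32-byte result written in base64 using the crypt alphabet (./0-9A-Za-z) instead of the usual one. The Python below is an added example for the Type 8 and Type 9 sections above, not Cisco's or hashcat's code. It reproduces the four Type 8 and Type 9 hashes from the configuration examples with Python's hashlib, generates a fresh hash you can paste straight into a username ... secret 9 line without ever typing the cleartext on the device, and runs the same dictionary loop against either type. The scrypt cost (N=16384, r=1, p=1), the 20,000 PBKDF2 iterations and the treatment of the salt as raw ASCII bytes are what hashcat's modes 9200 and 9300 use, stated here as this example's assumptions rather than anything the page documents.

```python
"""Reproduce, verify, generate and dictionary-attack Cisco Type 8 (PBKDF2-SHA256)
and Type 9 (scrypt) secrets with only the Python standard library."""
import base64
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Cisco writes the 32-byte digest in standard base64 bit order but with the
# crypt alphabet and no padding: 32 bytes -> 43 characters (assumed; matches hashcat).
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CRYPT = str.maketrans(STD_ALPHABET, CRYPT_ALPHABET)

TYPE8_ITERATIONS = 20_000                   # PBKDF2-HMAC-SHA256 rounds
TYPE9_N, TYPE9_R, TYPE9_P = 16_384, 1, 1    # scrypt cost (assumed; hashcat -m 9300 values)
SALT_LEN = 14                               # chars of CRYPT_ALPHABET, hashed as raw ASCII


def crypt_b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(_TO_CRYPT)


def type8_hash(password: str, salt: str) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode("ascii"),
                             TYPE8_ITERATIONS, dklen=32)
    return f"$8${salt}${crypt_b64(dk)}"


def type9_hash(password: str, salt: str) -> str:
    dk = hashlib.scrypt(password.encode(), salt=salt.encode("ascii"),
                        n=TYPE9_N, r=TYPE9_R, p=TYPE9_P, dklen=32)
    return f"$9${salt}${crypt_b64(dk)}"


_HASHERS = {"8": type8_hash, "9": type9_hash}


def new_salt() -> str:
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(SALT_LEN))


def generate_secret(password: str, ptype: str = "9") -> str:
    """Hash offline, e.g. for a config template, so the cleartext never reaches the device."""
    return _HASHERS[ptype](password, new_salt())


def verify_secret(stored: str, candidate: str) -> bool:
    _, ptype, salt, _ = stored.split("$")
    if ptype not in _HASHERS:
        raise ValueError(f"unsupported type {ptype!r}")
    return hmac.compare_digest(_HASHERS[ptype](candidate, salt), stored)


def crack_secret(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack; every candidate costs a full PBKDF2 or scrypt run."""
    for candidate in wordlist:
        if verify_secret(stored, candidate):
            return candidate
    return None


# Hashes from the configuration examples above (password !)!@carelesswhisper!(&*).
PAGE_HASHES = {
    "enable secret 8": "$8$t2DaByeLrdkEe9$rrmHBGlW2UeVFa8dW0NUJ2.CMAK6tSkod/AJYB6ONmE",
    "username user3":  "$8$EXdd0mQVVxdZTv$jDbwo3G4JDJIWPLpIEPJlP.yykOZyz4VIn0i62XF1mY",
    "enable secret 9": "$9$Da5NG4Iu9g5TtP$Z4I6DDgc9YWfYW./o1Cmtf/Y3HNrOw1cdJJ.lrVilZI",
    "username user4":  "$9$GNN13.4z9EYYg9$dAvWQTuVNFBucVb7xgz0gWtGVSyVvRvciQ9CosTtn2.",
}
# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["cisco", "password", "Cisco123", "!)!@carelesswhisper!(&*"]

if __name__ == "__main__":
    for where, h in PAGE_HASHES.items():
        print(f"{where}: recovered {crack_secret(h, WORDLIST)!r}")
    print("username admin secret 9", generate_secret("correct horse battery staple"))
```

The wordlist is four entries long, so the loop finishes instantly; the point is that the loop is identical for Type 5, 8 and 9, and only the per-guess cost changes. A strong, non-dictionary password is what makes the loop never terminate, whichever type you pick.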
Final Thoughts
The best practice is to use AAA as much as possible. However, local accounts and passwords are still needed when the AAA servers are unreachable, so it is vital to go through the process of securing Cisco IOS passwords.
With Cisco deprecating Type 5 passwords, it is clear that the future is Type 8 or 9. While Type 5 with a strong password is still hard to crack, it's best practice to move to the newer, more secure hashing algorithms, so start planning your migration to Type 9. Two caveats: an existing hash cannot be converted, so every password has to be re-entered with the new algorithm-type, and any device or template still running an IOS release without Type 8/9 support will reject those secret lines.
While Type 8 and Type 9 make it harder for an adversary to crack the passwords, they are not an excuse for weak passwords; the rockyou.txt runs above recovered the same password from Type 5 and Type 8 alike, only more slowly. With that in mind, it is essential to have a solid password policy and to adhere to it.