Ever had a type 5 Cisco password that you wanted to crack or break? This piece of JavaScript will attempt a quick dictionary attack using a small dictionary of common passwords, followed by a partial brute-force attack. JavaScript is far too slow to be used for serious password breaking, so this tool will only succeed against weak passwords.
A non-Cisco source has released a program to decrypt user passwords (and other passwords) in Cisco configuration files. The program will not decrypt passwords set with the enable secret command. The unexpected concern that this program has caused among Cisco customers has led us to suspect that many customers are relying on Cisco password encryption for more security than it was designed to provide. This document explains the security model behind Cisco password encryption, and the security limitations of that encryption.
Program To Crack Cisco Secret 5 Password
Although Cisco does not distribute a decryption program, at least two different decryption programs for Cisco IOS passwords are available to the public on the Internet; the first public release of such a program of which Cisco is aware was in early 1995. We would expect any amateur cryptographer to be able to create a new program with little effort.
The scheme used by Cisco IOS for user passwords was never intended to resist a determined, intelligent attack. The encryption scheme was designed to avoid password theft via simple snooping or sniffing. It was never intended to protect against someone conducting a password-cracking effort on the configuration file.
The enable password command should no longer be used. Use the enable secret command for better security. The only instance in which the enable password command might be tested is when the device is running in a boot mode that does not support the enable secret command.
Note: This applies only to passwords set with enable secret, and not to passwords set with enable password. Indeed, the strength of the encryption used is the only significant difference between the two commands.
Look at your boot image using the show version command from your normal operating mode (Full Cisco IOS image) to see whether the boot image supports the enable secret command. If it does, remove enable password. If the boot image does not support enable secret, note the following caveats:
If you set enable password to a different value because the boot image does not support enable secret, your router administrators must remember an additional password that is used only rarely, on ROMs that do not support the enable secret command. With a separate enable password, administrators may not remember it when they force downtime for a software upgrade, which is the only reason to log in to boot mode.
It is not, in the general case, possible to switch user passwords over to the MD5-based algorithm used for enable secrets, because MD5 is a one-way hash, and the password can't be recovered from the encrypted data at all. In order to support certain authentication protocols (notably CHAP), the system needs access to the clear text of user passwords, and therefore must store them using a reversible algorithm.
The last password looks random and was still not cracked when the password cracker stopped running three days later. The problem is remembering a password like this one. See the upcoming sidebar, Choosing and Remembering Strong Passwords, for tips on choosing an appropriate password.
Except for the enable secret password, all passwords stored on Cisco routers are weakly encrypted. If someone were to get a copy of a router configuration file, it would take only a few seconds to run it through a program to decode all weakly encrypted passwords. The first protection is to keep the configuration files secured.
To use the enable command to access a privilege level, a password must be set for that level. If you try to enter a level with no password, you get the error message No password set. Setting privilege-level passwords can be done with the enable secret level command. The following example enables and sets a password for privilege level 5:
Just as default passwords can be set with either the enable secret or the enable password command, passwords for other privilege levels can be set with the enable password level or enable secret level commands. However, the enable password level command is provided for backward compatibility and should not be used.
In this guide we will go through Cisco password types that can be found in Cisco IOS-based network devices. We will cover all common Cisco password types (0, 4, 5, 7, 8 and 9) and provide instructions on how to decrypt them or crack them using popular open-source password crackers such as John the Ripper or Hashcat.
This password type uses the Vigenère cipher, which is essentially a simple alphabetic substitution encryption. The algorithm is reversible, so the password can be deciphered instantly into plain text without any cracking.
From the screenshot above, we can see that the average speed is around 1.14 million password attempts per second. It seems that cracking this hash with john is much faster in our case.
This password type was introduced around 1992 and is essentially 1,000 iterations of salted MD5. The salt is 4 characters long (32 bits). For modern computers this is not difficult enough, so in many cases it can be cracked successfully.
This password type is a proper implementation of the failed password type 4. This time it really uses the PBKDF2 algorithm with a 10-character salt (80 bits). Essentially it is 20,000 iterations of SHA-256, which makes it much harder to crack than the previous password types.
This password type uses the Scrypt algorithm. Scrypt was specifically designed to make cracking very difficult even on large-scale cracking rigs with many GPUs or hardware ASICs, because Scrypt requires a large amount of memory to perform its function.
Type 7 encrypted passwords are weak, and it can be surprisingly easy to crack them. In fact, one could accomplish this using a six-line Perl script. (You can find this script and directions on the TechFAQ Web site.)
In addition, Windows-based programs are available that allow you to enter an encrypted password, and the program will immediately return the clear-text password. (SolarWinds sells a password decryptor for this purpose.)
In addition, you should always use the enable secret command rather than the enable password command. The enable password command uses the weaker type 7 encryption, whereas the enable secret command uses the stronger type 5 encryption.
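The password types described above (0, 4, 5, 7, 8 and 9) and the enable password versus enable secret distinction can be checked mechanically before a configuration file ever leaves the device. The following audit script is an added example, not code from any of the sources quoted on this page; the TYPE_INFO strength ratings, the advice strings and the sample configuration (with placeholder hash bodies) are all constructed for this illustration.

```python
import re

# Storage types discussed above with the strength an auditor would assign (constructed mapping).
TYPE_INFO = {
    "0": ("plaintext", "weak"),
    "7": ("reversible Vigenere-style encoding", "weak"),
    "4": ("unsalted single SHA-256 (flawed type 4)", "weak"),
    "5": ("salted MD5, 1,000 iterations", "moderate"),
    "8": ("PBKDF2-SHA256, 20,000 iterations", "strong"),
    "9": ("scrypt", "strong"),
}

# Matches "enable password 7 ...", "enable secret level 5 9 ...", "username bob secret 8 ..."
# and line-mode "password 7 ...". The type digit is optional: a bare "password x" is type 0.
LINE_RE = re.compile(
    r"^\s*(?P<cmd>enable (?:password|secret)|username \S+ (?:password|secret)|password)"
    r"(?: level \d+)?\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

def audit_config(config_text):
    """Return (line_no, command, type, description, strength, advice) for each stored password."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"  # IOS stores an untyped password as type 0
        desc, strength = TYPE_INFO.get(ptype, ("unknown type", "unknown"))
        if m.group("cmd").startswith("enable password"):
            advice = "replace with 'enable secret' (type 8 or 9 on current IOS)"
        elif strength == "weak":
            advice = "treat as exposed; re-set as a type 8 or 9 secret"
        elif strength == "moderate":
            advice = "acceptable only with a long random password; prefer type 8 or 9"
        else:
            advice = "ok"
        findings.append((line_no, m.group("cmd"), ptype, desc, strength, advice))
    return findings

# Constructed sample configuration; the hash bodies are placeholders, not real digests.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 1511021F0725
enable secret 5 $1$SaLt$PLACEHOLDERmd5cryptBodyXXX
enable secret level 5 9 $9$placeholdersalt$placeholderscryptbody
username admin secret 8 $8$placeholdersalt$placeholderpbkdf2body
username backup password 0 changeme
line vty 0 4
 password 7 094F471A1A0A
"""
```

Running audit_config(SAMPLE_CONFIG) flags the enable password line and the two other type 7 and type 0 entries as weak, rates the type 5 secret as moderate and the type 8 and 9 secrets as strong.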
In this article, I would like to highlight the importance of using complex passwords when hashed with the MD5 128-bit algorithm. I will demonstrate the cracking of MD5 salted passwords using Kali Linux and a password cracking tool, John the Ripper.
Extracts of the following demonstration are taken from a CCNA Security lab I have been working on. It was such an informative lab, I decided to document it and share it with the SYNACK community. To carry out MD5 cracking we will use John the Ripper to crack a weak hashed password and then we will use a custom dictionary to carry out the second attack.
In this demonstration, you have seen how we can use John the Ripper to crack MD5 passwords. When using the enable secret command on Cisco IOS devices it is important to use complex passwords that are not based on dictionary words or other predictable text and that include letters, numbers and special characters.
Hashcat enables highly parallelized password cracking, with the ability to crack multiple different passwords on multiple different devices at the same time and support for a distributed hash-cracking system via overlays. Cracking is optimized with integrated performance tuning and temperature monitoring.
John the Ripper offers password cracking for a variety of different password types. It goes beyond OS passwords to include common web apps (like WordPress), compressed archives, document files (Microsoft Office files, PDFs and so on), and more.
Brutus is one of the most popular remote online password-cracking tools. It claims to be the fastest and most flexible password cracking tool. This tool is free and is only available for Windows systems. It was released back in October 2000.
Brutus has not been updated for several years. However, its support for a wide variety of authentication protocols and ability to add custom modules make it a popular tool for online password cracking attacks.
Wfuzz is a web application password-cracking tool like Brutus that tries to crack passwords via a brute-force guessing attack. It can also be used to find hidden resources like directories, servlets and scripts. Wfuzz can also identify injection vulnerabilities within an application such as SQL injection, XSS injection and LDAP injection.
Medusa is an online password-cracking tool similar to THC Hydra. It claims to be a speedy, parallel, modular login brute-forcing tool. It supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MySQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd and Telnet.
Medusa is a command-line tool, so some level of command-line knowledge is necessary to use it. Password-cracking speed depends on network connectivity. On a local system, it can test 2,000 passwords per minute.
RainbowCrack is a password cracking tool designed to work using rainbow tables. It is possible to generate custom rainbow tables or take advantage of preexisting ones downloaded from the internet. RainbowCrack offers free downloads of rainbow tables for the LANMAN, NTLM, MD5 and SHA1 password systems.
OphCrack is a free rainbow table-based password cracking tool for Windows. It is the most popular Windows password cracking tool but can also be used on Linux and Mac systems. It cracks LM and NTLM hashes. For cracking Windows XP, Vista and Windows 7, free rainbow tables are also available.