Configuring Password Encryption Service

Allowing people to see your configuration passwords in plain text is a bad idea. This lab will discuss and demonstrate the configuration of the Cisco IOS password encryption service.

Real World Application

Type 7 (often called "level 7") encryption on a Cisco device is, by today’s cryptographic standards, extremely weak. Many websites offer a decryption applet: you copy and paste a service-password-encrypted string and it returns the clear text. An example is the website linked here.

This lab will teach you how to configure the password encryption service to encrypt clear text passwords using type 7 encryption on a Cisco router and/or switch.

There is, however, one good use for this encryption service: it prevents a peeping Tom looking over your shoulder from reading clear text passwords while you have a configuration displayed on screen.

When posting configurations online to share, be sure to remove the type 7 encrypted passwords, as these passwords can be easily cracked. Type 5 passwords use an MD5 hash, which is a one-way (non-reversible) 128-bit algorithm. This password cannot be “decrypted” due to the nature of the algorithm. When you authenticate to a Cisco device that stores the password in MD5 format, the device hashes the password string you provided and compares it to the string stored in the configuration. If it matches, authentication succeeds; if not, authentication fails and your password is declined.

Keep in mind that type 7 passwords are considered weak, whereas type 5 passwords are “uncrackable” per se.

Type 5 password hashes cannot be decrypted with rainbow tables because the Type 5 password hash is divided into 3 separate sections. Using the Type 5 password hash found in the lab instructions of this lab, $1 represents the Cisco type 5 password, $ID2R represents the “salt”, and $2AKUK4US6yUQVkggSMkLV0 is the actual MD5 hash that is calculated with the “salt”. Cisco does not publish how the “salt” is technically used in the calculation of the MD5 hash, therefore it is “unknown”.

Salts are used to add extra security to MD5 strings, making them unique and proprietary to the salt function as written. For example, let’s say we use the password Hello123 and Cisco places the randomly generated salt after the 2nd character of the actual passphrase; the pre-hashed password value would then become “He”$SALT”llo123, which would give you a unique MD5 string. Ultimately the point I’m trying to make is that the technique in which Cisco uses the salt function is proprietary. Keep in mind the salt is randomly generated and stored with the password hash, which makes it nearly impossible to even create a rainbow table for every current value of the standard MD5 rainbow table: you don’t know how the “salt” is used, and you cannot write a script to set the password on a Cisco device to every possible password found in the rainbow table, as the salt is randomly generated every time you use the “enable secret XXXX” command.

So when someone tells you that type 5 can be cracked by a rainbow table, they are completely incorrect: a standard rainbow table will NOT work because it does not contain MD5 hash values for every possible salted password hash that Cisco IOS can generate.

Lab Prerequisites

  • If you are using GNS3, then load the Free CCNA Workbook GNS3 topology and start R1.
  • Establish a console session with Router 1, then configure the device’s respective hostname.

Lab Objectives

  • Configure a user account locally using the username tom and the secret Cisco
  • Configure a user account locally using the username john and the password Cisco
  • Verify that the user accounts tom and john were created by viewing the running configuration.
  • In global configuration mode enable the password encryption service by executing the service password-encryption command
  • Verify that john’s username was encrypted after enabling the password encryption service.
  • Disable the password encryption service and view if type 7 encryption is removed automatically when the password-encryption service is disabled.

Lab Instruction

Step 1. – Configure a user account locally using the username tom and the secret Cisco

R1 con0 is now available

Press RETURN to get started.

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username tom secret Cisco

Step 2. – Configure a user account locally using the username john and the password Cisco;

R1(config)#username john password Cisco

Step 3. – Verify that the user accounts tom and john were created by viewing the running configuration. TIP: You can view the user names in the running-configuration by using a regular expression as shown below;

R1(config)#do show run | inc username
username tom privilege 15 secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
username john privilege 15 password 0 Cisco
R1(config)#

Step 4. – In global configuration mode enable the password encryption service by executing the service password-encryption as shown below;

R1(config)#service password-encryption

Step 5. – Verify that john’s username was encrypted after enabling the password encryption service by viewing the user names in the running-configuration as shown below;

R1(config)#do show run | inc username
username tom privilege 15 secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
username john privilege 15 password 7 106D000A0618
R1(config)#

Step 6. – Disable the password encryption service and view if type 7 encryption is removed automatically when the password-encryption service is disabled.

R1(config)#no service password-encryption
R1(config)#do show run | inc username
username tom privilege 15 secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
username john privilege 15 password 7 106D000A0618
R1(config)#

When removing the password-encryption service, pre-existing type 7 encrypted passwords will NOT be automatically decrypted.
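As an added example (not part of the original lab), here is a small Python audit that walks running-config lines like the "show run | inc username" output above and flags credentials stored as type 0 or type 7, which this lab shows are clear text or trivially reversible; service password-encryption is reported separately because it only turns type 0 into type 7. The sample config is constructed from the lab's own lines plus a few extras, and the function names are my own.

```python
import re

# Constructed sample running-config: the two username lines this lab produces
# after Step 5, plus constructed extras to cover every storage type discussed.
SAMPLE_CONFIG = """\
service password-encryption
username tom privilege 15 secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
username john privilege 15 password 7 106D000A0618
username amy password 0 Cisco
enable secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
enable password Cisco
"""

# The three storage types the lab discusses: (label, risk, remediation).
STORAGE = {
    "0": ("cleartext", "HIGH", "re-enter the credential with 'secret'"),
    "7": ("type 7, reversible", "HIGH", "re-enter the credential with 'secret'"),
    "5": ("type 5, salted MD5 (one-way)", "OK", "none"),
}

# Matches 'username <name> ... password|secret [<type>] <value>' and
# 'enable password|secret [<type>] <value>'.
CRED_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+).*?|enable)\s+"
    r"(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

def classify_credential(line):
    """Return (subject, type, label, risk, fix) for a credential line, else None."""
    m = CRED_RE.match(line)
    if not m:
        return None
    subject = m.group("user") or "enable"
    # IOS omits the type digit for a plain 'password <text>' line; that is type 0.
    ptype = m.group("type") or ("0" if m.group("kw") == "password" else "5")
    label, risk, fix = STORAGE.get(ptype, ("unknown type", "REVIEW", "inspect manually"))
    return subject, ptype, label, risk, fix

def audit_config(text):
    """Audit a running-config. The encryption service only converts type 0 to
    type 7, so it is reported on its own and never counts as a remediation."""
    lines = text.splitlines()
    findings = [f for f in map(classify_credential, lines) if f]
    service_on = any(l.strip() == "service password-encryption" for l in lines)
    weak = [f for f in findings if f[3] == "HIGH"]
    return {"service_password_encryption": service_on, "findings": findings, "weak": weak}
```

Running audit_config(SAMPLE_CONFIG) lists tom's and the enable secret as type 5, and reports john (type 7), amy (type 0) and the enable password as weak even though the service is enabled.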