Deobfuscating Cisco IOS Passwords

From CT3


Cisco IOS uses the Vigenere algorithm to obfuscate passwords in the configuration if the "service password-encryption" command is used.

Deobfuscating Cisco IOS Passwords

Many algorithms require Cisco IOS to have access to the cleartext password. The Vigenere algorithm is used to obfuscate the passwords (not really encrypt them, as there is no encryption key) in order to prevent "shoulder surfing" from exposing passwords to someone who briefly looks at a running configuration. If, however, someone gets hold of the configuration, they can easily retrieve the passwords using the reverse translation of the Vigenere algorithm.

Cisco IOS uses this level-7 encryption when the "service password-encryption" command is used.

Level-5 encryption uses the one-way MD5 hash algorithm to convert passwords to a more secure form, but these passwords cannot be used for all purposes because even the router cannot convert them back to cleartext.

Perl Script for Deobfuscating Cisco IOS Level-7 Passwords

The following script can be used to retrieve the original cleartext password from the level-7 encrypted (obfuscated) password.

#!/usr/bin/perl
use File::Copy;

############################################################################
# Vigenere translation table
############################################################################
@V=(0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
    0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
    0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39,
    0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33,
    0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37);
############################################################################

############################################################################
# Usage guidelines
############################################################################
if (!defined($ARGV[0]) || $ARGV[0] eq ""){
   print "This script reveals the IOS passwords obfuscated using the Vigenere algorithm.\n";
   print "\n";
   print "Usage guidelines:\n";
   print " cdecrypt.pl 04480E051A33490E     # Reveals a single password\n";
   print " cdecrypt.pl running-config.rcf   # Changes all passwords in a file to cleartext\n";
   print "                                  # Original file stored with .bak extension\n";
   exit;                                    # Nothing to process without an argument
}

############################################################################
# Process arguments and execute
############################################################################
if(open(F,"<",$ARGV[0])){   # If argument passed can be opened then convert a file (three-argument open: name is never parsed as a mode)
  open(FO,">cdcout.rcf") || die("Cannot open 'cdcout.rcf' for writing ($!)\n");
  while(<F>){
    if (/(.*password\s)(7\s)([0-9a-fA-F]{4,})/){     # Find password commands
      my $d=Decrypt($3);                             # Deobfuscate passwords
      s/(.*password\s)(7\s)([0-9a-fA-F]{4,})/$1$d/;  # Remove '7' and add cleartext password
    }
    print FO $_;
  }
  close(F);
  close(FO);
  copy($ARGV[0],"$ARGV[0].bak")||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'");
  copy("cdcout.rcf",$ARGV[0])||die("Cannot copy 'cdcout.rcf' to '$ARGV[0]'");
  unlink "cdcout.rcf";
}else{                      # If argument passed cannot be opened it is a single password
  print Decrypt($ARGV[0]) . "\n";
}

############################################################################
# Vigenere decryption/deobfuscation function
############################################################################
sub Decrypt{
  my $pw=shift(@_);                             # Retrieve input obfuscated password
  my $i=substr($pw,0,2);                        # Initial index into Vigenere translation table
  my $c=2;                                      # Initial pointer
  my $r="";                                     # Variable to hold cleartext password
  while ($c<length($pw)){                       # Process each pair of hex values
    $r.=chr(hex(substr($pw,$c,2))^$V[$i++]);    # Vigenere reverse translation
    $c+=2;                                      # Move pointer to next hex pair
    $i%=53;                                     # Vigenere table wrap around
  }                                             #
  return $r;                                    # Return cleartext password
}

Installation

  • Download and install ActiveState Perl.
  • Create a text file called cdecrypt.pl
  • Copy the above source code into the text file and save it.

Usage guidelines

Usage: cdecrypt.pl [file | password]

  • file: If the argument is a file, the script will deobfuscate all occurrences of "… password 7 password" and replace them with a cleartext password. The original file will be stored with the .bak extension.
  • password: If the argument is a single obfuscated password it will be deobfuscated.

Author

Bostjan Sustar, based on C code by Jared Mauch © 2008 NIL Data Communications

Deobfuscate the Type-7 passwords on a router

The show key chain command executed on Cisco IOS displays the password configured in a key chain in cleartext, even when the same password is stored as a type-7 obfuscated password in the router configuration.

For example, if you want to get the cleartext password corresponding to the string 04480E051A33490E, enter the following lines into the router configuration:

R1(config)#key chain test
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 04480E051A33490E

When you execute the show key chain test command, the cleartext value of the password is displayed:

R1#show key chain test
Key-chain decrypt:
    key 1 -- text "secure"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
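
An added example, not part of the original page or the author's script: a Python audit pass that flags every type-7 and type-5 secret in a configuration, including the "key-string 7" form from the key chain section, which the Perl script's "password 7" pattern does not match. The translation table is the one from the script above; the sample configuration, its type-5 placeholder value and the function names are constructed for illustration.

```python
import re

# Translation table from the Perl script on this page, as ASCII bytes (53 entries).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# "password 7 <hex>", "key-string 7 <hex>" or "secret 5 <hash>" on a config line.
SECRET_RE = re.compile(r"\b(password|key-string|secret)\s+([57])\s+(\S+)")
TYPE7_RE = re.compile(r"\d{2}(?:[0-9A-Fa-f]{2})+")

# Constructed sample configuration; the type-5 value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$EXAMPLE$constructedPlaceholderHash
username admin password 7 04480E051A33490E
key chain test
 key 1
  key-string 7 04480E051A33490E
line vty 0 4
 password 7 0448ZZ
"""

def decode_type7(obf):
    """Two decimal digits give the table offset; each hex pair is XORed with the table."""
    if not TYPE7_RE.fullmatch(obf):
        raise ValueError("not a well-formed type-7 string")
    seed, data = int(obf[:2]), bytes.fromhex(obf[2:])
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data))

def audit_config(text):
    """Return (line_no, keyword, verdict) for every stored secret in the config."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.search(line)
        if not m:
            continue
        keyword, level, value = m.groups()
        if level == "5":
            verdict = "type 5: one-way hash"
        else:
            try:  # report only the length, never the recovered secret
                verdict = f"type 7: reversible, {len(decode_type7(value))} chars"
            except ValueError:
                verdict = "type 7: malformed value"
        findings.append((no, keyword, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(*finding, sep="\t")
```

The page's sample string carries seven encoded bytes, and the last one decodes to a space, which is why the audit reports seven characters for it.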