March 06, 2006
Anyone up for Cisco password cracking?
Can you crack a Cisco IOS MD5 password hash?
[I'm in beautiful Ottawa this week. All the locals kept telling me how beautiful it was today, since it was nearly spring-like with temps almost at 0 degrees. Last week it was -22F with the wind chill factor.]
Besides teaching and writing about computer security for a living, I also do penetration testing. Frequently my teams are able to capture plaintext Cisco configuration files, which usually include Cisco password hashes for Cisco routers, Pix firewalls, etc.
Cisco IOS telnet logon password hashes come in two flavors: Type 7 and MD5.
A Cisco config file with both password hashes might look something like this:
enable secret 5 $1$0Z4m$jsbSzU.vYSsZFISdJtbQI4.
enable password 7 062E0A1B38411F1D5C
The line beginning with enable password 7 is a Type 7 password hash. The line with enable secret 5 is the newer MD5 style.
The Type 7 password hashes aren't really hashes (I think I read that they are Vigenère ciphers, i.e. polyalphabetic substitution ciphers), and can easily be cracked by many tools. That I have confirmed many times.
Cisco updated their password hash protection years ago with what they call the MD5 password hash. Per Cisco, it makes the password hash non-trivial to crack, even though there are a lot of brute force and dictionary password hash cracking tools available, such as Cain (www.oxid.it).
I come across lots of Cisco IOS MD5 password hashes, but I've yet to crack one. I've even used dictionary tools that are supposed to break Cisco MD5 password hashes, using a dictionary file that only contained the exact symbols in the password (i.e. my password dictionary contained the word frog for a Cisco password of frog), and still my crack attacks did not work.
If you're up to the challenge, try to crack your own Cisco password hash. No money, no challenge, just see if you can do it.
I'm especially interested in if anyone can demonstrate cracking their MD5 password hash. If you do, let me know how you did it? Don't send me your password or hash (unless you use a dummy one for the test).
If I'm having this problem, I'm sure there are at least a few other pen testers with the same questions as I have.
_________________
Related discussion
I was confused as to why Cisco called their new password hash method an MD5 hash (http://www.cisco.com/warp/public/701/64.html).
Even this Wiki article (http://en.wikipedia.org/wiki/Cisco_IOS), which talks about the Cisco MD5 hash uses an example cleartext password of stupidpass, but the resulting MD5 hash looks nothing like an MD5 hash.
It's certainly not a pure MD5 hash (http://en.wikipedia.org/wiki/Md5). It's not long enough for one thing and it always begins with the $1...not something you would see in an MD5 hash every time. An MD5 hash is always 128-bits (16 double-byte characters). If I include all the characters in the Cisco "MD5" hash, including the $1, it's only 15-double byte characters (or 120-bits).
With further research, I found out that the Cisco "MD5" password hash isn't a pure MD5 hash. Per Cain's creator, the Cisco MD5 password hash is a Base64 encoded MD5 password hash (http://www.oxid.it/downloads/pix_passwd.txt), after the original password has been truncated to 16 characters and MD5'd 1,000 times. Cisco then uses FreeBSD's _crypt_to64() libcrypt library function to Base64 encode the hash. But every Base64 encoding I do on a pure MD5 hash results in an even longer result than the original value (not shorter as in the Cisco result). Maybe he means that the resulting MD5 hash is truncated to 16 bytes?
I haven't seen Cisco's MD5 password hash code to see how the original cleartext password is treated exactly, but Cain's creator, and other Cisco password cracker authors apparently have.
I'm only a crypto hobbyist, so I'm sure I don't really know what I'm talking about as I get into the nuts and bolts. But if anyone can actually demonstrate a Cisco MD5 password hash crack, let me know.
All the Mac and iTunes users can write back and explain it to me, since they've been spending all day telling me how stupid I am.
Posted by Roger Grimes on March 6, 2006 04:31 PM
COMMENTS
Wouldn't you know it? About an hour after my post, I was able to break a very simple Cisco IOS MD5 password hash in both Cain and John the Ripper. After trying dozens of times over many months, I just tried it again, and it worked. I swear I did the same thing I did the other times...but this time it worked. Has that ever happened to you? Computers!
I was going to remove this blog entry, so people didn't see my idiot trials and tribulations, but I decided to leave it to introduce some people to the possibility of their Cisco password being hacked, and to make sure they know the difference between Type 7 and the newer, better MD5 solution.
I cracked a Cisco MD5 password hash that resulted from the word frog123. On my traveling laptop, Cain was able to take about 1100 guesses per second. John was able to do about 10x that.
If I only used the letters of the password as my character set (i.e. frog123 were the only letters I told the crackers to use) and told both crackers that the password was 7 characters long, Cain could crack it in 15 minutes, and John the Ripper in 1-2 minutes. Cain is an incredible all around tool, but John the Ripper is fast.
If I put John or Cain on their defaults, using the normal character set, and set password size to 16 (the Cisco max.), both calculated that it would take billions and billions of years to hack. If the password is an easy dictionary word, it can probably be done in 1-2 days on a single PC.
Lesson? Make sure your Cisco passwords are all MD5 hashes. Make sure your passwords are long and complex. If long enough or complex enough, most password crackers will not be able to crack them. Personally, I would use at least a 10 character password, and make sure it's complex enough to prevent hybrid substitution attacks. Frog123 is good enough to prevent most dictionary and hybrid attacks, but should probably be longer than 7 characters. Still, both Cain and John said that Frog123 would take billions of years to crack...so who knows...maybe it is good enough.
The last thing is to change Cisco passwords on a thoughtful regular basis, and to store those passwords securely.
Posted by: Roger A. Grimes at March 7, 2006 04:41 AM

Not sure if you're still interested, but the MD5 password hashes you list above appear to be standard crypt() salted hashes. In the example you give above, $1$0Z4m$jsbSzU.vYSsZFISdJtbQI4, the salt is 0Z4m and the hash is jsbSzU.vYSsZFISdJtbQI4. It is base 64 encoded, so each character has 64 values (6 bits), so the 22 character hash represents up to 132 bits (slightly more than MD5 128 bits). I imagine they take either the lowest or highest 128 bits of the 132 and use them.
Posted by: Nope at December 11, 2007 09:51 AM
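The $1$salt$digest layout described in the comment above (and the 1,000-round, _crypt_to64-encoded construction mentioned in the post) worked through as an added example; this is not code from the post, from Cain, or from Cisco, but a Python port of FreeBSD's md5crypt with a parser for the Type 5 line and a constant-time verify. It assumes the md5crypt test vector printed in the PHP manual's crypt() documentation, and takes the post's digest as the 22 characters the comment counts (the trailing period read as sentence punctuation).

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v: int, n: int) -> str:   # FreeBSD _crypt_to64(): n chars of 6 bits, low bits first
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out

def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt ($1$), the scheme behind Cisco's 'enable secret 5'."""
    salt = salt[:8]                                   # salt is at most 8 chars
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):           # len(pw) bytes of the alt sum
        ctx.update(alt[:min(16, pl)])
    i = len(password)
    while i:                                          # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                             # the 1000 stretching rounds
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    # 16 bytes -> 22 chars: 5 groups of 3 bytes as 4 chars, then byte 11 as 2 chars.
    # So 22 * 6 = 132 bit positions carry 128 bits; the top 4 bits are always zero.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$1$" + salt.decode() + "$" + enc + _to64(final[11], 2)

def parse_type5(h: str):
    parts = h.split("$")                              # expect ['', '1', salt, 22-char digest]
    if (len(parts) != 4 or parts[0] or parts[1] != "1" or not 1 <= len(parts[2]) <= 8
            or len(parts[3]) != 22 or any(ch not in ITOA64 for ch in parts[3])):
        raise ValueError("not a Type 5 (md5crypt) hash")
    return parts[2], parts[3]

def verify_type5(password: str, h: str) -> bool:
    salt, _ = parse_type5(h)                          # recompute with the stored salt
    return hmac.compare_digest(md5crypt(password.encode(), salt.encode()), h)

# Constructed inputs: the config line quoted in the post (password unknown), and the
# md5crypt vector printed in the PHP manual's crypt() documentation.
POST_HASH = "$1$0Z4m$jsbSzU.vYSsZFISdJtbQI4"
PHP_VECTOR = ("rasmuslerdorf", "$1$rasmusle$rISCgZzpwk3UhDidwXvin0")
```

A Type 7 line fails parse_type5 outright, which is a cheap way to audit a config for secrets that never got the stronger scheme.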