There are three common password types in use on Cisco network appliances: Type 7, Type 5 and PIX-MD5. Type 7 passwords are reversible using simple online sites or with a "Cisco Type 7" App from the Apple App store or Google Play Store. The Packetlife page is here Cisco Type 7 Reverser
Type 5 and PIX-MD5 are both hashes of the password and are much more challenging to recover. Hashcat is a free open source tool for “Advanced Password Recovery”. It can be downloaded from http://hashcat.net/hashcat/. Native binaries are included for Windows and Linux. I haven't had any issues running it on OSX 10.9.
There is also a much faster version called OCLHashCat but it requires either an NVIDIA Quadra or AMD Catalyst capable video card. It supports up to 128 GPUs so it is amazingly fast. Here is an ArsTechnica article on using it in more advanced modes for password recovery - http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
Type 5 and PIX-MD5 are both hashes of the password and are much more challenging to recover. Hashcat is a free open source tool for “Advanced Password Recovery”. It can be downloaded from http://hashcat.net/hashcat/. Native binaries are included for Windows and Linux. I haven't had any issues running it on OSX 10.9.
There is also a much faster version called OCLHashCat but it requires either an NVIDIA Quadra or AMD Catalyst capable video card. It supports up to 128 GPUs so it is amazingly fast. Here is an ArsTechnica article on using it in more advanced modes for password recovery - http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
This article doesn’t discuss type 4 hashes. You can read more here if you are interested - http://hashcat.net/forum/thread-3803-post-21661.html#pid21661
What you need:
- An MD5 hash from a router/switch/firewall config with a password that you don’t know. The hash will look something like this: $1$IJkU$AYI23JsBY2RVGg/uVwdRp on a swtich/router and gJ1Me7ca5PXBimXV on a firewall.
- A “Dictionary” of passwords. The password of the device MUST be in the list. I keep a text file of all the passwords I come across on the Internet, default passwords (Very common to find the password is a mfg default) and any that I create. Save yours as pw4.txt. You can easily find password lists on the Internet. You can find the “RockYou” list here - rockyou. Crackstation has some larger dictionaries CrackStation's Password Cracking Dictionary. They ask for a donation to cover the bandwidth cost. I donated $10.
- I have included a small file with some common passwords as an example.
- Hashcat .49 or later
When you unpack Hashcat it creates a simple directory
structure. You can put Hashcat and your
password dictionary on a flash drive or SD card for portability.
We will store our password list in the “Examples” folder and
the dictionary in the “tables” folder.
Recovering the Password
Copy the “Hashes.txt” file to the examples folder and the
“pw4.txt” file to the tables folder.
Open a cmd prompt in the HashCat folder. In Win7 you can
hold down Shift and Right click to get a command prompt in the Hashcat folder. Paste into the command window “hashcat-cli32.exe -m 500
examples/hashes.txt tables/pw3.txt”.
On OSX use ./hashcat-cli64.app -m 500 examples/hashes.txt tables/pw3.txt.
On Linux use ./hashcat-cli64.bin -m 500 examples/hashes.txt tables/pw3.txt.
On OSX use ./hashcat-cli64.app -m 500 examples/hashes.txt tables/pw3.txt.
On Linux use ./hashcat-cli64.bin -m 500 examples/hashes.txt tables/pw3.txt.
-m tells Hashcat that the hashtype will follow, the 500 tells Hashcat that they are Cisco-IOS
MD5, use 2400 for Cisco-PIX MD5.
Press enter, hashcat will initialize and start running.
You can press enter periodically to see progress.
To see all the command line arguments use –help.
Here is the output of our little sample of hashes. Note I am
running .47 which will be deprecated on 1/1/15. The current version of HashCat
is .49.
****************************************************************
hashcat-cli32.exe -m 500 examples/hashes.txt tables/pw4.txt
This copy of hashcat will expire on 01.01.2015. Please
upgrade to continue using hashcat.
Initializing hashcat v0.47 by atom with 8 threads and
32mb segment-size...
Added hashes from file examples/hashes.txt: 3 (3 salts)
NOTE: press enter for status-screen
Caching segment, please wait...
$1$xlOE$EjlwD6cE2XMIMMWY3WBzp.:3YamyK16
$1$BBAe$35nPgwWzFTs5V5qn8DHJR0:vectorUSA!
$1$IJkU$AYI23JsBY2RVGg/uVwdRp.:cisco
All hashes have been recovered
***************************************************************
I hope this saves you some time and stress when you have a
hash but don’t know the password.
Only use this tool when you have permission to access the
device you attempting to recover the password for.
Save this as pw4.txt
123456
123456789
1qaz!QAZ
4youreyesonly
9x3kaqq
9x3kaqq!
admin4free!
aldf2ad1
C13c0
C1sc0123
Cisco
cisco
cisco1
Dr@g0nf1y
dvd0brx19x3kaqq
gUpuzEX!
Im4g1nation
Ironcl@d
ISEc0ld
Just4us
Just4us
L0ckM3DoW#^
L3tm31n
LetmeIn
MISisgr8!
P@33w0rd
password
Password
passwordcr1ny5ho
pyr4m1d
QSMadmin55#
supp0rt!
Sw1tcHPw!
This Is a Red D@y
USM622021E
USM622021G
WindowsXPPro11
Hubbard On Networking: Decrypting (Recovering) Cisco Switch/Router/Firewall Passwords >>>>> Download Now
ReplyDelete>>>>> Download Full
Hubbard On Networking: Decrypting (Recovering) Cisco Switch/Router/Firewall Passwords >>>>> Download LINK
>>>>> Download Now
Hubbard On Networking: Decrypting (Recovering) Cisco Switch/Router/Firewall Passwords >>>>> Download Full
>>>>> Download LINK
Cisco Router" refers to the availability of Cisco routers Online for purchase and configuration over the internet. These high-performance networking devices enable seamless connectivity and data transmission, making them essential for businesses and individuals seeking reliable online connectivity solutions.
ReplyDelete