Sunday, November 9, 2014

Decrypting (recovering) Cisco Switch/Router/Firewall Passwords

There are three common password types in use on Cisco network appliances: Type 7, Type 5 and PIX-MD5. Type 7 passwords are reversible using simple online sites or with a "Cisco Type 7" app from the Apple App Store or Google Play Store. Packetlife hosts one such page, the Cisco Type 7 Reverser.

Type 5 and PIX-MD5 are both hashes of the password and are much more challenging to recover. Hashcat is a free open source tool for “Advanced Password Recovery”.  It can be downloaded from http://hashcat.net/hashcat/. Native binaries are included for Windows and Linux. I haven't had any issues running it on OSX 10.9.

There is also a much faster version called oclHashcat, but it requires either an NVIDIA Quadro or AMD Catalyst capable video card. It supports up to 128 GPUs so it is amazingly fast. Here is an Ars Technica article on using it in more advanced modes for password recovery - http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

This article doesn’t discuss type 4 hashes. You can read more here if you are interested - http://hashcat.net/forum/thread-3803-post-21661.html#pid21661

What you need:
  • An MD5 hash from a router/switch/firewall config with a password that you don’t know. The hash will look something like this: $1$IJkU$AYI23JsBY2RVGg/uVwdRp. on a switch/router and gJ1Me7ca5PXBimXV on a firewall.
  • A “Dictionary” of passwords. The password of the device MUST be in the list. I keep a text file of all the passwords I come across on the Internet, default passwords (very common to find the password is a mfg default) and any that I create. Save yours as pw4.txt. You can easily find password lists on the Internet. One well-known list is “RockYou”. CrackStation has some larger dictionaries (CrackStation's Password Cracking Dictionary). They ask for a donation to cover the bandwidth cost. I donated $10.
  • I have included a small file with some common passwords as an example.
  • Hashcat .49 or later
NOTE: Hashcat supports rules and many other methods than just the dictionary method discussed here. The Hashcat wiki is a great resource if you want to use other methods. Ars Technica also has several good articles on using Hashcat with other methods.

When you unpack Hashcat it creates a simple directory structure. You can put Hashcat and your password dictionary on a flash drive or SD card for portability.

We will store our list of hashes in the “examples” folder and the dictionary in the “tables” folder.

 

Recovering the Password

Copy the “hashes.txt” file to the examples folder and the “pw4.txt” file to the tables folder.
Open a cmd prompt in the Hashcat folder. In Win7 you can hold down Shift and right-click to get a command prompt in the Hashcat folder. Paste into the command window: hashcat-cli32.exe -m 500 examples/hashes.txt tables/pw4.txt
On OSX use: ./hashcat-cli64.app -m 500 examples/hashes.txt tables/pw4.txt
On Linux use: ./hashcat-cli64.bin -m 500 examples/hashes.txt tables/pw4.txt

-m tells Hashcat that the hash type follows; 500 means the hashes are Cisco-IOS MD5. Use 2400 for Cisco-PIX MD5.


Press Enter; Hashcat will initialize and start running.
You can press Enter periodically to see progress.
To see all the command line arguments use --help.
Here is the output of our little sample of hashes. Note I am running .47 which will be deprecated on 1/1/15. The current version of HashCat is .49.
****************************************************************
hashcat-cli32.exe -m 500 examples/hashes.txt tables/pw4.txt
This copy of hashcat will expire on 01.01.2015. Please upgrade to continue using hashcat.

Initializing hashcat v0.47 by atom with 8 threads and 32mb segment-size...

Added hashes from file examples/hashes.txt: 3 (3 salts)

NOTE: press enter for status-screen

Caching segment, please wait...
$1$xlOE$EjlwD6cE2XMIMMWY3WBzp.:3YamyK16
$1$BBAe$35nPgwWzFTs5V5qn8DHJR0:vectorUSA!
$1$IJkU$AYI23JsBY2RVGg/uVwdRp.:cisco

All hashes have been recovered
***************************************************************
I hope this saves you some time and stress when you have a hash but don’t know the password.

Only use this tool when you have permission to access the device you are attempting to recover the password for.
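The hash shape decides which -m value applies, and a Type 5 hash copied one character short is not a valid hash. As an added example (not from the original post and not part of Hashcat), this Python script audits a config for the three password types named above and reports how each is stored; the config lines, the Type 7 value, the truncated hash on line 4 and the names `audit_config` and `report` are constructed for illustration, while the other hashes are the ones shown in this article.

```python
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by md5crypt and PIX-MD5 digests
# (label, hashcat -m value given in the article or None, pattern capturing the stored value)
RULES = [
    ("type5", 500, re.compile(r"\b(?:secret|password) 5 (\$1\$\S*)")),
    ("type7", None, re.compile(r"\bpassword 7 (\S+)")),
    ("pix-md5", 2400, re.compile(r"\b(?:password|passwd) (\S+) encrypted\b")),
]
# Exact shape each stored value must have to be a complete, usable entry
SHAPE = {
    "type5": re.compile(rf"\$1\${B64}{{1,8}}\${B64}{{22}}"),   # $1$salt$22-char digest
    "type7": re.compile(r"\d{2}(?:[0-9A-Fa-f]{2})+"),          # 2 digits + hex pairs
    "pix-md5": re.compile(rf"{B64}{{16}}"),                    # 16-char digest
}

def audit_config(text):
    """Return (line_no, kind, mode, value, well_formed) per stored credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, mode, rule in RULES:
            m = rule.search(line.strip())
            if m:
                value = m.group(1)
                ok = SHAPE[kind].fullmatch(value) is not None
                findings.append((no, kind, mode, value, ok))
                break
    return findings

def report(findings):
    """Turn findings into one human-readable line each."""
    out = []
    for no, kind, mode, _value, ok in findings:
        if not ok:
            note = "malformed or truncated; re-copy it from the config"
        elif mode is None:
            note = "reversible encoding, treat as plaintext"
        else:
            note = f"hash, hashcat -m {mode}"
        out.append(f"line {no}: {kind}: {note}")
    return out

# Constructed sample config; line 4 carries a hash with its last character dropped.
SAMPLE = """\
hostname lab-sw1
enable secret 5 $1$IJkU$AYI23JsBY2RVGg/uVwdRp.
username ops password 7 0822455D0A16
username old secret 5 $1$BBAe$35nPgwWzFTs5V5qn8DHJR
enable password gJ1Me7ca5PXBimXV encrypted
"""

if __name__ == "__main__":
    print("\n".join(report(audit_config(SAMPLE))))
```

Because -m takes a single hash type per run, entries reported with mode 500 and mode 2400 belong in separate hash files.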

Save this as pw4.txt

12345
123456
123456789
1qaz!QAZ
4youreyesonly
9x3kaqq
9x3kaqq!
admin4free!
aldf2ad1
C13c0
C1sc0123
Cisco
cisco
cisco1
Dr@g0nf1y
dvd0brx19x3kaqq
gUpuzEX!
Im4g1nation
Ironcl@d
ISEc0ld
Just4us
Just4us
L0ckM3DoW#^
L3tm31n
LetmeIn
MISisgr8!
P@33w0rd
password
Password
passwordcr1ny5ho
pyr4m1d
QSMadmin55#
supp0rt!
Sw1tcHPw!
This Is a Red D@y
USM622021E
USM622021G
WindowsXPPro11
