Actually you have it backwards. The type 5 passwords are derived from a
one-way hash function using the MD5 hashing algorithm. The router takes the
password you give and run the password through the same algorithm. If the
hash value matches what is in the configuration, the password is accepted.
The algorithm is sufficiently complicated that even knowing the hashed
value, it would be computationally hard (but not impossible) to generate a
password that would create the value. But a corollary to all of this is
that the Cisco router does not "know" the original password! So this
encryption scheme can not be used where the Cisco Router needs to present
the original password (such as when the router initiates an ISND call using
chap authentication.)
The other two types of encryption are type 0 and type 7. Type 0 is no
encryption and the password is stored using plain-text in the configuration.
Someone looking over the configuration will quickly learn the password.
Type 7 is only moderately better as the password is XOR against a constant.
So the hacker would need run the same computation to derive the password.
Ok so what about the enable password and enable secret. Originally we only
had the enable password that was using the type 7 encryption. This password
could be quickly compromised by dumpster divers that know the constant value
(not very hard to find).
Therefore, Cisco came up with the new format using the MD5 hashing
algorithm. This new password was called "enable secret" to keep the "enable
password" available in the configuration for backwards compatibility. If
both are maintained in a configuration, the enable secret is used and enable
password is ignored. Only if the router is using a version of the IOS (now
very old) that does not understand the enable secret will the enable
password be used.
This is also why when you run the interactive setup command the program
complains if you use the same password for enable secret and enable
password. Using the same password for both allows dumpster divers to gain
access to your router.
Hope this helps!
Take care,
Paul Borghese
----- Original Message -----
From: "Leonard Ong" <[EMAIL PROTECTED]>
Newsgroups: groupstudy.cisco
Sent: Tuesday, October 10, 2000 5:11 PM
Subject: Re: Password encryption decoder
> Hello,
>
> Boson doesn't work most of the time if you have multiple components
> type 5 password ( like a char, a punctuation, and a number ). It gives
> wrong one or two char.
>
> For type 7 (secret) password, it's to my believe it's hashed, meaning
> one-way encryption, you can't decode it back, unless you brute force it.
>
> Please correct me if i'm wrong.
>
> At 03:21 11/10/2000, you wrote:
> >The Boson software works great for most password decryption. Do you know
of
> >any software that will decrypt enable secret passwords? The Boson
software
> >will not do it.
> >
> >Daniel
**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
