If routers and switches are configured to use TACACS then both the EXEC (level7) and enable secret password are pretty much useless. For some hackers to get onto a router or a switch with EXEC and enable secret, the TACACS server must not be reachable by the router and switch. Only at that point, one would have to log onto Cisco devices with local account and go into privilege mode with enable secret password. Authentication and Authorization and Accounting will be taking place at the TACACS server under normal condition. Frankly, I wouldn't be too worry about it anyway.
>From: "Brian Whalen" >Reply-To: "Brian Whalen" >To: [EMAIL PROTECTED] >Subject: Re: OT: Enable secret hacking [7:23670] >Date: Sun, 21 Oct 2001 15:38:37 -0400 > >perhaps this is why sho run and sho conf are not level 1 commands?? > >Brian "Sonic" Whalen >Success = Preparation + Opportunity > > >On Sun, 21 Oct 2001, Gareth Hinton wrote: > > > The reason I asked was to see if other peoples impression was the same >as > > mine. I've got the tools for the level 7 passwords, but was under the > > impression that the enable secret was almost impossible. > > I do some work for a fairly large company that had some penetration >testing > > done this week by a government agency. > > One of the "hackers" told me that depending on the length and complexity >of > > the password he could crack the enable password from the MD5 hash pretty > > quickly. > > The passwords we normally use for enable secrets are over 8 character >random > > alphanumeric strings, so it was taking some time. > > Not believing him entirely, I suggested that I simplify the password a > > little to a dictionary word of 7 characters. I changed it to "kittens" >and > > it took his unix box around 5 seconds to go through the dictionary > > performing MD5 hash on every word, then comparing the result with the >real > > hash. > > > > I was quite surprised at how quick it was. Admittedly they need to see >the > > MD5 hash somehow, but I've never gone over the top to cover these up >before > > now. > > > > We also (a little carelessly) got caught out with a few switches with >"IP > > HTTP SERVER" on as default, so the weakness with http allowed level 15 > > access to the switches. Oops. > > > > Just thought I'd bring it up anyway. I think "no ip http server" and >more > > complex passwords are in order. > > > > > > Regards, > > > > Gareth > > > > ""John Neiberger"" wrote in message > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > The enable secret would not be an easy thing to crack. The enable > > password, > > > however, can be cracked easily with a number of utilities available >for > > free > > > on the internet. > > > > > > If you have hackers attacking your network who have the capability to > > crack > > > the enable secret then you have much bigger problems. > > > > > > As I recall, the enable secret displayed when you do a show run is a > > one-way > > > hash, so the original cannot be determined from the encrypted version. > > I'll > > > have to check into that. > > > > > > A good hacker would spend his time elsewhere. Sitting at the login >prompt > > > trying to guess passwords for a few years probably isn't a wise way to > > spend > > > one's time. Hackers tend to go for the low-hanging fruit. > > > > > > Regards, > > > John > > > > > > On Sun, 21 Oct 2001 09:13:35 -0400, Gareth Hinton wrote: > > > > > > | Hi all, > > > | > > > | I'm asking this as a matter of interest after something I saw this > > week: > > > | Given the following line of config: > > > | > > > | enable secret 5 $1$32Pc$uq7Tr7gq4v22PqEG4WFF90 > > > | > > > | What are the chances of cracking the enable secret? (Without >raising > > > | suspicicion by having 40 million attempts on the box itself.) > > > | Lets say the password is an 8 character string of letters only, not > > > | necessarily a dictionary word. > > > | > > > | What's everybody's view, could it be easily hacked or not? > > > | > > > | > > > | Thanks, > > > | > > > | Gaz > > > | > > > | > > > | > > > | > > > _______________________________________________________ > > > http://inbox.excite.com _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23711&t=23670 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
