Setting Strong Encrypted Passwords

Posted on 21-Sep-2020

Configuring Password Encryption for Clear Text Passwords

Cisco IOS stores passwords in clear text in network device configuration files for several features, such as passwords for local and remote CLI sessions and passwords for neighbor authentication for routing protocols. Clear text passwords are a security risk because anybody with access to archived copies of the configuration files can discover the passwords stored there. The service password-encryption command can be used to encrypt the clear text passwords in the configuration files of networking devices.

Passwords On Cisco Devices

You can configure passwords to protect access to many different aspects of IOS. Some common access passwords are:

Console password:
    line con 0
     password PACKETLABCON

VTY password:
    line vty 0 4
     password PACKETLABVTY

AUX password:
    line aux 0
     password PACKETLABAUX

Enable password:
    enable password PACKETLAB

Enable secret password:
    enable secret packetlab

Local username database:
    username packetlab password PACKETLAB

Passwords On Cisco Devices

Some other Cisco IOS passwords (there are a ton more):

OSPF authentication-key:
    interface Serial0/0
     ip address 10.1.12.1 255.255.255.0
     ip ospf authentication-key OSPFPASS

BGP (neighbor) password:
    router bgp 100
     neighbor 2.2.2.2 remote-as 100
     neighbor 2.2.2.2 password BGPPASS

Key chains:
    key chain OSPFCHAIN
     key 1
      key-string KEYSTRING

Passwords On Cisco Devices

By default, all passwords (with the exception of ‘secret’ passwords, which are discussed later) are stored in the running configuration in cleartext:

    enable password PACKETLAB
    username packetlab password 0 PACKETLAB
    !
    key chain OSPFCHAIN
     key 1
      key-string KEYSTRING
    !
    interface Serial0/0
     ip ospf authentication-key OSPFPASS
    !
    router bgp 100
     neighbor 2.2.2.2 password BGPPASS
    !
    line con 0
     password PACKETLABCON
    line aux 0
     password PACKETLABAUX
    line vty 0 4
     password PACKETLABVTY

‘service password-encryption’ Command

To encrypt passwords, use the service password-encryption command in global configuration mode. To restore the default, use the no form of this command.

    service password-encryption
    no service password-encryption

Usage Guidelines: The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.

Caution: This command does not provide a high level of network security. If you use this command, you should also take additional network security measures.

Note: You cannot recover a lost encrypted password. You must clear NVRAM and set a new password.

‘service password-encryption’ Command

Before configuring ‘service password-encryption’:

    enable password PACKETLAB
    username packetlab password 0 PACKETLAB
    !
    key chain OSPFCHAIN
     key 1
      key-string KEYSTRING
    !
    interface Serial0/0
     ip ospf authentication-key OSPFPASS
    !
    router bgp 100
     neighbor 2.2.2.2 password BGPPASS
    !
    line con 0
     password PACKETLABCON
    line aux 0
     password PACKETLABAUX
    line vty 0 4
     password PACKETLABVTY

After configuring ‘service password-encryption’:

    enable password 7 053B272C0A697A253827
    username packetlab password 7 097C6F2A3220233E2A2E
    !
    key chain OSPFCHAIN
     key 1
      key-string 7 0520233612787C203722
    !
    interface Serial0/0
     ip ospf authentication-key 7 0474383629116D7D3A
    !
    router bgp 100
     neighbor 2.2.2.2 password 7 106C2E2935362138
    !
    line con 0
     password 7 03347A282D2A15606F2B3A2A39
    line aux 0
     password 7 113938263C373F2025080A1110
    line vty 0 4
     password 7 046B2A2524047862283B33232B

What does 0, 5, 7 mean?

    0 - Specifies that an unencrypted password follows (cleartext).
    5 - Specifies that a hidden secret follows (MD5 encryption).
    7 - Specifies that a hidden password follows (Vigenère cipher encryption*).

Type 0 passwords are stored in cleartext. This is the default. Once service password-encryption has been enabled, IOS converts all Type 0 passwords into Type 7 (Vigenère cipher encryption*). This encryption is easily broken (as we’ll soon see), but it prevents ‘over-the-shoulder’ password theft.

MD5 is a very secure (although technically broken) encryption method. MD5 is used whenever you specify a ‘secret’ password.

    username packetlab password 0 packetlab
    username packetlab password 7 097C6F2A3220233E2A2E
    username packetsecret secret 5 $1$KVpy$JhrCgVprm1FGWWLPABaAN/

* Not technically ‘encryption’, as there is no encryption key. If you want to be technically correct, the Cisco Vigenère cipher algorithm obfuscates a password. Let’s not even explore the hashing versus encrypting argument.

What does 0, 5, 7 mean?

When configuring a password, do not use 5 or 7 unless you are pasting in an already encrypted password (generally from a saved configuration):

    r1(config)#username FAKEUSER password ?
      0     Specifies an UNENCRYPTED password will follow
      7     Specifies a HIDDEN password will follow
      LINE  The UNENCRYPTED (cleartext) user password

    r1(config)#username FAKEUSER password 7 DONOTDOTHIS
    Invalid encrypted password: DONOTDOTHIS

    r1(config)#username FAKEUSER password 5 DONOTDOTHIS
    ERROR: Can not use MD5 secrets for passwords. Use "username FAKEUSER secret" instead.

    r1(config)#username FAKEUSER secret ?
      0     Specifies an UNENCRYPTED secret will follow
      5     Specifies a HIDDEN secret will follow
      LINE  The UNENCRYPTED (cleartext) user secret

    r1(config)#username FAKEUSER secret 5 DONOTDOTHIS
    ERROR: The secret you entered is not a valid encrypted secret.
    To enter an UNENCRYPTED secret, do not specify type 5 encryption.
    When you properly enter an UNENCRYPTED secret, it will be encrypted.

Decrypting Cisco Type 7 Passwords

    line con 0
     password 7 03347A282D2A15606F2B3A2A39

Decrypting Cisco Type 7 Passwords

It’s probably not a good idea to use online type 7 password decryption for your corporate passwords, as you never know what the code behind the page might be doing. There’s a trick you can do on your Cisco device to decode Type 7 passwords:

1) Create a key chain:

    r1(config)#key chain DECRYPT7
    r1(config-keychain)#key 1

2) Paste in the Type 7 password (make sure to include the ‘7’) as the key-string value:

    r1(config-keychain-key)#key-string 7 03347A282D2A15606F2B3A2A39

3) From privileged EXEC mode, issue the show key chain command:

    r1#show key chain DECRYPT7
    Key-chain DECRYPT7:
        key 1 -- text "PACKETLABCON"
            accept lifetime (always valid) - (always valid) [valid now]
            send lifetime (always valid) - (always valid) [valid now]

4) (Optional) Delete the key chain after decryption is complete:

    r1(config)#no key chain DECRYPT7

‘no service password-encryption’ Command

One thing to note is that issuing the no service password-encryption command does NOT decrypt the already encrypted passwords; only passwords configured after the command is issued are stored as cleartext (Type 0) again:

    r3#sh run | i pass
    no service password-encryption
    username packetlab password 0 packetlab
    username vendor privilege 15 one-time password 0 cisco

    r3(config)#service password-encryption
    r3(config)#do sh run | i pass
    service password-encryption
    username packetlab password 7 06160E22474B1D150415
    username vendor privilege 15 one-time password 7 060506324F41

    r3(config)#no service password-encryption
    r3(config)#do sh run | i pass
    no service password-encryption
    username packetlab password 7 06160E22474B1D150415
    username vendor privilege 15 one-time password 7 060506324F41

    r3(config)#username packetlab2 password PACKETLAB2
    r3(config)#do sh run | i pass
    no service password-encryption
    username packetlab password 7 06160E22474B1D150415
    username vendor privilege 15 one-time password 7 060506324F41
    username packetlab2 password 0 PACKETLAB2

Summary

There are a number of different Cisco IOS features that use passwords. By default, Cisco IOS stores all password values (except those specified as ‘secret’) in the configuration as cleartext. This is a security issue, as anyone can do an ‘over-the-shoulder’ attack when passwords are not encrypted. By enabling the service password-encryption global configuration command, Cisco IOS obfuscates all cleartext passwords (Type 0) with a Vigenère cipher (Type 7). While Type 7 passwords are easily decrypted, this feature greatly reduces the effectiveness of the ‘over-the-shoulder’ attack.

Certain passwords allow you the option to designate them as ‘secret’ passwords. The best known example of this is the enable secret password. Cisco IOS stores secret passwords in the form of an MD5 hash (Type 5). While MD5 can technically be cracked, it’s not something that can be done easily (if at all). Type 5 passwords are very secure.

You can quickly tell whether a password is stored in cleartext (Type 0), MD5 hash (Type 5), or Vigenère cipher (Type 7) by looking at the number that precedes the password when viewing the configuration.
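As an added example that is not part of the original slides, the Python script below turns the rule stated in this summary and in the ‘What does 0, 5, 7 mean?’ section into a configuration audit: every password, secret, key-string and authentication-key line is classified by the number that precedes the stored value (no number means Type 0), Type 7 values are checked for the two-digit-salt-plus-hex shape, and the service password-encryption state is read from the config. The sample config, the regular expression and the severity labels are this example's own constructions; the report deliberately never echoes the credential values.

```python
import re
# Constructed sample running-config excerpt, modelled on the slides' examples.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$KVpy$JhrCgVprm1FGWWLPABaAN/
username packetlab password 0 PACKETLAB
username vendor privilege 15 one-time password 7 060506324F41
key chain OSPFCHAIN
 key 1
  key-string KEYSTRING
interface Serial0/0
 ip ospf authentication-key 7 0474383629116D7D3A
line con 0
 password 7 03347A282D2A15606F2B3A2A39
"""

# A credential keyword, an optional type number, then the stored value.
CRED_RE = re.compile(r"\b(?P<kw>password|secret|key-string|authentication-key)\s+"
                     r"(?:(?P<type>\d+)\s+)?(?P<value>\S+)$")
SEVERITY = {"0": "high", "7": "medium", "5": "ok"}  # this example's own ranking

def classify_line(line):
    """Return (keyword, type, value) for a credential line, else None; no number means Type 0."""
    m = CRED_RE.search(line.strip())
    return (m.group("kw"), m.group("type") or "0", m.group("value")) if m else None

def is_wellformed_type7(value):
    """Two decimal salt digits (IOS generates 00-15) then an even number of hex digits."""
    return (len(value) >= 4 and len(value) % 2 == 0 and value[:2].isdigit()
            and int(value[:2]) <= 15 and all(c in "0123456789ABCDEF" for c in value[2:]))

def audit_config(text):
    """Return (encryption_enabled, findings). Findings are
    (line_no, keyword, type, severity); the value itself is never reported."""
    enabled, findings = False, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.endswith("service password-encryption"):  # "no ..." form disables it
            enabled = not line.startswith("no ")
        if hit := classify_line(line):
            kw, ptype, value = hit
            sev = SEVERITY.get(ptype, "unknown")
            if ptype == "7" and not is_wellformed_type7(value):
                sev = "malformed"  # e.g. "password 7 DONOTDOTHIS" from the slides
            findings.append((no, kw, ptype, sev))
    return enabled, findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG)[1]:
        print("line %d: %s type %s -> %s" % finding)
```

Running it against a saved configuration (or the output of sh run | i pass) gives a quick list of which credentials are still Type 0 and whether the device has service password-encryption turned on.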