Friday, May 22, 2009

Python script to find Cisco routers with default password

While doing my day job (no options... I have to do some of it to earn a living) I spent the last few days auditing a lot of Cisco routers. With a hacker's mind I just went ahead and hacked my way into nearly all of the routers, getting full access. But when the work was complete I suddenly remembered that some of the routers used default passwords, while for others I had extracted the password from the config of a router I had already accessed. I just could not remember which routers I had got into with the default password. As usual the programmer in me woke up (my colleague said he would check manually in an hour); I said I would rather spend half an hour writing a script to find them. The script will also be useful for finding routers with default passwords in future.
So I wrote a Python script (you must know by now that Python is my favourite language) to check for routers with default passwords.
The script is still in its early stages, so I am looking forward to feedback, good or bad.

You can find the script at
http://neo1981.googlepages.com/ciscoPassChk.py

Decrypting...No..Deobfuscating Cisco IOS Passwords

Why did I say deobfuscating rather than decrypting?

The type-7 password is not actually encrypted. A Vigenere-style algorithm is used to obfuscate the password, and there is no secret key involved in this scheme.

Cisco IOS applies this type-7 (level-7) obfuscation when the "service password-encryption" command is configured.

I found some interesting information while I was collecting tools to decode Cisco type-7 passwords. You probably know that there are lots of programs available on the net which decode Cisco type-7 secrets, but this method got my attention because it uses Cisco commands themselves to obtain the cleartext password from the obfuscated string.

Here it goes...
The show key chain command executed on Cisco IOS displays the password configured in a key chain in cleartext, even when that same password is stored as a type-7 obfuscated string in the router configuration.

For example, if you want to get the cleartext password corresponding to the string 04480E051A33490E, enter the following lines into the router configuration (any router's configuration will do; it can be your own router, it need not be the victim's router :D):

R1(config)#key chain test
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 04480E051A33490E

When you execute the show key chain test command, the cleartext value of the password is displayed:

R1#show key chain test
Key-chain decrypt:
key 1 -- text "secure"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
Voila, cleartext without using any tools.
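To make the "obfuscation, not encryption" point concrete, and to give a defender a way to find every credential in a config that is protected only this way, here is a small Python audit script. It is an added example written for this post, not the script linked above and not Bostjan Sustar's Perl code. The TYPE7_KEY constant is the publicly documented fixed key stream of the type-7 scheme (the two-digit seed at the front of a type-7 string is just an offset into it); SAMPLE_CONFIG is a constructed running-config fragment with made-up hostname, usernames and an obviously fake type-5 hash. Running it on the page's sample string returns the seven bytes actually encoded there, which is "secure" followed by one trailing space.

```python
"""Audit an IOS configuration for type-7 ("service password-encryption") strings.

Added example: reverses the fixed-key XOR (Vigenere-style) scheme in a dozen
lines, then walks a running-config and flags every credential that relies on
type 7 alone.  Each finding should be moved to a 'secret' form (type 5/8/9
hash) and rotated, since the old value must be assumed exposed.
"""
import re

# Fixed, publicly documented key stream of the IOS type-7 scheme.  The two-digit
# "seed" at the start of a type-7 string is only an offset into this constant,
# so there is no secret key anywhere in the process.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(obfuscated: str) -> str:
    """Recover the cleartext behind a type-7 string such as 04480E051A33490E."""
    if len(obfuscated) < 4 or len(obfuscated) % 2 or not obfuscated[:2].isdigit():
        raise ValueError(f"malformed type-7 string: {obfuscated!r}")
    seed = int(obfuscated[:2])
    if seed >= len(TYPE7_KEY):
        raise ValueError(f"seed {seed} out of range")
    body = bytes.fromhex(obfuscated[2:])  # one byte per cleartext character
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(cleartext: str, seed: int = 4) -> str:
    """Produce a type-7 string the way IOS would (IOS normally picks seed 0..15)."""
    if not 0 <= seed < len(TYPE7_KEY):
        raise ValueError(f"seed {seed} out of range")
    raw = cleartext.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(raw))
    return f"{seed:02d}{body.hex().upper()}"


# Credential forms that service password-encryption rewrites as type 7.
TYPE7_LINE = re.compile(r"\b(?:password|key-string)\s+7\s+([0-9A-Fa-f]{4,})\s*$")

# Constructed sample config for the demo.  Hostname and user are made up and the
# type-5 line carries a placeholder, not a real MD5-crypt hash.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$FAKE$PLACEHOLDERNOTAREALHASH
username audit password 7 04480E051A33490E
key chain test
 key 1
  key-string 7 04480E051A33490E
line vty 0 4
 password 7 0822455D0A16
 login
"""


def audit_config(config_text: str) -> list:
    """Return (line_no, config_line, cleartext) for every type-7 credential.

    Lines using 'secret' (hashed types) are not reversible this way and are
    deliberately left alone, so they do not appear in the findings.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = TYPE7_LINE.search(line)
        if m:
            findings.append((line_no, line.strip(), type7_decode(m.group(1))))
    return findings


if __name__ == "__main__":
    for line_no, cfg_line, clear in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {cfg_line!r} -> cleartext {clear!r}  [move to a 'secret' form and rotate]")
```

The encoder is included only so the audit can be checked round-trip: encoding "secure " with seed 4 reproduces 04480E051A33490E exactly, which is the real demonstration that nothing secret is involved. In an audit, the number of findings is the metric that matters; the cleartext values are there to prove to the router owner that the strings offer no protection beyond shoulder-surfing.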

I have also found Perl code by Bostjan Sustar that does the same task.
The Perl code is uploaded at http://neo1981.googlepages.com/decrypt_cisco.pl