Friday, May 22, 2009

Decrypting...No..Deobfuscating Cisco IOS Passwords

Why did I say deobfuscating and not decrypting?

The level 7 password is not actually encrypted. The Vigenère algorithm is used to obfuscate the passwords (there is no key used in this algorithm).

Cisco IOS uses this level-7 encryption when the "service password-encryption" command is used. 

I found some interesting info while I was getting tools to decrypt Cisco level 7 passwords. Yes, you might know that there is lots of software available on the net which decrypts Cisco 7 secrets. But this method got my attention since it uses Cisco commands to obtain the cleartext password from the secret.

Here it goes...
The show key chain command executed on Cisco IOS displays the password configured in a key chain in cleartext, even when the same password is stored as a type-7 obfuscated password in the router configuration.

For example, if you want to get the cleartext password corresponding to the string 04480E051A33490E, enter the following lines into a router configuration (any router's configuration; it can be your own router, not necessarily the victim's router :D):

R1(config)#key chain test
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 04480E051A33490E

When you execute show key chain test command, the cleartext value of the password is displayed: 

R1#show key chain test
Key-chain decrypt:
key 1 -- text "secure"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]

Voilà! Cleartext without using any tools.
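To show why type 7 counts as obfuscation, here is an added example (not code from this post or from Cisco) that audits a configuration for type 7 credentials and reverses each one. It assumes the widely published fixed translation table that IOS uses in place of a secret; the function names and the sample config are constructed for illustration.

```python
import re

# Assumption: the fixed, publicly known table used for IOS type 7 strings.
# It is identical on every device, so it provides no secrecy.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "... password 7 <hex>" and "key-string 7 <hex>" config lines.
TYPE7_RE = re.compile(r"\b(password|key-string)\s+7\s+([0-9A-Fa-f]+)\s*$")


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of offset, then hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a well-formed type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii", errors="replace")


def audit_config(config_text: str):
    """Return (line_no, keyword, cleartext) for every type 7 credential found."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = TYPE7_RE.search(line)
        if not match:
            continue
        try:
            findings.append((line_no, match.group(1), decode_type7(match.group(2))))
        except ValueError:
            findings.append((line_no, match.group(1), None))  # malformed value
    return findings


# Constructed sample config; the key-string value is the one from the post.
SAMPLE_CONFIG = """\
service password-encryption
key chain test
 key 1
  key-string 7 04480E051A33490E
line vty 0 4
 password 7 0822455D0A16
enable secret 5 <placeholder-md5-hash>
"""

if __name__ == "__main__":
    for line_no, keyword, clear in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {keyword} type 7 is reversible -> {clear!r}")
```

The string from the post carries seven encoded bytes, so it decodes to "secure" followed by one space. Any config line this audit reports should be treated as holding a cleartext credential.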

I also found Perl code by Bostjan Sustar to do the same task.
The Perl code is uploaded at
