Type 7 decryption in Cisco IOS

Tim Riegert sent me an interesting hint: you don't need password crackers to decode type-7 passwords, you just need access to a router. Here's how you do it:

First, we'll turn on type-7 encryption for local passwords and create a test username:

R1(config)#service password-encryption
R1(config)#username test password t35t:pa55w0rd

Next, we'll inspect the generated username with the show running command:

R1(config)#do show run | include username
username test password 7 08351F1B1D431516475E1B54382F

Now we'll create a key chain and enter the type-7 encrypted password as the key string …

R1(config)#key chain decrypt
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 08351F1B1D431516475E1B54382F

… and the show command does the decryption for us.

R1(config-keychain-key)#do show key chain decrypt
Key-chain decrypt:
    key 1 -- text "t35t:pa55w0rd"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
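
The same reversal can be checked offline when auditing saved configurations. The following is an added example, not code from the original post: type 7 is an XOR against a fixed key string, with the first two decimal digits giving the starting offset into that key. The key constant (widely published, not given in the post), the function names and the sample config are assumptions of this example; the username line is the one shown above.

```python
import re

# Fixed type-7 XOR key as widely published; it does not appear in the post.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# The two config forms shown in the post: "password 7 <hex>", "key-string 7 <hex>".
TYPE7_RE = re.compile(r"\b(?:password|key-string)\s+7\s+([0-9A-Fa-f]+)\b")


def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string: two decimal digits of offset, then hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a well-formed type-7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii", errors="replace")


def audit_config(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, config line, recovered secret) per type-7 entry."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        match = TYPE7_RE.search(line)
        if not match:
            continue
        try:
            findings.append((num, line.strip(), decode_type7(match.group(1))))
        except ValueError:
            continue  # looks like type 7 but is malformed; skip it
    return findings


# Constructed sample config built around the post's test user.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
username test password 7 08351F1B1D431516475E1B54382F
key chain decrypt
 key 1
  key-string 7 08351F1B1D431516475E1B54382F
"""

if __name__ == "__main__":
    for num, line, secret in audit_config(SAMPLE_CONFIG):
        print(f"line {num}: reversible type-7 secret in '{line}' -> {secret!r}")
```

Any line this reports should be treated as holding a cleartext secret wherever the configuration is stored or shared.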

12 comments:

  1. This is so interesting and cool. Thanks!

  2. Seconded. Very neat!

  3. That...I didn't know. Easier than with a C based tool ;)

  4. wow! this is super cool...impressive! any more tricks?

  5. hi,
    sure it is interesting, but if you have config privilege (you can configure key chain) you don't need to know old passwords to recover it, you can change it .. :-)

  6. How about this scenario: you have a router configuration (including passwords) and another router on which you can enter the key-chain command (even Dynamips would do).

  7. This is cool! However, I tried to decrypt a 128-bit encrypted 7 WEP key (Aironet 1130AG), no success...

    is it possible to decrypt it somehow?

  8. re<<to know old passwords to recover it, you can change it>>

    but what if you had an encrypted pre-shared key that was the same and loaded on MANY routers... if you changed it you would break your vpn

    or also encrypted key for a WAP...

    with this you can read it if you have somehow lost it

    i.e. it's not JUST for passwords

  9. Hi!

    On Nexus the 'password 7' method seems to be a different one.
    Here a password of 'cisco123' encrypts to 'fewhg123'.

    password required 7 fewhg123

    Any idea how this can be decrypted? Or what algorithm is used?
    It's interesting that the numeric values are unchanged.

    Ciao,
    Chris

    Replies
    1. I know it's an old article and an old question. The NX-OS password scheme is a normal rotation cipher. This is the sequence:

      3 22 4 5 18 0 21 5 18 3 10 5 16 22 4 16 24 17 12 5 21 18 5 22 19 7

      This means for 'cisco123'

      c + 3 = f
      i + 22 - 26 (i+22 is > 26) = i - 4 = e
      s + 4 = w
      c + 5 = h
      o + 18 - 26 (o+18 is > 26) = o - 8 = g

      Numbers and other non-alphabetic characters are unchanged.

  10. Hi,

    I would like to know if a similar command exists on IOS-XR.

    Thanks in advance.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.