Type 7 decryption in Cisco IOS

Tim Riegert sent me an interesting hint: you don't need password crackers to decode type-7 passwords, you just need access to a router. Here's how you do it:

We'll turn on type-7 encryption for local passwords and generate a test username

R1(config)#service password-encryption
R1(config)#username test password t35t:pa55w0rd

Next we'll inspect the generated username with the show running command

R1(config)#do show run | include username
username test password 7 08351F1B1D431516475E1B54382F

Now we'll create a key chain and enter the type-7 encrypted password as the key string …

R1(config)#key chain decrypt
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 08351F1B1D431516475E1B54382F

… and the show command does the decryption for us.

R1(config-keychain-key)#do show key chain decrypt
Key-chain decrypt:
    key 1 -- text "t35t:pa55w0rd"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

Recent posts in the same categories

12 comments:

  1. Anonymous 14 November 2007 13:44
    This is so interesting and cool. Thanks!
  2. Anonymous 14 November 2007 19:40
    Seconded. Very neat!
  3. Anonymous 18 December 2007 13:40
    That...I didn't know. Easier than with a C based tool ;)
  4. Anonymous 13 August 2008 11:10
    wow! this is super cool...impressive! any more tricks?
  5. Anonymous 12 January 2009 14:49
    hi,
    sure it is interesting, but if you have config privilege (you can configure key chain) you don't need to know old passwords to recover it, you can change it .. :-)
  6. Ivan Pepelnjak 12 January 2009 17:07
    How about this scenario: you have a router configuration (including passwords) and another router on which you can enter the key-chain command (even Dynamips would do).
  7. ppici 24 October 2009 19:44
    This is cool ! However I tried to decrypt an 128bit encrypted 7 WEP key (Aironet 1130AG), no success...

    is it possible to decrypt it somehow?
  8. ed 28 October 2009 18:54
    re<<to know old passwords to recover it, you can change it>>

    but what if you had a encrypted pre-share key that was the same an loaded on MANY routers... if you changed it you would break your vpn

    or also encrypted key for a WAP...

    with this you can read it if you have some how lost it

    i.e. its not JUST for passwords
  9. csiebert 11 February 2011 20:14
    Hi!

    On Nexus the 'password 7' method seems to be a different one.
    Here a password of 'cisco123' encrypts to 'fewhg123'.

    password required 7 fewhg123

    Any idea how this can be decrypted? Or what algorithm is used?
    It's interesting, that the numeric values are unchanged.

    Ciao,
    Chris
    Replies
    1. Jens 15 November 2013 15:09
      I know it's an old article and an old question. The NX-OS password scheme is a normal rotation cipher. This is the sequence:

      3 22 4 5 18 0 21 5 18 3 10 5 16 22 4 16 24 17 12 5 21 18 5 22 19 7

      This means for 'cisco123'

      c + 3 = f
      i + 22 - 26 (i+22 is > 26) = i - 4 = e
      s + 4 = w
      c + 5 = h
      o + 18 - 26 (o+18 is > 26) = o - 8 = g

      Numbers and other non-alphabetic characters are unchanged.
  10. Anonymous 22 May 2014 07:22
    Hi,

    I would like to know if it exist similar command on IOS-XR.

    Thanks in advances.
Add comment
Home
Sidebar