CISCO Salted Password¶
Your company’s network administrator forgot his administration passwords. He does however have a backup of his startup-config file. Use it to recover his passwords! The flag is the concatenation of the enable and administrator passwords.
```
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
enable secret 5 $1$mERr$A419.HL58lq743wXS4kSM1
!
ip cef
no ipv6 cef
!
username administrator secret 5 $1$mERr$yhf7f2RnC74CxKANvoekD.
!
license udi pid CISCO2911/K9 sn FTX1524V4VG-
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 no ip proxy-arp
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 11.0.0.1 255.255.255.252
 no ip proxy-arp
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router bgp 1
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 no synchron
 neighbor 11.0.0.2 remote-as 2
 network 10.0.0.0 mask 255.255.255.0
!
ip classless
!
ip flow-export version 9
!
no cdp run
!
line con 0
 login local
!
line aux 0
!
line vty 0 4
 login
!
!
!
```
The file contains the administrator account's type 5 hash (username administrator secret 5 $1$mERr$yhf7f2RnC74CxKANvoekD.) and, also needed for the flag, the enable type 5 hash (enable secret 5 $1$mERr$A419.HL58lq743wXS4kSM1).
Structure:

```
$1$mERr$A419.HL58lq743wXS4kSM1
 ^ ^    ^
 | |    |
 | |    `-> Hash (salt + password)
 | |
 | `-> base64 salt (4 chars.)
 |
 `-> Hash type (md5)
```
On cracking with hashcat or John the Ripper:

| Cisco | Crackability | John the Ripper | Hashcat |
|---|---|---|---|
| Type 0 | instant | n/a | n/a |
| Type 7 | instant | n/a | n/a |
| Type 4 | easy | --format=Raw-SHA256 | -m 5700 |
| Type 5 | medium | --format=md5crypt | -m 500 |
| Type 8 | hard | --format=pbkdf2-hmac-sha256 | -m 9200 |
| Type 9 | very hard | --format=scrypt | -m 9300 |
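As an added example (not code from the original write-up), the following Python audits a startup-config backup from the defender's side: it finds every stored credential, classifies it by the type digit using the crackability and hashcat mode from the table above, and checks that type 5 strings fit the $1$salt$hash layout shown in the structure diagram. The sample config is constructed from the two hashes above plus a made-up type 7 line; the handling of a `privilege N` keyword between username and secret is an assumption about how such lines appear.

```python
import re

# Crackability and hashcat mode per Cisco hash type, copied from the table above
# (added example, not code from the original write-up).
CISCO_TYPES = {"0": ("instant", None), "7": ("instant", None), "4": ("easy", 5700),
               "5": ("medium", 500), "8": ("hard", 9200), "9": ("very hard", 9300)}

# `enable secret 5 <hash>` or `username <u> [privilege N] secret|password [<type>] <value>`;
# a missing type digit means type 0 (cleartext).
CRED_RE = re.compile(
    r"^\s*(?:enable|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)\s+"
    r"(?:secret|password)\s+(?:(?P<type>[045789])\s+)?(?P<value>\S+)\s*$")
# $1$<salt>$<22 base64 chars>; IOS emits a 4-character salt ("mERr" in the config above).
MD5CRYPT_RE = re.compile(r"^\$1\$(?P<salt>[./0-9A-Za-z]{1,8})\$(?P<hash>[./0-9A-Za-z]{22})$")

# Constructed sample: the two hashes from the config above plus a made-up type 7 line.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$mERr$A419.HL58lq743wXS4kSM1
username administrator secret 5 $1$mERr$yhf7f2RnC74CxKANvoekD.
username backup privilege 15 password 7 0123456789ABCD
line vty 0 4
"""

def parse_md5crypt(value):
    """Split a type 5 string into (salt, hash); None if it does not fit $1$salt$hash."""
    m = MD5CRYPT_RE.match(value)
    return (m["salt"], m["hash"]) if m else None

def audit_config(config_text):
    """Return one finding per stored credential, plus one if cleartext storage is enabled."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.strip() == "no service password-encryption":
            findings.append({"line": lineno, "issue": "type 0 passwords are stored in cleartext"})
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        htype = m["type"] or "0"
        crackability, mode = CISCO_TYPES[htype]
        f = {"line": lineno, "account": m["user"] or "enable", "type": htype,
             "crackability": crackability, "hashcat_mode": mode,
             "weak": crackability in ("instant", "easy")}
        if htype == "5":  # check the $1$salt$hash layout shown in the structure diagram
            parts = parse_md5crypt(m["value"])
            f["salt"], f["well_formed"] = (parts[0] if parts else None), parts is not None
        findings.append(f)
    return findings
```

Run `audit_config(SAMPLE_CONFIG)` against a real backup to list which stored credentials are rated instant or easy and whether type 5 entries are well formed; both type 5 hashes in this challenge share the salt mERr, which the output makes visible.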
Cracking the administrator password:

hash.txt:

```
administrator:$1$mERr$yhf7f2RnC74CxKANvoekD.
```

Using hashcat:

```shell
hashcat -m 500 --username -O -a 0 hash.txt /usr/share/wordlists/rockyou.txt
```

Cracking the enable password:

hash.txt:

```
$1$mERr$A419.HL58lq743wXS4kSM1
```

Using hashcat:

```shell
hashcat -m 500 -O -a 0 hash.txt /usr/share/wordlists/rockyou.txt
```
I also tried IFM, just to see it work. It was extremely slow, and I broke it off after an hour.
The flag is the concatenation of the enable and administrator passwords, in that order.
Resources¶
Counter moves¶
Cisco salted hashes still fall to wordlists when passwords are weak. Strong passwords and modern hashing slow the crack. Seen from the other side, this sits in the blue notes on harvesting stored secrets.
