Cisco Router Passwords
By default, IOS configuration files display passwords and other authentication strings in plain text. The service password-encryption command can conceal the password by showing it in encrypted form. However, the IOS passwords and other authentication strings are encrypted using the Cisco proprietary Vigenere-based cipher. The Vigenere algorithm, better known as the Type 7 algorithm, is reversible and simpler compared to other current encryption techniques. According to Cisco, "the encryption scheme was designed to avoid password theft via simple snooping or sniffing. It was never intended to protect against someone conducting a password-cracking effort on the configuration file."
Cisco IOS configuration files offer the following three options for encrypting passwords:
- Plain text— Displays the configured passwords with no encryption; it is the least secure method and is not recommended.
- Type 7 encryption— Encrypts passwords using a proprietary encryption algorithm; it is better than plain text but still not recommended.
- Type 5 encryption— Encrypts passwords using the Message Digest 5 (MD5) hash mechanism. Although it is the most secure option, Type 5 passwords can be cracked with some effort.
The enable secret command encrypts the password using the one-way MD5 hash mechanism. To determine which scheme has been used to encrypt a specific password, check the digit that precedes the encrypted string in the configuration file. If that digit is a 7, the password has been encrypted using the Type 7 algorithm. If the digit is a 5, the password has been hashed using the stronger MD5 algorithm. The sample IOS configuration snippet in Example 8-1 depicts encrypted passwords. The Type 5 MD5 algorithm encrypts the enable secret password only. The remaining passwords are Type 7.
Example 8-1. Sample Router Configuration—Router-Dallas.txt
hostname Router-Dallas
service password-encryption
! enable password is encrypted using MD5 algorithm
enable secret 5 $1$rQrR$1j1XTXMbCt/1RGh7Y3BlU1
! user password is encrypted using the weaker algorithm
username user1 password 7 030752180500701E1D
!
key chain MYKEY
key 1
key-string 7 141C17125D5679
!
line vty 0 4
password 7 1511021F0725
login
!
end
Many tools are available for decrypting Cisco IOS passwords from the configuration files. Among the choices, Cain & Abel, available at http://www.oxid.it, is the most versatile and user-friendly tool for decrypting passwords. Cain & Abel can decrypt both Type 7 and Type 5 passwords. The following sections cover the steps used to recover both of these types of passwords from IOS devices.
This tool is compatible with MS-Windows NT/2000/2003/XP, and the installation process is simple. Download the .exe file from the home page and save it locally. Double-click the saved file to begin the installation procedure. The tool provides a ready-to-use graphical user interface (GUI) and requires no postinstallation configuration. The only information required is the configuration file from the target router that contains the encrypted passwords.
Note
The router configuration file can be captured by using the show running-config command on the router. You can also download the configuration file from the router to a Trivial File Transfer Protocol (TFTP) server using the copy runn tftp command on the router.
Decrypting Type 7 Passwords
Follow these steps to decrypt a Cisco IOS Type 7 password:
Step 1.
Start the Cain & Abel tool kit by choosing Start > Programs > Cain > Cain.
Figure 8-1 shows the main window for Cain & Abel.
Figure 8-1. Cain & Abel
Step 2.
From the Cain & Abel main window, launch the Cisco Type 7 Password Decoder by choosing Tools > Cisco Type-7 Password Decoder.
Step 3.
Paste the Type 7–encrypted password (from the router configuration file) in the Password Decoder window. The decrypted password is instantly displayed in the Decrypted password field.
Figure 8-2 shows the encrypted password string 030752180500701E1D being decrypted as cisco123. Note that the encrypted password was copied from the username user1 password 7 030752180500701E1D command in Example 8-1.
Figure 8-2. Decrypting a Type 7 Password
Tip
The GetPass utility, from Boson Software Inc. (http://www.boson.com), provides a similar functionality for decrypting Type 7 passwords. But unlike Cain & Abel, GetPass does not offer any other feature.
Decrypting Type 5 Passwords
The Cain & Abel tool, discussed in the previous section of this chapter, can also recover Type 5 passwords. Unlike Type 7 passwords, which are encrypted using a reversible algorithm, Type 5 passwords are encrypted using a one-way nonreversible algorithm. The encrypted password string is an MD5 hash that is created from the original password. The Type 5 password-recovery mechanism, used by tools like Cain & Abel, compares the original MD5 hash of the password with the MD5 hash of a known text string. If both hashes are the same, the password is the same as the known text string. The password-recovery tools work by trying various combinations and lengths of characters. Depending on the length of the original password, decrypting the password can take a large amount of time.
Using Cain & Abel, the Type 5 password-recovery steps are as follows:
Step 1.
Start the Cain & Abel tool kit by choosing Start > Programs > Cain > Cain.
Step 2.
From the Cain & Abel main window, click the Cracker tab and then click the Cisco IOS-MD5 Hashes option in the left pane, as shown in Figure 8-3.
Figure 8-3. Cisco IOS-MD5 Hashes Window
Step 3.
As shown in Figure 8-4, right-click in the right pane and select Add to list from the menu that appears. Follow the prompts to provide the location of the IOS configuration file that contains the MD5 hashes. This example uses the Router-Dallas.txt file from Example 8-1.
Figure 8-4. Cain & Abel—IOS Configuration File
The program parses the configuration file and lists all the MD5 hashes in the Hash column.
Step 4.
Right-click the hash and select Brute-Force Attack to launch the Brute-Force Attack window, as shown in Figure 8-5. Accept the default values and click the Start button to begin the process. Depending on the length of the password and the CPU utilization, the process can take a large amount of time.
Figure 8-5. Cain & Abel—Brute-Force Attack Window
The process automatically stops after cracking the hash. As shown in Figure 8-6, the process recovered the original password pal that was specified on the router using the enable secret pal command.
Figure 8-6. Cain & Abel—Brute-Force Attack Result
Tip
The short password used in this section is for illustration purposes only. Actual passwords should always be more than eight characters long, with a combination of uppercase and lowercase letters, numbers, and special characters (such as #, %, and &). An eight-character-long password composed only of numbers and uppercase and lowercase alphabetic characters can have 62^8 (218 trillion) possible combinations.
Simply by making that password nine characters long, the possible combinations increase to 13 quadrillion. On the other hand, an eight-character-long password that also uses special characters (such as #, %, and &) can have 6 quadrillion combinations. Using the same set of characters, a nine-character-long password increases to 572 quadrillion combinations.
To discourage password attacks, Netadmins should take the following actions:
- Use the enable secret password command instead of the enable password password command on the router.
- Use longer passwords, with special characters such as *, %, #, $, ~, and !.
- Remove the encrypted password strings from the configuration text files before e-mailing or making offline backups. To remove password strings, open the configuration file in a text editor (such as Notepad or WordPad), delete the encrypted text, and save the file.
- Be careful when directly saving configuration files in sophisticated word processing applications such as MS-Word. These applications offer the Version feature, which records all the changes made to the original document. This feature can unintentionally disclose deleted passwords from the document.
- Avoid accessing devices from computers that belong to others because a keystroke-capture program might be in use. If you access a device in front of unauthorized users or through a third-party computer, change the password as quickly as possible, but be sure to change it in a secure environment.
Have fun, everyone!!!
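An added example, not part of the original post or the chapter it quotes: a short Python audit that applies the digit check described above to Example 8-1 and strips the credential strings before the file is e-mailed or backed up. The keyword list, the `<removed>` marker and the function names are assumptions made for this illustration.

```python
import re

# Example 8-1 from the page (comment and "!" lines omitted), embedded to run offline.
SAMPLE_CONFIG = """\
hostname Router-Dallas
service password-encryption
enable secret 5 $1$rQrR$1j1XTXMbCt/1RGh7Y3BlU1
username user1 password 7 030752180500701E1D
key chain MYKEY
 key 1
  key-string 7 141C17125D5679
line vty 0 4
 password 7 1511021F0725
 login
end
"""

# Assumed keyword list (the three seen in Example 8-1); extend for a real audit.
CRED = re.compile(r"^(?P<head>.*?\b(?:secret|password|key-string))\s+"
                  r"(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$")

RATING = {  # the digit before the string names the scheme; no digit = plain text
    None: "plain text, readable as-is",
    "7": "Type 7, reversible: treat as disclosed",
    "5": "Type 5, one-way MD5: guessable offline if short",
}

def audit(config):
    """Return (line_no, command, type_digit, rating) per credential line."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = CRED.match(line)
        if m:
            t = m.group("type")
            rating = RATING.get(t, "type %s, not covered on this page" % t)
            findings.append((no, m.group("head").strip(), t, rating))
    return findings

def redact(config):
    """Strip credential strings before the file is e-mailed or archived."""
    lines = []
    for line in config.splitlines():
        m = CRED.match(line)
        lines.append(m.group("head") + " <removed>" if m else line)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for no, cmd, _, rating in audit(SAMPLE_CONFIG):
        print("line %d: %-24s %s" % (no, cmd, rating))
    print(redact(SAMPLE_CONFIG))
```

Run against Example 8-1, the audit reports one Type 5 line and three Type 7 lines, and the redacted copy keeps every command but none of the encrypted strings.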



