MD5 encrypted passwords with user accounts

Answered Question

Hi All


I have a question about setting up user accounts on a Cisco router.


I have seen a statement like the following on a Cisco router


username cisco privilege 15 secret 5 $1$s4bl$Lb.b/v/HgWKTdfP/h9


However, if I try to enter the command "username <myname> privilege 15 secret 5 <password in plain text>", I get the following error:


BETE_R1-3640(config)#username michael privilege 15 secret 5 password

ERROR: The secret you entered is not a valid encrypted secret.

To enter an UNENCRYPTED secret, do not specify type 5 encryption.

When you properly enter an UNENCRYPTED secret, it will be encrypted.


This seems to suggest that I have to enter the password in MD5 encrypted fashion. Is this the case?


If yes, is there some way that you can create an MD5 encrypted password to enter on your router?



Best Regards,


Michael


Correct Answer by Mark Yeates, Thu, 07/03/2008 - 04:06

Michael,


You will only specify 5 if the password has been previously encrypted. If you are entering a password and it is not encrypted, it will not accept it because it is not a valid MD5 string. Below is how to configure a username/password that will use the MD5 encryption.


username <name> privilege 15 secret <password>


In the config it will show an encrypted MD5 password.



Mark

Correct Answer by royalblues, Thu, 07/03/2008 - 03:59

Michael,


As per my experience, you need to always discard the "5" when you want to encrypt the password. The secret keyword ensures that the password is MD5 protected.


The converted MD5 password can then be seen using the show run command. The line can then be entered as it is (including the 5) on other routers for similar configuration.



Narayan

Hi There


Cheers for the response and information.


As per your posts, I entered "username michael privilege 15 secret password" and the show run shows


"username michael privilege 15 secret xxx."


When I initially saw this, I thought that the command entered by whoever configured this router was "username privilege 15 secret 5 " (with the 5 after the keyword "secret") and could not understand why, when I tried this command, I got the error.


However, thinking a little more about this, it now makes sense. If this configuration was being loaded back in from, say, a TFTP server after some problem, then the password is indeed in its MD5 hashed format, hence the requirement for the number "5" after the word secret.


Can I just ask if either of you guys are aware of a tool which would generate an MD5 hashed password, suitable to be entered as ".... secret 5 ", or is this not the done thing?


I tried using another Cisco router and taking the MD5 hashed enable secret password and using it in my "username ...." command. And although the command is accepted without any error, when I try to then log in using this password, I get "Login invalid".



Best Regards,


Michael


Mark Yeates Thu, 07/03/2008 - 04:37
User Badges:
  • Gold, 750 points or more

The only way I know an MD5 password can be cracked is by brute force or dictionary attack. I have not seen any applications where you can copy and paste the encrypted password and display the password. The type 7 passwords, on the other hand, can easily be broken.



Mark

Hi Mark


I don't mean to crack the password. What I mean is, if there is any tool which you could use to GENERATE an MD5 hashed version of a password which a Cisco router would accept and would be usable.


Say that you are paranoid about the password being seen by someone looking over your shoulder while you enter it into the router. So you have a tool/application into which you could enter a plain text string and have an MD5 hashed password, suitable for use with a Cisco device, generated. Of course, if the plain text password can be seen while you configure the router, it can be seen as you enter it into a third-party tool/application.


I was really just curious, as it seems that you can enter an MD5 hashed password if you use the number "5" after the "secret" keyword. But as I mentioned above, I believe this is purely only used in the case where a router's configuration has to be restored from a backup.


Again, thanks for the response and information.



Best Regards,


Michael

royalblues Thu, 07/03/2008 - 05:26
User Badges:
  • Green, 3000 points or more

Though you will find many MD5 generators on the web when you google, they never work with the secret command and you will still get the same error.


It's best to configure the unencrypted string and leave it to the router to do the encryption. Try to configure the command when no one is looking around :-)


Narayan
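Michael asked above for a tool that produces a string the router will accept after "secret 5", and Narayan notes that the MD5 generators found on the web never work. The reason is the format: a web generator emits a bare 32-character hex MD5 digest, whereas an IOS type 5 secret is an md5crypt string, $1$<salt>$<22 chars>, salted and run through 1000 MD5 rounds (the same $1$ construction as Unix crypt(3)). The following is an added example, not code from any poster or from Cisco; it implements md5crypt, generates a secret with a fresh 4-character salt the way IOS does, and verifies a candidate password against a stored value from show run. The sample password is constructed.

```python
import hashlib
import secrets
from typing import Optional

# Added example, not from any poster in this thread. An IOS "secret 5" value is a
# classic md5crypt string, $1$<salt>$<22 chars>; IOS itself picks a 4-character
# salt. This is the same construction Unix crypt(3) uses for $1$ hashes.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """md5crypt's little-endian base-64 encoding of the low 6*count bits."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """Return $1$salt$hash for password, in the form 'secret 5' expects."""
    pw = password.encode()
    sl = salt.encode()
    if not 1 <= len(sl) <= 8 or any(c not in ITOA64 for c in sl):
        raise ValueError("salt must be 1-8 characters from [./0-9A-Za-z]")

    ctx = hashlib.md5(pw + MAGIC + sl)
    # An alternate digest of pw+salt+pw is folded in, one byte per password byte.
    alt = hashlib.md5(pw + sl + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    # Then, for each bit of the password length, either a NUL or the first byte.
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds mixing password, salt and the running digest in a fixed
    # pattern; this is what makes it slower than a single plain MD5.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # The 16 digest bytes are emitted in md5crypt's permuted order.
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (MAGIC + sl + b"$" + out).decode()


def new_type5_secret(password: str) -> str:
    """Generate a fresh 4-character salt (as IOS does) and hash the password."""
    salt = "".join(secrets.choice(ITOA64.decode()) for _ in range(4))
    return md5crypt(password, salt)


def verify_type5(password: str, stored: str) -> bool:
    """Check a candidate password against a 'secret 5' string taken from show run."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False  # not $1$salt$hash, e.g. a bare hex MD5 from a web generator
    try:
        candidate = md5crypt(password, parts[2])
    except ValueError:
        return False
    return secrets.compare_digest(candidate, stored)


def secret_from_username_line(line: str) -> Optional[str]:
    """Pull the hash out of 'username NAME ... secret 5 HASH'; None if absent."""
    tokens = line.split()
    if "secret" in tokens:
        i = tokens.index("secret")
        if tokens[i + 1 : i + 2] == ["5"] and len(tokens) > i + 2:
            return tokens[i + 2]
    return None


if __name__ == "__main__":
    pw = "example-only"  # constructed sample password, not from the thread
    print("plain MD5 hex (what web generators give):", hashlib.md5(pw.encode()).hexdigest())
    h = new_type5_secret(pw)
    print("username michael privilege 15 secret 5", h)
    print("verifies:", verify_type5(pw, h))
```

The output of new_type5_secret() can be pasted after "secret 5" on another router, which is exactly what copying a line from show run does; the verify function is the router's side of the login check and is useful for confirming that a hash in a backed-up config still matches the password you believe it holds. Generating the hash on a workstation does not remove the shoulder-surfing concern Michael raises, since the plaintext is still typed somewhere; it only moves it off the console.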

I realized this was answered but I wanted to add to this another solution.

In certain versions of IOS 15 code, if you enter the enable secret unencrypted, by default the OS will encrypt it but with a type 4 password, which is weaker than a type 5. To fix this you can either upgrade the code to correct the bug or you can manually enter a type 5. To generate a type 5 password simply:

Copy a type 5 password from an IOS platform that does not support type 4. 

Log on to a Cisco device running a version 12 IOS. Enter your command "enable secret <password>".

Then "show run | in enable secret".

Copy and paste the output into your 15 code device that exhibits this bug.

This article helped me find the answer for this. It explains it in great detail.


https://tools.cisco.com/security/center/content/CiscoSecurityResponse/ci...
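The thread has now named four ways a credential can appear in an IOS config: stored in the clear, as a reversible type 7 string (Mark: "can easily be broken"), as the weaker type 4 hash that some IOS 15 releases produced, and as a type 5 md5crypt hash. A quick check over a saved configuration for anything that is not well-formed type 5 is the practical follow-up. The following is an added example, not code from any poster or from Cisco; the sample config lines are constructed, and the hash bodies in them are placeholders rather than values from any device.

```python
import re
from typing import List, Optional, Tuple

# Added example, not from any poster or from Cisco. The sample below is
# constructed to look like `show running-config | include secret|password`
# output; the hash bodies are placeholders, not values from any device.
SAMPLE_CONFIG = """\
username michael privilege 15 secret 5 $1$s4bl$CONSTRUCTEDxxxxxxxxxxx
username backup privilege 15 password 7 CONSTRUCTED7
username legacy password cleartextpw
enable secret 4 CONSTRUCTEDtype4placeholderxxxxxxxxxxxxxxxxx
enable secret 5 $1$abcd$tooshort
interface Loopback0
"""

# 'username NAME [privilege N]' or 'enable', then secret|password, optional type, value.
LINE_RE = re.compile(
    r"^(?:username\s+(?P<name>\S+)(?:\s+privilege\s+\d+)?|(?P<enable>enable))\s+"
    r"(?P<kw>secret|password)\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)$"
)
# Well-formed type 5: $1$, 1-8 salt chars, $, 22 hash chars from md5crypt's alphabet.
TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

# Ratings follow the thread: 5 = salted MD5 (md5crypt), what 'secret <plaintext>'
# produces; 4 = the weaker hash some IOS 15 releases produced; 7 = reversible
# encoding, not a hash; no type number = stored in the clear.
RATINGS = {
    "5": ("ok", "salted md5crypt; acceptable per the thread"),
    "4": ("weak", "type 4 is weaker than type 5: re-enter the secret as type 5 or upgrade"),
    "7": ("weak", "type 7 is reversible obfuscation: use 'secret' instead of 'password 7'"),
    "0": ("clear", "stored in plaintext: use 'secret' so the router hashes it"),
}

Finding = Tuple[str, str, str, str]  # (account, type, rating, note)


def classify_line(line: str) -> Optional[Finding]:
    """Classify one config line; None for lines that carry no credential."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    account = m["name"] or "enable"
    ptype = m["type"] or "0"
    if ptype == "5" and not TYPE5_RE.match(m["value"]):
        # The case the router itself rejects with
        # "The secret you entered is not a valid encrypted secret."
        return (account, ptype, "malformed", "type 5 value is not a $1$salt$hash string")
    rating, note = RATINGS.get(ptype, ("unknown", f"type {ptype} not covered by this checker"))
    return (account, ptype, rating, note)


def audit(config_text: str) -> List[Finding]:
    """Run classify_line over a whole config dump, dropping non-credential lines."""
    findings = []
    for line in config_text.splitlines():
        f = classify_line(line)
        if f:
            findings.append(f)
    return findings


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Everything except well-formed type 5 entries."""
    return [f for f in findings if f[2] != "ok"]


if __name__ == "__main__":
    for account, ptype, rating, note in audit(SAMPLE_CONFIG):
        print(f"{account:10} type {ptype:>2} {rating:9} {note}")
```

Run it against a saved running-config and act on everything needs_attention() returns. Later IOS releases added type 8 (PBKDF2 with SHA-256, $8$) and type 9 (scrypt, $9$) secrets, which are stronger than type 5; this checker, which covers only the types discussed in the thread, reports them as "unknown" rather than flagging them.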



grafchristian Thu, 07/03/2008 - 04:56
User Badges:

One of the most challenging ways to crack an MD5 hash is the use of rainbow tables. There are some online tools available to get a vision of what is possible with that (http://md5.thekaine.de).

Especially ophcrack (not for MD5, but Windows passwords) is an amazing proof of how weak those mechanisms are.
