Amin Shaikh Fri, 08/28/2009 - 00:48


For MD5 there is no procedure or tool to decrypt.

As well, I don't have physical access to the router.

Leo Laohoo Sun, 08/30/2009 - 14:45

Now, I don't have first-hand experience with this, but I was told by someone who contacted Cisco and (after a lengthy procedure to verify identification) was given the unencrypted MD5 values.

Try raising a TAC request.

Peter Paluch Sun, 08/30/2009 - 19:01


Personally, I strongly doubt that. The MD5 is a hash - a one-way function - and Cisco appears to implement the Unix style of the MD5 hashing in the passwords (probably they reimplemented the crypt() function as used in GLibc in Linux - any IOS coder here to confirm?). There is no way to directly "decrypt" an MD5 hash. What is possible to do is to find a collision string that produces the same hash value if that hash is computed directly from the input but the way to do this effectively has been found only recently.

The hash in Type 5 password is not a direct hash of the password, though. The passwords are "salted" - i.e. the string between the second and third $ sign is combined with the entered password in several rounds so even if you are able to find a collision string to the resulting MD5 hash, it will not be helpful because that MD5 hash is not a direct hash, rather a multiorder hash of hashes created in several rounds of the crypt() function. This is a quotation from Wikipedia's article:

First the passphrase and salt are hashed together, yielding an MD5 message digest. Then a new digest is constructed, hashing together the passphrase, the salt, and the first digest, all in a rather complex form. Then this digest is passed through a thousand iterations of a function which rehashes it together with the passphrase and salt in a manner that varies between rounds. The output of the last of these rounds is the resulting passphrase hash.

These are reasons for which I do not believe that Cisco TAC is able to "crack" the Type 5 passwords. And, while that is certainly not helpful for you, I hope that there is not some backdoor password possibility.

I am sorry to ruin your hopes. But then again, if you cannot attend the router yourself, can you at least direct somebody to perform that password recovery procedure remotely?

Best regards,
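
Added example, not part of the post above and not Cisco's code: a Python sketch of the Unix MD5-crypt (`$1$`) scheme described in that post and its Wikipedia quotation, showing that a stored string can only be checked by recomputing it with the stored salt. It assumes Type 5 follows standard MD5-crypt, as the post suggests; the function names, the sample password and both salts are constructed for illustration.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def parse_type5(stored):
    """Split '$1$<salt>$<hash>'; the salt sits between the 2nd and 3rd '$'."""
    empty, ident, salt, digest = stored.split("$")
    if empty or ident != "1" or not 0 < len(salt) <= 8 or len(digest) != 22:
        raise ValueError("not an MD5-crypt ($1$) string")
    return salt, digest

def _to64(value, count):
    # crypt's own base64 variant: lowest 6 bits are emitted first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5_crypt(password, salt):
    """Recompute the full '$1$salt$hash' string for a password and salt."""
    pw, s = password.encode(), salt.encode()
    alt = hashlib.md5(pw + s + pw).digest()       # first digest: passphrase + salt
    ctx = hashlib.md5(pw + b"$1$" + s)            # second digest mixes in the first
    for off in range(0, len(pw), 16):
        ctx.update(alt[:min(16, len(pw) - off)])
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                         # the thousand varying rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(s)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64(final[x] << 16 | final[y] << 8 | final[z], 4)
                  for x, y, z in groups)
    return f"$1${salt}$" + enc + _to64(final[11], 2)

def verify(candidate, stored):
    """True only if the candidate, hashed with the stored salt, matches."""
    salt, _ = parse_type5(stored)
    return hmac.compare_digest(md5_crypt(candidate, salt), stored)

# Constructed sample data: one password under two different salts.
SAMPLE_A = md5_crypt("Lab-Secret-1", "aB3d")
SAMPLE_B = md5_crypt("Lab-Secret-1", "Zz9.")
```

The two sample strings differ even though the password is the same, so a precomputed table of plain MD5 values is of no use against either one.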


Lucien Avramov Mon, 08/31/2009 - 00:43

TAC will not be able to provide you with such information. I won't count on this as we don't have such tools in TAC.

You are left with the password recovery and you will need physical access.

Check out an earlier post where this was discussed:

