Hello,
Personally, I strongly doubt that. The MD5 is a hash - a one-way function - and Cisco appears to implement the Unix style of the MD5 hashing in the passwords (probably they reimplemented the crypt() function as used in GLibc in Linux - any IOS coder here to confirm?). There is no way to directly "decrypt" an MD5 hash. What is possible to do is to find a collision string that produces the same hash value if that hash is computed directly from the input but the way to do this effectively has been found only recently.
The hash in Type 5 password is not a direct hash of the password, though. The passwords are "salted" - i.e. the string between the second and third $ sign is combined with the entered password in several rounds so even if you are able to find a collision string to the resulting MD5 hash, it will not be helpful because that MD5 hash is not a direct hash, rather a multiorder hash of hashes created in several rounds of the crypt() function. This is a quotation from Wikipedia's article:
http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme
First the passphrase and salt are hashed together, yielding an MD5 message digest. Then a new digest is constructed, hashing together the passphrase, the salt, and the first digest, all in a rather complex form. Then this digest is passed through a thousand iterations of a function which rehashes it together with the passphrase and salt in a manner that varies between rounds. The output of the last of these rounds is the resulting passphrase hash.
These are reasons for which I do not believe that Cisco TAC is able to "crack" the Type 5 passwords. And, while that is certainly not helpful for you, I hope that there is not some backdoor password possibility.
I am sorry to ruin your hopes. But then again, if you cannot attend the router yourself, can you at least direct somebody to perform that password recovery procedure remotely?
Best regards,
Peter
