Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

What's type of ACS v4.2 Database password hash?

What's type of ACS v4.2 Database password hash?



Name          :          ###postureuser

Password      :          0x0020 fe fc f0 11 24 dc dd bd 0f d9 78 56 b8 4a fc f4 40 d0 bd 1d 19 5b 56 7e 14 f0 4e 1a b0 83 66 24

Chap password :          0x000e 22 07 e4 28 c0 09 7f 1a b7 e6 2a 78 a1 52



Everyone's tags (3)

What's type of ACS v4.2 Database password hash?


I have been looking for an answer on this query, however, I have not been able to find the exact answer. I did find some useful information which I will include below:

1) Using "csutil -d" you will be able to extract both Usernames and Passwords from the ACS Internal Database. Usernames will be on clear text and the password will be hashed with the specified password you used when executing

"csutil -d".

C:\Program Files\CiscoSecure ACS v4.2\bin>CSUtil.exe -d

CSUtil v4.2(0.124), Copyright 1997-2008, Cisco Systems Inc

Please, provide secret key to encrypt user passwords being dumped.

This key will be asked during dump file importing.

Empty Passwords will create dumps which are not re-loadable into ACS..


2) It seems that the hash has not been revealed by Cisco ACS Developers. However, they have confirmed that the User Passwords are hashed using that password. Also, if using an "empty" password the exported user passwords will be "cisco123" or hashed: 0x0008 63 69 73 63 6f 31 32 33

If you are trying to convert the passwords to clear text in order to recreate the accounts on a different server other than ACS (AD, LDAP, 3rd Party RADIUS) it will not work as there are not any known procedures to decrypt those passwords.

Deeper investigation can be requested to TAC, however, I am not sure how accessible would it be to have a Developer share the hash method/algorithm used for Password encryption on the ACS Internal Database as it might be considered a security breach on the database of the application.

Hope this clarifies it.


CreatePlease to create content