3343 Views, 0 Helpful, 2 Replies

ASA generates the same password hashes

viacheslav.k
Level 1

Hi guys,

I found out that the ASA (8.2 in particular) generates the same password hash for the same password every time.

So, if I enter the same password on different ASAs, the password hash will be the same. And if you decrypt one of them, you will know the password for all systems. It's very strange. Moreover, Cisco routers and switches generate different password hashes. I understand that these devices use different encryption algorithms.

Examples.

If I run on the ASA:

(config)# username testuser1 password 12345
(config)# username testuser2 password 12345
(config)# username testuser3 password 12345
(config)# username testuser4 password 12345
(config)# username testuser5 password 12345

I get:

# sh run | in username testuser
username testuser3 password oFJjANE3QKoA206w encrypted
username testuser2 password oFJjANE3QKoA206w encrypted
username testuser1 password oFJjANE3QKoA206w encrypted
username testuser5 password oFJjANE3QKoA206w encrypted
username testuser4 password oFJjANE3QKoA206w encrypted

The same oFJjANE3QKoA206w hash.

On the Routers:

(config)# username testuser1 secret 12345
(config)# username testuser2 secret 12345
(config)# username testuser3 secret 12345
(config)# username testuser4 secret 12345
(config)# username testuser5 secret 12345
Result:

#sh run | in testuser
username testuser1 secret 5 $1$ni5I$v3Sq5TBrQ7Ty3Eyygg.Sb0
username testuser2 secret 5 $1$Ecsn$XzGSHF7knxLxskt8Wc3ku1
username testuser3 secret 5 $1$.0o5$9dZD4RkJa9FF10rMXZpPm.
username testuser4 secret 5 $1$FJVN$NtM9dY.H238dgS6tOjUzM.
username testuser5 secret 5 $1$BUAY$PHKM8ksvSOxl9r/U7Ruft/

Absolutely different hashes.

It's very strange that the ASA (a security device) does it this way.

Maybe I need to turn on some special service (command) or something like that? Why does the ASA do it?

1 Accepted Solution


Panos Kampanakis
Cisco Employee

You are right, the ASA was not using a salt to hash the passwords as in IOS. It was practically obfuscating how they showed on the running config, and not hashing them.

Though, in ASA 8.3 there is a new feature (password encryption) that practically encrypts the passwords (commands: key config-key password-encryption, password encryption aes) with a passphrase that can be changed on a per-box basis, so you will not face this problem.

I hope it helps.

PK


2 Replies

Pedro Rivas
Level 1

The ASA does salt the password, but it uses the first 4 characters of the username as the salt. In the example provided, the first 4 characters of all 5 usernames are the same. Since the first 4 are the same, the resulting hash is the same. Had he used usernames with unique first 4 characters, the resulting hashes for the same password would have been different.

IOS salts using a random 24-bit value between the $ signs. Packet Life has an entry about IOS hashing in more detail.
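The two behaviours described in this thread (five identical ASA hashes for the same password, five different IOS hashes) can be reproduced and checked offline. The Python below is an added example, not code from this thread or from Cisco. Its md5crypt() is the standard FreeBSD MD5-crypt algorithm ($1$salt$hash) that IOS uses for "secret 5" entries; it is verified against the testuser1 hash quoted above, so you can audit that an IOS type-5 string really is the salted hash of a given password. Its username_prefix_hash() is only a simplified model of the "salt = first four characters of the username" behaviour described in the reply above; that model is an assumption for illustration and is not the ASA's real encoding. It shows why testuser1 to testuser5 collapse to one hash in such a scheme while a per-entry random salt does not, and salts_from_running_config() pulls the five distinct IOS salts out of the quoted output.

```python
"""Same password, same hash? Predictable vs. random salts in password hashing.

Added example; this is not code from the Cisco Community thread or from Cisco.
  * md5crypt() is the standard FreeBSD MD5-crypt ($1$salt$hash) algorithm
    that IOS uses for 'username ... secret 5'; it is checked against one of
    the hashes quoted in the thread.
  * username_prefix_hash() is a deliberately simplified MODEL of "salt =
    first four characters of the username" as described in the thread.
    It is an assumption for illustration, not the ASA's actual encoding.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# IOS output quoted in the thread (testuser1..5, all set to password 12345).
IOS_RUNNING_CONFIG = """\
username testuser1 secret 5 $1$ni5I$v3Sq5TBrQ7Ty3Eyygg.Sb0
username testuser2 secret 5 $1$Ecsn$XzGSHF7knxLxskt8Wc3ku1
username testuser3 secret 5 $1$.0o5$9dZD4RkJa9FF10rMXZpPm.
username testuser4 secret 5 $1$FJVN$NtM9dY.H238dgS6tOjUzM.
username testuser5 secret 5 $1$BUAY$PHKM8ksvSOxl9r/U7Ruft/""".splitlines()


def _to64(value, count):
    """crypt(3)-style base64: 6 bits at a time, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt, magic="$1$"):
    """FreeBSD MD5-crypt, the algorithm behind IOS 'secret 5' hashes."""
    pw, salt = password.encode(), salt[:8]    # salt is at most 8 characters
    sb = salt.encode()
    ctx = hashlib.md5(pw + magic.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):          # mix in len(pw) bytes of alt
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                                  # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # stretching: 1000 extra rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in order)
    encoded += _to64(final[11], 2)
    return f"{magic}{salt}${encoded}"


def verify_ios_secret5(stored, password):
    """Recompute a type-5 hash from the salt embedded in it and compare."""
    if not stored.startswith("$1$"):
        return False
    salt = stored[3:].split("$", 1)[0]
    return hmac.compare_digest(md5crypt(password, salt), stored)


def new_ios_style_hash(password):
    """Fresh random 4-character salt per entry, so equal passwords differ."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5crypt(password, salt)


def salts_from_running_config(lines):
    """Pull the salt out of each 'username ... secret 5 $1$salt$hash' line."""
    return [line.split()[-1][3:].split("$", 1)[0]
            for line in lines if " secret 5 $1$" in line]


def username_prefix_hash(username, password):
    """MODEL (assumption, not the ASA's real scheme): salt = username[:4]."""
    return hashlib.md5((password + username[:4]).encode()).hexdigest()


def distinct_hash_count(usernames, password):
    """How many different hashes the prefix-salt model yields for one password."""
    return len({username_prefix_hash(u, password) for u in usernames})


if __name__ == "__main__":
    users = [f"testuser{i}" for i in range(1, 6)]
    print("prefix-salt model, testuser1..5 :", distinct_hash_count(users, "12345"), "distinct hash(es)")
    print("prefix-salt model, alice/bob    :", distinct_hash_count(["alice", "bob"], "12345"), "distinct hashes")
    print("IOS salts quoted in the thread  :", salts_from_running_config(IOS_RUNNING_CONFIG))
    print("testuser1 hash verifies as 12345:", verify_ios_secret5(IOS_RUNNING_CONFIG[0].split()[-1], "12345"))
    print("two fresh hashes of 12345       :", new_ios_style_hash("12345"), new_ios_style_hash("12345"))
```

The prefix-salt model yields one hash for testuser1 to testuser5 and two for alice and bob, which is exactly the collision described in the reply: any salt that is a function of data an attacker can also read (the username) lets identical passwords be spotted across users and across boxes. The IOS entries, by contrast, carry a fresh salt each, so equal passwords look unrelated and can only be confirmed by recomputing each hash with its own salt, as verify_ios_secret5() does. When reviewing configs, treat a repeated hash string across accounts or devices as a sign of a shared password.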
