No more Password Misery!!!(tm)

Useful Cisco Password Utilities, or Uk! Pooh! for short

All sorts of clever people have come up with these lovely utilities for converting Cisco passwords into plain text. Here is a handy little resource for those crucial moments when you just simply forgot to bring your Unix box to the party...

What am I saying??? What I really meant was, some criminally insane sociopaths have abused their positions of power/knowledge to subvert the very fabric of society by wantonly spreading their evil lies and dangerous propaganda, corrupting the innocent in droves along the way, causing mass hysteria, chaos, panic in the streets, flood, famine, pestilence, unwanted pregnancies etc. etc...

It falls to me, therefore, to expose their underground activities, for the world to see, because only be learning their devious tricks can we hope to ever get the better of them...

OK. So what are we actually talking about here? Well... A Cisco router is one of those funny black boxes that sits in your server room, and connects you to that Internet thingy. Cisco sell a *lot* of these boxes, and a large percentage of the Internet is made up of them... They turn over getting on for 8 Billion dollars, selling little black boxes, and, since the security of your network is in part (and often completely) dependant on them, they have taken careful steps to ensure that your router is safe from that world of uninvited guests queuing at your netstep... One of the ways they've protected you is by the use of passwords. It is possible to provide a password to stop any Harry, Dick or Tom from logging into your router and tweaking it's configuration... Since this password contains the keys to your netdom, they encrypt it for added security. Again, since this key is so important, they spent several minutes, possibly even hours, devising an encryption scheme that makes your password completely safe from prying eyes (rather than spending any of those nice dollars on licencing some strong crpyto)... This encryption scheme is so secure that it was reputedly cracked during a casual conversation over a cup of coffee in a fast-food restaurant, and the algorithm noted down on a napkin. The algorithm is now widely known, and several versions of the cracker have been published. In addition to the cracker itself, you will also need to know how to get the encrypted password out of the Cisco in the first place, and that is what we are going to look at now:

As every little schoolthang knows, every good adventure starts with a map/secret message/tunnel/high class hooker/etc., and this is no exception... We have a secret message AND a back door... First we must obtain the secret message - to do this, you'll need to have physical access to the Cisco. The simplest way is to phone your ISP and tell him/her/geek that you are moving some stuff around in the server room, and need to power it off for a bit. Once it's powered off, follow these steps very carefully...

(Note: This procedure will only work on Motorola based cisco's, ie. 17xx, 2xxx, and SOME of the 43xx's (4300's are weird). The 7000's and above have some different ways of changing the memory registers, namely "confreg"... if in doubt, read Asmodeous' text on the subject BEFORE trying this).

1. Disconnect the network connection (you wouldn't want your ISPBitch logging in to see what you were up to, now would you...?)
2. Connect your notebook/pc/Cray/aleph to the 'Console' port. This is an RJ45 style connecter on the back of your Cisco providing Serial (RS232) data. Don't plug anything else into it! I have blown up perfectly good Ciscos by accidentally plugging ISDN/Network into these (still not sure which - and I can't afford to find out!).
3. Fire up HyperTerm or your favourite comms proggy (at 9600,n,8,1), switch logging on, and power up the Cisco.
You should see it booting up:

System Bootstrap, Version 5.2(5), RELEASE SOFTWARE
Copyright (c) 1986-1994 by cisco Systems
2500 processor with 1024 Kbytes of main memory


Send an ESC or BREAK signal (CTL-Break in Hyperterm), and you should see something like:

Abort at 0x10E7EBA (PC)

Followed by a '>' prompt...

4. type O/R 0x2142
5. type i

The system should now boot again, only this time it won't load it's normal startup configuration... It will come up in 'configuration' mode, and start asking questions... Just say 'no' until you get to the 'Router>' prompt (Note: If you find that it still boots up as normal, you probably didn't hit 'Break' fast enough... You have to catch it good and early before it's copied the stored configuration into boot RAM).

6. type enable

The 'Router>' prompt should now change to 'Router#', and you've rooted your router!

7. type sh conf

You'll now get some pages of configuration... just hit the space bar whenever you get a '--More--' prompt, until you get back to the 'Router#' prompt.
You've now got all the data you need, so we can put the router back how we found it:

8. type conf term
9. type config-register 0x2102
10. type exit
11. disconnect from the Cisco, reconnect the network and power cycle it (switch it off and on, dummy!).
Your log file should now contain a complete dump of the Cisco... simply find the encrypted entries (they will look something like ' enable password 7 14341B180F0B187875212766'), cut and paste them into the field below and hit the Cisco logo, or process them yourself using the programs provided. Enjoy.



Original source code/programs:

SPHiXe's 'C' version: ciscocrack.c
Riku Meskanen's perl version: ios7decrypt.pl
BigDog's Psion 3/5 OPL version: cisco.opl
Major Malfunction's Palm-Pilot 'C' port: ciscopw_1-0.zip
Mudge's description of what's going on (and some credits): mudge.txt
Boson's Windows GetPass: GetPass
L0pht's Palm Pilot version: Cisco Type 7 Password Decryptor

Cisco's Inphos:

Extremely easy to find Cisco paper hinting that you might want to use 'secrets' instead of 'passwords'.


BobbyRite (b) 1997,8,9, Major Malfunction , All Writes Reversed, all Wrongs degneveR.