
Setting Strong Encrypted Passwords Configuring Password Encryption - PowerPoint PPT Presentation



  1. Setting Strong Encrypted Passwords

  2. Configuring Password Encryption for Clear Text Passwords
  Cisco IOS stores passwords in clear text in network device configuration files for several features, such as passwords for local and remote CLI sessions and passwords for neighbor authentication for routing protocols. Clear text passwords are a security risk because anybody with access to archived copies of the configuration files can discover the passwords that are stored as clear text. The service password-encryption command can be used to encrypt clear text passwords in the configuration files of networking devices.

  3. Passwords On Cisco Devices
  You can configure passwords to protect access to many different aspects of IOS. Some common access passwords are:
  Console Password:
    line con 0
     password PACKETLABCON
  VTY Password:
    line vty 0 4
     password PACKETLABVTY
  AUX Password:
    line aux 0
     password PACKETLABAUX
  Enable Password:
    enable password PACKETLAB
  Enable Secret Password:
    enable secret packetlab
  Local Username Database:
    username packetlab password PACKETLAB

  4. Passwords On Cisco Devices
  Some other Cisco IOS passwords (there are a ton more):
  OSPF authentication-key:
    interface Serial0/0
     ip address 10.1.12.1 255.255.255.0
     ip ospf authentication-key OSPFPASS
  BGP (neighbor) Password:
    router bgp 100
     neighbor 2.2.2.2 remote-as 100
     neighbor 2.2.2.2 password BGPPASS
  Key Chains:
    key chain OSPFCHAIN
     key 1
      key-string KEYSTRING

  5. Passwords On Cisco Devices
  By default, all passwords (with the exception of ‘secret passwords’, which are discussed later) are stored in the running configuration in cleartext:
    enable password PACKETLAB
    username packetlab password 0 PACKETLAB
    !
    key chain OSPFCHAIN
     key 1
      key-string KEYSTRING
    !
    interface Serial0/0
     ip ospf authentication-key OSPFPASS
    !
    router bgp 100
     neighbor 2.2.2.2 password BGPPASS
    !
    line con 0
     password PACKETLABCON
    line aux 0
     password PACKETLABAUX
    line vty 0 4
     password PACKETLABVTY

  6. ‘service password-encryption’ Command
  service password-encryption
  To encrypt passwords, use the service password-encryption command in global configuration mode. To restore the default, use the no form of this command.
    service password-encryption
    no service password-encryption
  Usage Guidelines
  The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.
  When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.
  Caution: This command does not provide a high level of network security. If you use this command, you should also take additional network security measures.
  Note: You cannot recover a lost encrypted password. You must clear NVRAM and set a new password.

  7. ‘service password-encryption’ Command
  Before configuring ‘service password-encryption’:
    enable password PACKETLAB
    username packetlab password 0 PACKETLAB
    !
    key chain OSPFCHAIN
     key 1
      key-string KEYSTRING
    !
    interface Serial0/0
     ip ospf authentication-key OSPFPASS
    !
    router bgp 100
     neighbor 2.2.2.2 password BGPPASS
    !
    line con 0
     password PACKETLABCON
    line aux 0
     password PACKETLABAUX
    line vty 0 4
     password PACKETLABVTY
  After configuring ‘service password-encryption’:
    enable password 7 053B272C0A697A253827
    username packetlab password 7 097C6F2A3220233E2A2E
    !
    key chain OSPFCHAIN
     key 1
      key-string 7 0520233612787C203722
    !
    interface Serial0/0
     ip ospf authentication-key 7 0474383629116D7D3A
    !
    router bgp 100
     neighbor 2.2.2.2 password 7 106C2E2935362138
    !
    line con 0
     password 7 03347A282D2A15606F2B3A2A39
    line aux 0
     password 7 113938263C373F2025080A1110
    line vty 0 4
     password 7 046B2A2524047862283B33232B

  8. What does 0, 5, 7 mean?
  0 - Specifies that an unencrypted password follows (cleartext).
  5 - Specifies that a hidden secret follows (MD5 encryption).
  7 - Specifies that a hidden password follows (Vigenère cipher encryption*).
  Type 0 passwords are stored in cleartext. This is the default. Once service password-encryption has been enabled, IOS converts all Type 0 passwords into Type 7 (Vigenère cipher encryption*). This encryption is easily broken (as we’ll soon see), but it prevents ‘over-the-shoulder’ password theft. MD5 is a very secure (although technically broken) encryption method. MD5 is used whenever you specify a ‘secret’ password.
    username packetlab password 0 packetlab
    username packetlab password 7 097C6F2A3220233E2A2E
    username packetsecret secret 5 $1$KVpy$JhrCgVprm1FGWWLPABaAN/
  * Not technically ‘encryption’ as there is no encryption key. If you want to be technically correct, the Cisco Vigenère cipher algorithm obfuscates a password. Let’s not even explore the hashing versus encrypting argument.

  9. What does 0, 5, 7 mean?
  When configuring a password, do not use 5 or 7 unless you are pasting in an already encrypted password (generally from a saved configuration):
    r1(config)#username FAKEUSER password ?
      0     Specifies an UNENCRYPTED password will follow
      7     Specifies a HIDDEN password will follow
      LINE  The UNENCRYPTED (cleartext) user password
    r1(config)#username FAKEUSER password 7 DONOTDOTHIS
    Invalid encrypted password: DONOTDOTHIS
    r1(config)#username FAKEUSER password 5 DONOTDOTHIS
    ERROR: Can not use MD5 secrets for passwords. Use "username FAKEUSER secret" instead.
    r1(config)#username FAKEUSER secret ?
      0     Specifies an UNENCRYPTED secret will follow
      5     Specifies a HIDDEN secret will follow
      LINE  The UNENCRYPTED (cleartext) user secret
    r1(config)#username FAKEUSER secret 5 DONOTDOTHIS
    ERROR: The secret you entered is not a valid encrypted secret.
    To enter an UNENCRYPTED secret, do not specify type 5 encryption.
    When you properly enter an UNENCRYPTED secret, it will be encrypted.

  10. Decrypting Cisco Type 7 Passwords
    line con 0
     password 7 03347A282D2A15606F2B3A2A39

  11. Decrypting Cisco Type 7 Passwords
  It’s probably not a good idea to use online type 7 password decryption for your corporate passwords, as you never know what the code behind the page might be doing. There’s a trick you can do on your Cisco device to decode Type 7 passwords:
  1) Create a key chain:
    r1(config)#key chain DECRYPT7
    r1(config-keychain)#key 1
  2) Paste in the Type 7 password (make sure to include the ‘7’) as the key-string value:
    r1(config-keychain-key)#key-string 7 03347A282D2A15606F2B3A2A39
  3) From privileged EXEC mode, issue the show key chain command:
    r1#show key chain DECRYPT7
    Key-chain DECRYPT7:
        key 1 -- text "PACKETLABCON"
            accept lifetime (always valid) - (always valid) [valid now]
            send lifetime (always valid) - (always valid) [valid now]
  4) (Optional) Delete the key chain after decryption is completed:
    r1(config)#no key chain DECRYPT7
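  As an added example (not part of the slides), the Python audit script below implements the Vigenère step behind the key-chain trick above and the 0/5/7 type digits from slide 8: it scans a running-config for credential lines, labels each by type, shows that a Type 7 value is reversible, and states the fix the slides recommend. TYPE7_KEY is the well-known fixed key built into IOS; the config sample is constructed from the slides' own lines.

```python
import re

# Fixed key baked into IOS Type 7 obfuscation (public for decades). There is no
# per-device key, which is why the slides call Type 7 obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
TYPE7_RE = re.compile(r"^\d\d(?:[0-9A-Fa-f]{2})+$")
# Credential keywords the slides list, an optional type digit, then the stored value.
CRED_RE = re.compile(
    r"\b(password|secret|key-string|authentication-key)\s+(?:([0-9])\s+)?(\S+)$")

def type7_decode(encoded):
    """Reverse Type 7: the first two decimal digits are an offset into the fixed
    key; each following hex byte is the password byte XORed with the key byte."""
    if not TYPE7_RE.match(encoded):
        raise ValueError("not a Type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(bytes.fromhex(encoded[2:])))

def audit_config(config_text):
    """Return (line, type, verdict) for every credential line in a running-config."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = CRED_RE.search(line)
        if not m:
            continue
        _keyword, ptype, value = m.groups()
        ptype = ptype or "0"  # no type digit at all means cleartext (Type 0)
        if ptype == "0":
            verdict = "cleartext; use a secret where supported, else service password-encryption"
        elif ptype == "7":
            verdict = "reversible Type 7 (decodes to %r); use a secret" % type7_decode(value)
        elif ptype == "5":
            verdict = "MD5 secret (Type 5)"
        else:
            verdict = "unrecognised type %s" % ptype
        findings.append((line, ptype, verdict))
    return findings

# Constructed sample assembled from the slides' own config lines.
SAMPLE_CONFIG = """\
enable password 7 053B272C0A697A253827
username packetlab password 0 PACKETLAB
username packetsecret secret 5 $1$KVpy$JhrCgVprm1FGWWLPABaAN/
router bgp 100
 neighbor 2.2.2.2 password BGPPASS
line con 0
 password 7 03347A282D2A15606F2B3A2A39
"""
```

Run audit_config(SAMPLE_CONFIG) to get one finding per credential line; on a real device, feed it the output of show running-config.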

  12. ‘no service password-encryption’ Command
  One thing to note is that issuing the no service password-encryption command does NOT decrypt the already encrypted passwords:
    r3#sh run | i pass
    no service password-encryption
    username packetlab password 0 packetlab
    username vendor privilege 15 one-time password 0 cisco
    r3(config)#service password-encryption
    r3(config)#do sh run | i pass
    service password-encryption
    username packetlab password 7 06160E22474B1D150415
    username vendor privilege 15 one-time password 7 060506324F41
    r3(config)#no service password-encryption
    r3(config)#do sh run | i pass
    no service password-encryption
    username packetlab password 7 06160E22474B1D150415
    username vendor privilege 15 one-time password 7 060506324F41
    r3(config)#username packetlab2 password PACKETLAB2
    r3(config)#do sh run | i pass
    no service password-encryption
    username packetlab password 7 06160E22474B1D150415
    username vendor privilege 15 one-time password 7 060506324F41
    username packetlab2 password 0 PACKETLAB2

  13. Summary
  There are a number of different Cisco IOS features that use passwords. By default, Cisco IOS stores all password values (except those specified as ‘secret’) in the configuration as cleartext. This is a security issue as anyone can do an ‘over-the-shoulder’ attack when passwords are not encrypted.
  By enabling the service password-encryption global configuration command, Cisco IOS obfuscates all cleartext passwords (Type 0) with a Vigenère cipher (Type 7). While Type 7 passwords are easily decrypted, this feature greatly reduces the effectiveness of the ‘over-the-shoulder’ attack.
  Certain passwords allow you the option to designate them as ‘secret’ passwords. The best known example of this is the enable secret password. Cisco IOS stores secret passwords in the form of an MD5 hash (Type 5). While MD5 can technically be cracked, it’s not something that can be done easily (if at all). Type 5 passwords are very secure.
  You can quickly tell whether a password is stored in cleartext (Type 0), MD5 hash (Type 5), or Vigenère cipher (Type 7) by looking at the number that precedes the password when viewing the configuration.
