hashcat Forum
Cisco IE1000 Switch - Printable Version



Cisco IE1000 Switch - jud3 - 02-24-2020

Does anyone know the password encryption used for the Cisco IE1000 switches?

From the running config:

username admin privilege 15 password encrypted f4938f70f013e8a70bee2fc24ba411157042e4ed5cd5db72d19f8d763b7f1880bcaf71378c29ade98af6726366d1f602445f255d6ab59929968e57760155cee1

I thought it was SHA2-512; however, using -m 1700 does not find the known password.

Cheers


RE: Cisco IE1000 Switch - philsmd - 02-24-2020

doesn't the configuration file also tell you the type of the "password"?

I guess, it's none of these https://community.cisco.com/t5/networking-documents/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238 ?

is it "enable secret" or "enable password" ?

Can you generate some example hash:password pairs with alternating/increasing password length ? Does the output length change when the password is longer ?

What type/version of OS is this ? IOS ?

it could be an encryption/reversible algorithm like mentioned here: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-11/configuration_guide/sec/b_1611_sec_9500_cg/controlling_switch_access_with_passwords_and_privilege_levels.html#concept_jqz_2qb_mgb

this could also be an example:
https://community.cisco.com/t5/switching/ie-1000/td-p/3335060
https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5563-configure-password-settings-on-a-switch-through-the-command.html
not sure if this is the same algorithm (but looks similar, the problem is the "encrypted password" length, shouldn't it work with fixed size blocks): https://www.cisco.com/c/dam/en/us/td/docs/switches/metro/me1200/icli/configuration/guide/me1200-iCLI-config-guide.pdf

I see some references to "type 6" AES encryption in the documentation, but I'm still unsure if this is the algorithm used in your case. You would need to provide several examples with increasing password length etc and maybe also try if you could change the master key etc



update: this also looks interesting https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x_chapter_010101.pdf

does this command work for you and if yes, what is the output ?
Code:
show encryption service stat



RE: Cisco IE1000 Switch - jud3 - 02-27-2020

Thanks Philsmd, it is not an enable password it is the user account password. The 'show encryption service stat' command is not available.

It doesn't matter what I change the password to, the hash is always 128 characters.


RE: Cisco IE1000 Switch - jud3 - 02-27-2020

After doing some further testing, the hash changes each time you change the password even if the password is the same...

Example password: !1Abcdef (There are password minimum complexity requirements)

4d16005dafff396d2ed7e0e84ee91fe736f8d8336d63d4d410bfbc848c0060ba3d06a76c9d25072c09c3d6ef8c7f1f6a86873209bece980fc6ff40fe83056ea0

And setting the same password again results in:

d709fb5819ada6c5e7f2652ac0aa11ff304f947b45512476bb46a8f40e348c43c7a601976b6b36131b39d67552ca85f06cbbedffefa499c29a9021df7131b9dc


RE: Cisco IE1000 Switch - philsmd - 02-27-2020

that's interesting. so it seems to be a hash indeed.

The problem is that we do not know the algorithm. Maybe that's a Cisco secret, I guess.

You could try to kindly ask some cisco support/technicians to provide more information about the security of the credentials and which algorithm is used etc.

I guess the other possibility would be to download the firmware from https://software.cisco.com/download/home/286307836 (this page unfortunately requires a login, I don't have the firmware, nor a cisco login, maybe somebody else has and can download/investigate the firmware and if anything is different between these versions etc ... maybe both 1.6 and 1.8.1 would be interesting)...
the last option would be to guess the algorithm, but it could be kind of everything e.g. salted non-iterated hashes or PBKDF2 or even more modern hashing algorithms... several parameters like the iteration count could be unknown and therefore it could be a very difficult guessing game (because of this "secret algorithm", obfuscation).

In my opinion the algorithm should be clearly mentioned in the manual/documentation... this is really a bad obfuscation/hiding game of secret (again, I assume that it's really not common knowledge and public what the password hashing algorithm is, I may be wrong... but it doesn't seem that there is much information available online how these 128 bytes are generated)...

I think the first step should be to reach out to some cisco staff and tell them that for compliance/security reasons you need to know how secure this algorithm is and how you can double-check the security by being able to reproduce these password hashing steps.


RE: Cisco IE1000 Switch - undeath - 02-27-2020

Tried a few things with PBKDF2-HMAC-SHA256 but no dice. Tried iteration count 1-3000, then up to 30500 in 500 steps and also 2^x, x ∈ ℕ<17. Both salt+hash and hash+salt.
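
The checks discussed in this thread, as an added example that is not code from any of the posters: given a known password and the 128-hex-character value from the config, test the unsalted SHA-512 hypothesis (-m 1700), then sweep PBKDF2-HMAC-SHA256 iteration counts over both the salt+hash and hash+salt layouts. The 32/32 byte split, the UTF-8 password encoding and all function names are assumptions; the sample value is constructed with a known scheme so the search has something to find, and it is not the IE1000 format.

```python
import hashlib
import hmac

def matches_raw_sha512(blob_hex, password):
    """Unsalted SHA-512 check, the hypothesis behind hashcat -m 1700."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest() == blob_hex.lower()

def iteration_candidates():
    """Counts listed in the post above: 1-3000, 500-steps up to 30500, 2^x for x < 17."""
    counts = set(range(1, 3001))
    counts.update(range(3500, 30501, 500))
    counts.update(2 ** x for x in range(17))
    return sorted(counts)

def find_pbkdf2_layout(blob_hex, password, counts):
    """Return (layout, iterations) if PBKDF2-HMAC-SHA256 reproduces the blob, else None.

    Assumption: the blob is two equal halves (salt and digest) in either order.
    """
    blob = bytes.fromhex(blob_hex)
    half = len(blob) // 2
    layouts = (("salt+hash", blob[:half], blob[half:]),
               ("hash+salt", blob[half:], blob[:half]))
    pw = password.encode("utf-8")
    for n in counts:
        for name, salt, expected in layouts:
            derived = hashlib.pbkdf2_hmac("sha256", pw, salt, n, dklen=len(expected))
            if hmac.compare_digest(derived, expected):
                return name, n
    return None

def make_sample(password, salt, iterations):
    """Constructed test vector (hash+salt layout); NOT the IE1000 algorithm."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return (dk + salt).hex()

if __name__ == "__main__":
    known_pw = "!1Abcdef"            # example password given in the thread
    salt = bytes(range(32))          # constructed salt, for the sample only
    sample = make_sample(known_pw, salt, 1024)
    # A 128-character value that plain SHA-512 cannot reproduce
    print(len(sample), matches_raw_sha512(sample, known_pw))
    # The sweep recovers the layout and iteration count of the constructed sample
    print(find_pbkdf2_layout(sample, known_pw, iteration_candidates()))
```

To run the same checks against a value from a switch you administer, pass its hex string and the known password to `matches_raw_sha512` and `find_pbkdf2_layout`; a `None` result only rules out the layouts and counts tried.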