Re: password-encryption problem

From: Mark Lasarko (mlasarko@co.ba.md.us)
Date: Thu May 19 2005 - 10:17:26 GMT-3


Greetings,

Here's a nice little stupid router trick if you need to recover passwords for
local users, lines, etc...
You can use the key chain feature to reverse the encryption for you :)

Rack1R1(config)#line aux 0
Rack1R1(config-line)#login
% Login disabled on line 65, until 'password' is set
Rack1R1(config-line)#password cisco
Rack1R1(config-line)#do sh run | i password
no service password-encryption
enable password cisco
 password cisco
Rack1R1(config-line)#service password
Rack1R1(config)#do sh run | i password
service password-encryption
enable password 7 104D000A0618
 password 7 01100F175804
Rack1R1(config)#key chain UNENCRYPT
Rack1R1(config-keychain)#key 1
Rack1R1(config-keychain-key)#key
Rack1R1(config-keychain-key)#key-string ?
  <0-7> Encryption type (0 to disable encryption, 7 for proprietary)
  LINE The key

!*** NOTE: Here's where we cut and paste the encrypted string above into our
key-string ***!

Rack1R1(config-keychain-key)#key-string 7 01100F175804
Rack1R1(config-keychain-key)#end
*Mar 2 13:22:29.442: %SYS-5-CONFIG_I: Configured from console by console
Rack1R1#sh key chain
Key-chain UNENCRYPT:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

IOS is nice enough to do the work for us, no external utilities required.
This works for all type 7 AFAIK

Type 5 is another story, as it cannot be recovered in the same way,
per the link that Marvin offered.

HTH,
~M

>>> TiuN Hong Leng <hongleng@ms73.hinet.net> 05/18/05 10:57 PM >>>

Hi,

The initial configuration is:

no service password-encryption
line vty 0 4
password cisco

After using "service password-encryption":

service password-encryption
line vty 0 4
password 7 045802150C2E

Use "no service password-encryption":

no service password-encryption
line vty 0 4
password 7 045802150C2E

The password does not get unencrypted!!! Why?

Is it an IOS bug?

Thanks a lot!
Regards,
Huang-Leng, Chang
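
Added example (not part of either message, and not Cisco code): a Python audit that flags plaintext and type 7 credentials in a saved configuration and reverses type 7 offline, the same result "sh key chain" gives on the router, so such lines can be treated as exposed wherever the config is stored or shared. The XOR constant, the function names and the sample config are assumptions of this example; the type 7 strings are the ones posted in this thread and the type 5 value is a placeholder.

```python
import re

# Published constant that type 7 XORs against. Assumption of this example:
# it is not on the page, but it reproduces all three strings in the thread.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

TYPE7_RE = re.compile(r"\d{2}(?:[0-9A-Fa-f]{2})+")
SECRET_RE = re.compile(r"\b(?:password|secret|key-string)"
                       r"(?:\s+(?P<type>\d))?\s+(?P<value>\S+)\s*$")

def decode_type7(encoded):
    """Undo type 7: two decimal digits of start offset, then XORed hex bytes."""
    if not TYPE7_RE.fullmatch(encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ XLAT[(offset + i) % len(XLAT)])
                   for i, b in enumerate(data))

def audit_config(text):
    """Return (line_no, verdict, recovered_or_None) for each credential line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.search(line)
        if not m:
            continue
        ptype, value = m.group("type"), m.group("value")
        if ptype in (None, "0"):
            verdict, recovered = "plaintext", value
        elif ptype == "7" and TYPE7_RE.fullmatch(value):
            verdict, recovered = "type 7, reversible", decode_type7(value)
        else:
            verdict, recovered = f"type {ptype}, not decodable as type 7", None
        findings.append((line_no, verdict, recovered))
    return findings

# Constructed sample: the type 7 strings are the ones posted in this thread;
# the type 5 value is a made-up placeholder, not a real hash.
SAMPLE = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$notARealHash
enable password 7 104D000A0618
line aux 0
 password 7 01100F175804
line vty 0 4
 password 7 045802150C2E
"""

if __name__ == "__main__":
    print(*audit_config(SAMPLE), sep="\n")
```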


