Just to correct my previous post, they do use some sort of 'salt' for local
(database) users, but apparently they base the salt on just the first few
characters of the username, and not the complete string.
Please see these links for more details:
PIX Classic/Finesse OS:
http://www.oxid.it/downloads/pix_passwd.txt
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_notice09186a008027f866.html
http://www.perlmonks.org/index.pl?node_id=797623
http://www.openwall.com/lists/john-users/2010/08/09/1
Regards
Farrukh
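As an added illustration (not code from this thread or from Cisco), the following Python models a salt that uses only the first few characters of the username, and pairs it with a small audit that flags local users in a constructed ASA-style config who share an identical stored hash. The 4-character salt length, the MD5-over-password-plus-salt layout and the sample config are assumptions made for the example.

```python
import hashlib
import re
from collections import defaultdict

# Assumed salt length: only the first SALT_CHARS of the username take part.
SALT_CHARS = 4


def weak_salted_hash(username: str, password: str) -> str:
    """Hypothetical hash: MD5 over the password followed by a truncated
    username salt.  This is a model of the weakness, not Cisco's algorithm."""
    salt = username[:SALT_CHARS]
    return hashlib.md5((password + salt).encode()).hexdigest()


def shared_hashes(creds):
    """Group (username, password) pairs by the hash they produce and return
    only the groups with more than one user, i.e. the observable collisions."""
    groups = defaultdict(list)
    for user, password in creds:
        groups[weak_salted_hash(user, password)].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Constructed config fragment in the ASA "username ... password ... encrypted"
# style; the digests are placeholders, not real hashes.
SAMPLE_CONFIG = """\
hostname fw1
enable password AAAAAAAAAAAAAAAA encrypted
username backup-admin password BBBBBBBBBBBBBBBB encrypted privilege 15
username backup-ops password BBBBBBBBBBBBBBBB encrypted privilege 5
username audit password CCCCCCCCCCCCCCCC encrypted privilege 3
"""

USERNAME_RE = re.compile(r"^username (\S+) password (\S+) encrypted", re.M)


def duplicate_hash_users(config_text: str):
    """Audit check: return stored hashes that appear under more than one
    local user.  A hit means those users share a password and the storage
    scheme is not salting per user."""
    groups = defaultdict(list)
    for user, digest in USERNAME_RE.findall(config_text):
        groups[digest].append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    creds = [("backup-admin", "Summer2012"), ("backup-ops", "Summer2012"),
             ("audit", "Summer2012")]
    print(shared_hashes(creds))
    print(duplicate_hash_users(SAMPLE_CONFIG))
```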
On Sat, Aug 25, 2012 at 10:55 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
> Hello
>
> Both Cisco IOS and Cisco Firewall OS (used to be called the Finesse OS)
> use the MD5 hashing function:
>
>
> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml
>
> AFAIK, Cisco firewalls do not use a 'salt' value to generate the
> passwords, this is why you are seeing the same hash being repeated.
>
> http://www.freerainbowtables.com/phpBB3/viewtopic.php?f=2&t=1441
>
> But if you have chosen a proper password, the chances of any
> dictionary-based attacks are very very low, so it's still not really a big
> security risk.
>
> However, starting from version 8.3, you can actually configure an
> encryption pass-phrase and the encryption algorithm (like AES), and then
> use it to encrypt your stored passwords, please see:
>
>
> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_hostname_pw.html#wp1087800
>
> Regards
>
> Farrukh
>
>
> On Sat, Aug 25, 2012 at 10:08 PM, Mohammad Moghaddas <
> moghaddas.it_at_gmail.com> wrote:
>
>> Hi.
>> Do you guys know what's the mystery behind password encryption on ASA &
>> FWSM
>> which makes the passwords one way?
>> Does its algorithm have a name?
>> Also another issue, I set "user one pass test", "user two pass test",
>> "user
>> three pass test", and all the passwords were hashed the same. But the hash
>> differed from "enable password test".
>> Then I didn't save the config, reloaded the device with no config, and set
>> those user/pass and enable pass again. All the hashes were the same as before
>> the reload.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Sat Aug 25 2012 - 23:10:18 ART