Can you crack a Cisco IOS MD5 password hash? [I'm in beautiful Ottawa this week. All the locals kept telling me how beautiful it was today, since it was nearly Spring like with temps almost at 0 degrees. Last week it was -22F with the wind chill factor.] Besides teaching and writing about computer security for a living, I also do penetration testing. Frequently my teams are able to capture plaintext Cisco config Can you crack a Cisco IOS MD5 password hash?[I’m in beautiful Ottawa this week. All the locals kept telling me how beautiful it was today, since it was nearly Spring like with temps almost at 0 degrees. Last week it was -22F with the wind chill factor.]Besides teaching and writing about computer security for a living, I also do penetration testing. Frequently my teams are able to capture plaintext Cisco configuration files, which usually include Cisco password hashes for Cisco routers, Pix firewalls, etc.Cisco IOS telnet logon password hashes come in two flavors: Type 7 and MD5. A Cisco config file with both password hashes might look something like this:enable secret 5 $1$0Z4m$jsbSzU.vYSsZFISdJtbQI4. enable password 7 062E0A1B38411F1D5CThe line beginning with enable password 7 is Type 7 password hash. The line with enable secret 5 is the newer MD5 style.The Type 7 password hashes aren’t really hashes (I think I read that they are Vigniere ciphers-polyalphabetic substitution ciphers), and can easily be cracked by many tools. That I have confirmed many times.Cisco updated their password hash protection years ago with what they call the MD5 password hash. Per Cisco, it makes the password hash non-trivial to crack, even though there are a lot of brute force and dictionary password hash cracking tools available, such as Cain (www.oxid.it).I come across lots of Cisco IOS MD5 password hashes, but I’ve yet to crack one. I’ve even used dictionary tools that are supposed to break Cisco MD5 password hashs, using a dictionary file that only contained the exact symbols in the password (i.e. my password dictionary contained the word frog for a Cisco password of frog), and still my crack attacks did not work.If you’re up to the challenge, try to crack your own Cisco password hash. No money, no challenge, just see if you can do it. I’m especially interested in if anyone can demonstrate cracking their MD5 password hash. If you do, let me know how you did it? Don’t send me your password or hash (unless you use a dummy one for the test).If I’m having this problem, I’m sure there are a least a few other pen testers with the same questions as I have._________________Related discussion I was confused as to why Cisco called their new password hash method an MD5 hash (http://www.cisco.com/warp/public/701/64.html). Even this Wiki article (http://en.wikipedia.org/wiki/Cisco_IOS), which talks about the Cisco MD5 hash uses an example cleartext password of stupidpass, but the resulting MD5 hash looks nothing like an MD5 hash.It’s certainly not a pure MD5 hash (http://en.wikipedia.org/wiki/Md5). It’s not long enough for one thing and it always begins with the $1…not something you would see in an MD5 hash every time. An MD5 hash is always 128-bits (16 double-byte characters). If I include all the characters in the Cisco “MD5” hash, including the $1, it’s only 15-double byte characters (or 120-bits). With further research, I found out that the Cisco “MD5” password hash isn’t a pure MD5 hash. Per Cain’s creator, the Cisco MD5 password hash is a Base64 encoded MD5 password hash (http://www.oxid.it/downloads/pix_passwd.txt), after the original password has been truncated to 16 characters, and been MD5’d a 1000 times. Cisco then uses FreeBSD’s _crypt_to64() libcrypt library function to Base64 encode the hash. But every Base64 encoding I do on a pure MD5 hash results in an even longer result than the original value (not shorter as in the Cisco result). Maybe he means that the resulting MD5 hash is truncated to 16 bytes?? I haven’t seen Cisco’s MD5 password hash code to see how the original cleartext password is treated exactly, but Cain’s creator, and other Cisco password cracker authors apparently have.I’m only a crypto hobbyist, so I’m sure I don’t really know what I’m talking about as I get into the nuts and bolts. But if anyone can actually demonstrate a Cisco MD5 password hash crack, let me know. All the Mac and iTunes users can write back and explain it too me, since they’ve been spending all day telling me how stupid I am. Related content analysis The 5 types of cyber attack you're most likely to face Don't be distracted by the exploit of the week. Invest your time and money defending against the threats you're apt to confront By Roger Grimes Aug 21, 2017 7 mins Phishing Malware Social Engineering analysis 'Jump boxes' and SAWs improve security, if you set them up right Organizations consistently and reliably using one or both of these approaches have far less risk than those that do not. By Roger Grimes Jul 26, 2017 13 mins Authentication Access Control Data and Information Security analysis Attention, 'red team' hackers: Stay on target You hire elite hackers to break your defenses and expose vulnerabilities -- not to be distracted by the pursuit of obscure flaws By Roger Grimes Dec 08, 2015 4 mins Hacking Data and Information Security Network Security analysis 4 do's and don'ts for safer holiday computing It's the season for scams, hacks, and malware attacks. But contrary to what you've heard, you can avoid being a victim pretty easily By Roger Grimes Dec 01, 2015 4 mins Phishing Malware Patch Management Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe