Does anyone have a pointer to code (or just the algorithm) that Cisco uses to generate their password hashes for things like 'enable secret'?
I'm not trying to break into anything; I'm trying to generate the appropriate 'enable secret' line given a clear text password, not decode an existing 'enable secret' line with a hashed password. I need this for an automated config-file generator that I'm working on (Netomata Config Generator).
Basically, what I want is the Cisco equivalent of the 'htpasswd' command used for web servers.
For example, when I put the following command with clear-text password into a Cisco config:
then when I do a 'show config' command (assuming I have 'service password-encryption' enabled), what I see is something like this:
I want code that translates 'foobar' to '5 $1$pdQG$0WzLBXV98voWIUEdIiLm11', so that I can generate the already-hashed passwords in my config-generation tool, rather than putting cleartext passwords in the generated configs and waiting for the router to generate the hash.
I presume that the '5' in the hashed result is some sort of hash algorithm identifier. If there are other hash algorithms that Cisco currently or has historically used, then I'd like to have the code for those algorithms as well.
Brent Chapman
5 Answers
As per this website, the OpenSSL command line utility appears to provide the functionality you need:
And there is presumably an equivalent function in the library itself.
I'm not sure if IOS requires you to use specific salt values, but technically there is no reason why it should as long as the string you provide in your 'enable secret' command is a valid MD5 password digest. If you have the opportunity to test, I'd be interested to know your results.
Murali Suriar
Cisco appears to require a 4-character salt. By default, without the '-salt salt' argument, openssl will generate an 8-character salt. You can use openssl to generate a Cisco-compatible hash of 'cleartext' with an appropriate random 4-character salt, however, like so:
The 'openssl rand -base64 3' sub-command generates 3 random bytes and then encodes them in base64 format, which gives you 4 printable characters (exactly what you need for a Cisco-compatible salt). Thanks to Murali Suriar for the answer (elsewhere on this page) which got me started down the right path to this solution.
Brent Chapman
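The algorithm behind the openssl one-liner, as an added example that is not code from the question or from any of the answers: a pure-Python implementation of the MD5-based crypt(3) scheme ("$1$") that produces IOS type 5 secrets, plus a 4-character salt generator and a verifier. The function names (md5_crypt, cisco_salt, enable_secret_line, verify) are my own, and the statement that IOS accepts any four characters of the crypt alphabet ./0-9A-Za-z as a salt is an assumption noted in the code.

```python
# Added example, not from the original post: MD5-crypt ("$1$") as used for
# Cisco IOS type 5 secrets, written against the FreeBSD md5crypt reference.
import hashlib
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """Emit `count` crypt base-64 digits of `value`, least-significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return "$1$<salt>$<22 chars>" for password/salt (crypt(3) MD5 scheme).

    The salt is at most 8 characters; IOS uses 4.
    """
    pw = password.encode()
    sl = salt[:8].encode()

    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in `alt`, one chunk per 16 bytes of password length.
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    # The "weird bit": walk the bits of the password length, feeding a NUL
    # for a 1 bit and the first password byte for a 0 bit.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching; what goes in depends on the round number.
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(sl)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()

    # Permuted base-64 encoding of the 16 digest bytes (22 characters).
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$1${salt[:8]}${encoded}"


def cisco_salt() -> str:
    """Random 4-character salt drawn from the crypt alphabet.

    Assumption: IOS accepts any four characters of ./0-9A-Za-z. The page's
    'openssl rand -base64 3' trick can also emit '+', which this avoids.
    """
    return "".join(secrets.choice(ITOA64) for _ in range(4))


def enable_secret_line(password: str, salt: str = "") -> str:
    """Build the already-hashed 'enable secret 5 ...' line for a config generator."""
    return f"enable secret 5 {md5_crypt(password, salt or cisco_salt())}"


def verify(password: str, hashed: str) -> bool:
    """Check a candidate password against an existing $1$ hash (constant-time compare)."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", hashed)
    if not m:
        return False
    return secrets.compare_digest(md5_crypt(password, m.group(1)), hashed)


if __name__ == "__main__":
    # Same salt as the line quoted in the question, so the two can be compared.
    print(enable_secret_line("foobar", "pdQG"))
    print(enable_secret_line("foobar"))  # fresh random salt on every run
```

Because the salt is part of the output, two runs with cisco_salt() give different strings for the same password; that is expected, and verify() recovers the salt from the hash before recomputing.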
'5' I believe refers to the fact that it's type 5, which uses MD5, which means you are going to need 300 PlayStation 3s. Type 7 is easily cracked and they even have scripts on websites for it. This might be better asked on Stack Overflow.
Terry
Here's a great reference http://haxcess.com/2008/10/21/cisco-password-recovery/
Bottom line is the hash is broken down into a few parts
Here's a Perl solution that has worked wonders for me in the past. Put this baby in a loop and let it run.
ZnArK
'5' means that the clear password has been converted to Cisco password type 5. A type 5 password is an MD5-based algorithm (but I can't tell you how to compute it, sorry). Type 7, which is used when you do an 'enable password', is a well-known reversible algorithm. 'service password-encryption' just ensures that the password will not be stored in clear (type 0).
Take a look at http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme and good luck :)
EDIT: You may also look at http://www.h4x3d.com/md5-and-crypt-password-generator/, http://www.koders.com/c/fid530E8983791E1CB2AB90EAA69A68789FA2A83A6D.aspx and http://www.cryptgenerator.de/
radius
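The "well-known reversible algorithm" behind type 7, as an added example that is not code from any of the answers, and an answer to the question's request for the other password formats: a type 7 encoder/decoder and a small helper that reads a config line and reports what can be recovered from it. Type 7 is not a hash at all but a fixed-key XOR stream, which is why scripts trivially reverse it; the 40-byte key below is the widely published one, and wrapping the key index modulo its length is an assumption for inputs longer than the key allows. Function names (type7_encode, type7_decode, reveal) are my own.

```python
# Added example, not from the original answers: Cisco IOS type 7 reversible
# "encryption" (fixed-key XOR) next to a reader for password/secret lines.
import re

# The fixed 40-byte key that IOS XORs against the password (well known).
KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Matches "... password 7 0201..." or "... secret 5 $1$...": type digit, then value.
LINE_RE = re.compile(r"(?:password|secret)\s+(\d)\s+(\S+)\s*$")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Encode as IOS does: two decimal digits of seed (0-15), then one uppercase
    hex byte per character, each XORed with KEY[seed + position]."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plaintext.encode()):
        # Assumption: wrap around the key for long inputs (IOS limits length anyway).
        out.append(f"{ch ^ KEY[(seed + i) % len(KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Reverse type7_encode: XOR is its own inverse, so this is the same loop."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ KEY[(seed + i) % len(KEY)] for i, b in enumerate(body)).decode()


def reveal(config_line: str):
    """Return (type, plaintext) for a config line.

    Type 7 is decoded; type 0 is already clear text; type 5 returns None because
    a $1$ MD5-crypt string can only be brute-forced, not reversed.
    """
    m = LINE_RE.search(config_line)
    if not m:
        raise ValueError("no password/secret with a type indicator found")
    ptype, value = m.groups()
    if ptype == "7":
        return ptype, type7_decode(value)
    if ptype == "0":
        return ptype, value
    return ptype, None


if __name__ == "__main__":
    line = "enable password 7 " + type7_encode("cisco", 2)
    print(line)
    print(reveal(line))
    print(reveal("enable secret 5 $1$pdQG$0WzLBXV98voWIUEdIiLm11"))
```

The practical consequence for a config generator is the one the answers hint at: emitting a type 7 'enable password' protects against nothing more than shoulder surfing, so generate 'enable secret 5' lines and leave 'enable password' out.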