Cracking Cisco Type 7 passwords by hand

Although you should be using MD5 or SHA256 for password security, Type 7 passwords are still in use and so I thought this would be a fun learning exercise.

The 'service password-encryption' or Type 7 password is based on a known, proprietary and weak encryption algorithm using XOR, and can be recognized in the configuration file as,

password 7 030752180500

Note: Type 5 uses MD5 and looks similar to this,

enable secret 5 $1$OB1J$tNsFgEZ4kD1qituaAeYfa0

There are plenty of scripts or websites that can crack Type 7 passwords in less than a second, including one on Cisco’s website. This example will show how this can be done with just pen and paper.

First, an overview of the XOR operation and how it is used for encryption is needed. The XOR operator returns a 1 when exactly one of the two bits is a 1, and returns a 0 when neither or both of the bits is 1. Notice the chart below,

First Bit Second Bit Result
     0      0      0
     0      1      1
     1      0      1
     1      1      0

Converting plaintext to ciphertext using XOR: starting with the plaintext "Go", convert each character's ASCII representation into binary. G = 01000111 and o = 01101111.

To convert this into ciphertext we will XOR with a key. For example, key = A = 01000001.

Plain Text : G Key : A Cipher Text
     0      0      0
     1      1      0
     0      0      0
     0      0      0
     0      0      0
     1      0      1
     1      0      1
     1      1      0
Plain Text : o Key : A Cipher Text
     0      0      0
     1      1      0
     1      0      1
     0      0      0
     1      0      1
     1      0      1
     1      0      1
     1      1      0

The Ciphertext is now represented by, 00000110 00101110, or in hex 06 2E. Decrypting the Ciphertext is just reversing the process using the same key. Work the problem yourself to prove you can get the original Plaintext.

In our example, we will try to decrypt the following Cisco password,

password 7 030752180500

The first two digits, 03, are a randomly generated index into the known Cisco key. The remaining bytes, written as ASCII hex, represent the encrypted password. Spacing out the string, 07 52 18 05 00, you can see the password is 5 characters long. Remember, each character consists of 8 bits. You must XOR each of these bytes with the corresponding key byte in order to get the plaintext.

The key is derived from the following “Magic block” shown in hexadecimal,

0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44

The bytes are numbered starting with zero, so the index 03 refers to the fourth value in the list, 0x64. The index is incremented by 1 each time you XOR a key byte against the next ciphertext byte.

After converting the hex numbers into binary, the first computation would be,

Cipher Text : 0x07 Key : 0x64 Plain Text
     0      0      0
     0      1      1
     0      1      1
     0      0      0
     0      0      0
     1      1      0
     1      0      1
     1      0      1

The resulting plaintext 01100011 in ASCII is the letter 'c'. Incrementing the index to the next key byte 0x3b and XOR'ing it with the next ciphertext byte 0x52 yields,

Cipher Text : 0x52 Key : 0x3b Plain Text
     0      0      0
     1      0      1
     0      1      1
     1      1      0
     0      1      1
     0      0      0
     1      1      0
     0      1      1

The resulting plaintext 01101001 in ASCII is the letter 'i'. Continuing the process, incrementing the index and XOR'ing the remaining ciphertext bytes reveals,

CipherText : 0x18 = 00011000     0x05 = 00000101     0x00 = 00000000
 Key       : 0x6b = 01101011     0x66 = 01100110     0x6f = 01101111
 PlainText          01110011            01100011            01101111
 Ascii                's'                 'c'                  'o'

The final results show that the password string 030752180500 equals the word 'cisco'.
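The same walk over the magic block, as an added example that is not part of the original post: a decoder and (since XOR is its own inverse) an encoder, plus a small helper for auditing a saved configuration for Type 7 lines so they can be migrated to Type 5 or stronger. The key bytes are exactly the 22 listed above; the helper's regex and the sample config are constructed for this example.

```python
"""Cisco Type 7 decode/encode, following the post's walkthrough (added example)."""
import re

# "Magic block" exactly as listed in the post. These are only the first 22
# bytes of the device key, so a password whose index + length runs past them
# cannot be handled here; the post's 5-character example fits comfortably.
MAGIC = bytes([
    0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
    0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
    0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
])

# Two decimal digits (key index) followed by one or more hex bytes.
TYPE7_RE = re.compile(r"(\d\d)((?:[0-9A-Fa-f]{2})+)")


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: XOR byte i of the ciphertext with MAGIC[index + i]."""
    m = TYPE7_RE.fullmatch(encoded)
    if not m:
        raise ValueError(f"not a Type 7 string: {encoded!r}")
    index = int(m.group(1))
    cipher = bytes.fromhex(m.group(2))
    if index + len(cipher) > len(MAGIC):
        raise ValueError("password runs past the key bytes reproduced here")
    plain = bytes(c ^ MAGIC[index + i] for i, c in enumerate(cipher))
    return plain.decode("ascii")


def type7_encode(plaintext: str, index: int = 3) -> str:
    """Same walk in the other direction; index is the two-digit seed (03 in the post)."""
    data = plaintext.encode("ascii")
    if not 0 <= index <= 99 or index + len(data) > len(MAGIC):
        raise ValueError("index out of range for the key bytes reproduced here")
    cipher = bytes(p ^ MAGIC[index + i] for i, p in enumerate(data))
    return f"{index:02d}{cipher.hex().upper()}"


# Audit helper (constructed for this example): flag every 'password 7' line.
TYPE7_LINE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)")


def find_type7(config: str) -> list[tuple[str, str]]:
    """Return (encoded, decoded) pairs for each Type 7 password in a config dump."""
    return [(e, type7_decode(e)) for e in TYPE7_LINE.findall(config)]


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
enable secret 5 $1$OB1J$tNsFgEZ4kD1qituaAeYfa0
username admin password 7 030752180500
line vty 0 4
 password 7 030752180500
"""
```

The Type 5 line is left alone by the helper because it is an MD5 hash, not a reversible Type 7 string.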
