Tuesday, November 19, 2013

sending a cisco config via email but securing your passwords (openssl and type 5)

If you haven't been using a type5 (secret) in your configurations and you send copies of your config over an unsecured channel (aka email), then your passwords are most likely compromised.


By using openssl, you can place type5 hashed passwords in the Cisco IOS configuration files for most IOS-based routers. This lets you deliver a configuration file for installation and trust that the password is hashed rather than sitting in clear text.

e.g

An IOS configuration with the following lines in the cfg:


!
!
enable password socdude
!
enable secret socgal
!
!
!

Would not be as secure as:
!
!
enable secret $1$6XXp$YXBalUFqXfY0Ui4mn9lZx0
!
!


btw: When I review or pass cfg files around, I typically hash out the enable password if one is present before sending the file back to the originator or on to another colleague who is reviewing it. This is good practice; better yet, sanitize the configuration file of all confidential data (radius/tacacs keys, snmp communities, usernames, etc.) before it goes out.


Now, with openssl we can easily replicate the same type5 hash that Cisco deploys.

The following screenshot shows this in action, with two crafted type5 hashes:



Here's me using the hash highlighted in blue, generated by openssl in the image above:


And finally, don't forget that all usernames can be secured with a type5 hash as well. In this example, the user socpuppets has a type5 hash versus the plain old password:




Okay, one might argue that you could just log into any old Cisco router, generate the type5 password there, and then copy it into the configuration file that you are sending.

Well, yes, you could do exactly that, but if you need to build automation scripts that generate type5 hashes, don't overlook what openssl can do in that regard.
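As an added example (my code, not from the original post): a pure-Python reimplementation of the MD5-crypt ("$1$") scheme that `openssl passwd -1 -salt <salt> <secret>` and an IOS type5 secret both produce, so a script can build `enable secret` / `username ... secret` lines and check a hash in a received config against the intended secret before deploying it. The helper names md5_crypt, type5_line and check_type5 are mine; the 4-character salt mirrors the IOS style shown above (openssl defaults to 8, both are valid).

```python
import hashlib
import secrets

# crypt(3)-style alphabet, 6 bits per character (added example, not Cisco/openssl code)
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> bytes:
    out = bytearray()
    for _ in range(count):  # least-significant 6 bits first
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)

def md5_crypt(secret: bytes, salt: bytes) -> str:
    """Return '$1$<salt>$<22 chars>' for secret; salt is cut at '$' and at 8 chars."""
    salt = salt.split(b"$")[0][:8]
    ctx = hashlib.md5(secret + b"$1$" + salt)
    alt = hashlib.md5(secret + salt + secret).digest()
    for pl in range(len(secret), 0, -16):  # alt digest, repeated to len(secret) bytes
        ctx.update(alt[: min(16, pl)])
    i = len(secret)
    while i:  # one byte per bit of the length: NUL for a 1 bit, secret[0] for a 0 bit
        ctx.update(b"\x00" if i & 1 else secret[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 stretching rounds with the fixed mixing pattern
        c = hashlib.md5(secret if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(secret)
        c.update(final if i & 1 else secret)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in order) + _to64(final[11], 2)
    return (b"$1$" + salt + b"$" + enc).decode()

def type5_line(prefix: str, secret: str, salt: str = "") -> str:
    """Build e.g. 'enable secret $1$...'; default is a fresh IOS-style 4-char salt."""
    if not salt:
        salt = "".join(chr(_ITOA64[secrets.randbelow(64)]) for _ in range(4))
    return f"{prefix} {md5_crypt(secret.encode(), salt.encode())}"

def check_type5(stored: str, candidate: str) -> bool:
    """True if candidate hashes to stored: recompute with the stored salt, compare safely."""
    salt = stored.split("$")[2]
    return secrets.compare_digest(md5_crypt(candidate.encode(), salt.encode()), stored)
```

Run `type5_line("enable secret", "socgal")` to get a line ready to paste into a cfg; `check_type5` is the audit step for a config someone sends back to you.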


Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \
