Rootme Cisco Password
Root-me
CISCO Password
It’s not always a hash.
We need to find the “Enable” Password.
The challenge is a txt file that contains Cisco commands. We’ll look for the enable command issued to the device.
cat ch15.txt | grep enable
enable secret 5 $1$p8Y6$MCdRLBzuGlfOs9S.hXOp0.
So we got a hash; let’s pass it to hashcat. We’ll be using the password lists from SecLists. The GitHub repository can be found here.
https://github.com/danielmiessler/SecLists
echo '$1$p8Y6$MCdRLBzuGlfOs9S.hXOp0.' > ch15passwd.txt
hashcat -m 500 ch15passwd.txt ~/Git/SecLists/Passwords/
So after passing it ALL the passwords, it didn’t find a match. There must be something going on. There are way too many passwords not to find a match for a small challenge.
The lead was in the title “It’s not always a hash”. This gave me the idea to see if there’s something else interesting in the ch15.txt file.
If we take a quick look at it, there are other passwords being set up, but not using enable secret 5; they use password 7 instead. Cisco password 7 uses a weak algorithm to encrypt the password. It uses the Vigenère cipher, an algorithm that was cracked in 1995.
I used this website to decode them.
cat ch15.txt | grep "password 7"
username hub password 7 025017705B3907344E
username admin privilege 15 password 7 10181A325528130F010D24
username guest password 7 124F163C42340B112F3830
password 7 144101205C3B29242A3B3C3927
If we decode all 4 of them, we get this.
025017705B3907344E:6sK0_hub
10181A325528130F010D24:6sK0_admin
124F163C42340B112F3830:6sK0_guest
144101205C3B29242A3B3C3927:6sK0_console
There’s a pattern in the passwords: 6sK0_. We’ll create a file containing a rule to prepend 6sK0_ to all the passwords that hashcat will try against the hash.
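The type 7 decoding and the shared-prefix observation can also be reproduced offline when auditing a config. The Python below is an added example, not part of the original write-up; it assumes the publicly documented fixed type 7 key table, and the function names and sample config (the four lines quoted above) are constructed for illustration.

```python
import os
import re

# Fixed, publicly documented key table used for type 7 obfuscation (assumption).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample: the four "password 7" lines quoted in this write-up.
SAMPLE_CONFIG = """\
username hub password 7 025017705B3907344E
username admin privilege 15 password 7 10181A325528130F010D24
username guest password 7 124F163C42340B112F3830
 password 7 144101205C3B29242A3B3C3927
"""

TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)\s*$")


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: 2 decimal digits of key offset, then hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii", errors="replace")


def audit_config(text: str) -> list[tuple[int, str]]:
    """Return (line number, recovered password) for every type 7 entry."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = TYPE7_RE.search(line)
        if match:
            findings.append((number, decode_type7(match.group(1))))
    return findings


def shared_prefix(passwords: list[str]) -> str:
    """Longest prefix common to all recovered passwords."""
    return os.path.commonprefix(passwords)


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for number, password in results:
        print(f"line {number}: type 7 is reversible -> {password}")
    print("shared prefix:", shared_prefix([p for _, p in results]))
```

Any line this flags in a real config should be treated as a cleartext credential and moved to a hashed secret type.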
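Each ^X rule function prepends a single character, so the prefix characters are written in reverse order in the rule below. Information about hashcat rules can be found here.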
https://hashcat.net/wiki/doku.php?id=rule_based_attack
echo "^_ ^0 ^K ^s ^6" > ch15_prepend.txt
hashcat -m 500 -r ch15_prepend.txt ch15passwd.txt ~/Git/SecLists/Passwords/
hashcat (v3.30) starting...
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080 Ti, 2047/11171 MB allocatable, 28MCU
*
...
$1$p8Y6$MCdRLBzuGlfOs9S.hXOp0.:6sK0_enable
Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Hash.Target......: $1$p8Y6$MCdRLBzuGlfOs9S.hXOp0.
Time.Started.....: Mon Nov 13 17:50:24 2017 (0 secs)
Time.Estimated...: Mon Nov 13 17:50:24 2017 (0 secs)
...
We found the password. 6sK0_enable is the password.