Root-me

CISCO Password

It’s not always a hash.

We need to find the “Enable” Password.

The challenge is a txt file that contains Cisco commands. We’ll look for the enable command issued to the device.

cat ch15.txt | grep enable

enable secret 5 $1$p8Y6$MCdRLBzuGlfOs9S.hXOp0.

So we got a hash; let’s pass it to hashcat. We’ll be using the password lists from SecLists. The GitHub repository can be found here.

https://github.com/danielmiessler/SecLists

echo '$1$p8Y6$MCdRLBzuGlfOs9S.hXOp0.' > ch15passwd.txt

hashcat -m 500 ch15passwd.txt ~/Git/SecLists/Passwords/

So after passing it ALL the passwords it didn’t find a match. There must be something going on. There are way too many passwords not to find a match for a small challenge.

The lead was in the title “It’s not always a hash”. This gave me the idea to see if there’s something else interesting in the ch15.txt file.

If we take a quick look at it, there are other passwords being set up, but they are not using enable 5; they use password 7 instead. Cisco password 7 uses a weak algorithm to encrypt the password. It uses the Vigenère cipher, an algorithm that was cracked in 1995.

I used this website to decode them.

cat ch15.txt | grep "password 7"

username hub password 7 025017705B3907344E 
username admin privilege 15 password 7 10181A325528130F010D24
username guest password 7 124F163C42340B112F3830
password 7 144101205C3B29242A3B3C3927

If we decode all 4 of them we get this.

025017705B3907344E:6sK0_hub
10181A325528130F010D24:6sK0_admin
124F163C42340B112F3830:6sK0_guest
144101205C3B29242A3B3C3927:6sK0_console

There’s a pattern in the passwords: 6sK0_. We’ll create a file containing a rule to prepend 6sK0_ to all the passwords that hashcat will try against the hash.

Information about hashcat rules can be found here.

https://hashcat.net/wiki/doku.php?id=rule_based_attack

echo "^_ ^0 ^K ^s ^6" > ch15_prepend.txt
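
An offline alternative to the decoding website, as an added example that is not part of the original write-up: it reverses the type 7 strings quoted above using Cisco's fixed, publicly known XOR table, then derives the shared prefix and the matching hashcat prepend rule. The function names and the embedded sample config (copied from the excerpts above) are my own choices.

```python
import os
import re

# Fixed XOR table used by Cisco IOS type 7 obfuscation (publicly known).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Sample input: the lines quoted from ch15.txt in this write-up.
SAMPLE_CONFIG = """\
username hub password 7 025017705B3907344E
username admin privilege 15 password 7 10181A325528130F010D24
username guest password 7 124F163C42340B112F3830
password 7 144101205C3B29242A3B3C3927
enable secret 5 $1$p8Y6$MCdRLBzuGlfOs9S.hXOp0.
"""

TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)[ \t]*$", re.MULTILINE)


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: 2 decimal digits of offset, then hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])          # starting index into XLAT
    data = bytes.fromhex(encoded[2:])  # obfuscated password bytes
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def audit_config(text: str) -> dict:
    """Return {encoded: plaintext} for every reversible type 7 entry."""
    return {enc: decode_type7(enc) for enc in TYPE7_RE.findall(text)}


def shared_prefix(text: str) -> str:
    """Longest prefix common to all recovered type 7 passwords."""
    return os.path.commonprefix(list(audit_config(text).values()))


def prepend_rule(prefix: str) -> str:
    """hashcat '^X' prepends one char, so emit the prefix back to front."""
    return " ".join("^" + c for c in reversed(prefix))


if __name__ == "__main__":
    for enc, plain in audit_config(SAMPLE_CONFIG).items():
        print(f"{enc}:{plain}")
    prefix = shared_prefix(SAMPLE_CONFIG)
    print("shared prefix:", prefix, "-> rule:", prepend_rule(prefix))
```

The `enable secret 5` line is skipped on purpose: it is a salted md5crypt hash, not a reversible encoding, which is why it needed hashcat.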

hashcat -m 500 -r ch15_prepend.txt ch15passwd.txt ~/Git/SecLists/Passwords/
hashcat (v3.30) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080 Ti, 2047/11171 MB allocatable, 28MCU
* 
...

$1$p8Y6$MCdRLBzuGlfOs9S.hXOp0.:6sK0_enable                
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Hash.Target......: $1$p8Y6$MCdRLBzuGlfOs9S.hXOp0.
Time.Started.....: Mon Nov 13 17:50:24 2017 (0 secs)
Time.Estimated...: Mon Nov 13 17:50:24 2017 (0 secs)

...

We found the password. 6sK0_enable is the password.