Decrypt Cisco Secret 4

Cisco recently cautioned about a security weakness in some versions of IOS and IOS XE-based routers, switches and appliances. The risk is related to a certain type of password (Type 4) that could allow an authenticated remote attacker to access sensitive information on a targeted device.


Cisco recommends checking whether such passwords exist on your Cisco devices and replacing them with Type 5 passwords.

While Cisco has provided a method to test devices for the existence of these problematic passwords, you may still want a way to ensure that such passwords are not introduced at any time in the future.


Here's a custom device configuration test that we developed to identify any Type 4 passwords across your router inventory and also to alert if such a password is mistakenly configured in the future.


Assuming your routers are defined in SecureTrack, follow these instructions to test them:


  1. Add the custom test by running this command on the SecureTrack server:
    curl -k -u <user>:<password> -X POST \
      -H 'Content-Type:application/xml' \
      -d '<dcr_test_concrete><groupId>8</groupId><id/><name>Forbid Type 4 Passwords</name><isActive>true</isActive><isDefault>true</isDefault><risk>3</risk><severity>3</severity><testDef><description>Verify that Type 4 passwords are not configured.</description><expression>^(enable secret 4|username.*secret.4)[^\n]*</expression><id/><input>running_config</input><isCustom>true</isCustom><mustContain>false</mustContain><name>Forbid Type 4 Passwords</name><products><device>IOS</device><id>1</id><vendor>Cisco</vendor></products><remediation>Replace Type 4 passwords with Type 5 passwords.</remediation><testDefUid>CU001</testDefUid><type>line_match</type></testDef><testUid>CU001</testUid></dcr_test_concrete>' \
      'http://localhost:8080/securetrack/api/dcrTests/custom'
  2. Create a new device configuration report under Reports
  3. Enable the new custom test:
  4. Save and run the report
  5. A properly configured device should pass the test like this:
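
The same line-match check can also be run offline against saved running-config files, for example in a configuration-backup pipeline. The script below is an added example, not part of the original article or of SecureTrack; the function name, the sample configuration and its hash values are constructed for illustration, and the pattern goes slightly beyond the article's expression by also covering the `enable secret level N 4 ...` form.

```python
import re
import sys

# Type 4 secret lines in an IOS running-config. Compared with the article's
# expression this also accepts "enable secret level N 4 <hash>" and options
# such as "privilege 15" between the username and the "secret" keyword.
TYPE4_RE = re.compile(
    r"^\s*(?:enable\s+secret(?:\s+level\s+\d+)?"
    r"|username\s+(?P<user>\S+)(?:\s+\S+)*?\s+secret)"
    r"\s+4\s+(?P<hash>\S+)\s*$"
)

def find_type4_secrets(running_config):
    """Return one finding per line that stores a Type 4 secret."""
    findings = []
    for lineno, line in enumerate(running_config.splitlines(), start=1):
        m = TYPE4_RE.match(line)
        if not m:
            continue
        # Keep the hash itself out of reports and tickets.
        redacted = (line[:m.start("hash")] + "<redacted>").strip()
        findings.append({
            "line": lineno,
            "account": m.group("user") or "enable",
            "text": redacted,
        })
    return findings

# Constructed sample configuration; the hash strings are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable secret 4 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
enable secret level 5 5 $1$CONSTRUCTED$notarealhashvalue000000
username admin privilege 15 secret 4 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
username backup secret 5 $1$CONSTRUCTED$notarealhashvalue111111
"""

if __name__ == "__main__":
    # Scan the file given on the command line, or the sample if none is given.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    results = find_type4_secrets(text)
    for f in results:
        print(f"line {f['line']}: {f['account']}: {f['text']}")
    # A non-zero exit status lets a scheduled job or CI step alert on findings.
    sys.exit(1 if results else 0)
```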