-

In this article, I would like to highlight the importance of using complex passwords when hashed with the MD5 128-bit algorithm. I will demonstrate the cracking of MD5 salted passwords using Kali Linux and a password cracking tool, John the Ripper.

Cisco IOS devices use the MD5 algorithm to hash username passwords created by administrators. When weak password strings are used that are protected with MD5 they become susceptible to attacks. MD5 passwords use something called salted hash, this is a four-character phrase that is generated and combined with the password.
Extracts of the following demonstration are taken from a CCNA Security lab I have been working on. It was such an informative lab, I decided to document it and share it with the SYNACK community. To carry out MD5 cracking we will use John the Ripper to crack a weak hashed password and then we will use a custom dictionary to carry out the second attack.

Step 1. Produce a one-way transform (MD5 hash) using Kali Linux

Open Terminal and ensuring you are in root enter openssl passwd -1 yvQJ cisco and press enter
You should be presented with a one-way transform of the password ‘cisco
Example: $1$yvQJ$SK2/1KIZXwUY/7/P36C4I0
 
Let me just take a moment to explain the task we have just performed and what the output means.
Openssl passwd = Command used to hash the password, on Cisco IOS this would be enable secret
-1 = The hasing method, in our case we are using the MD5 hashing algorithm
yvQJ = A salt phrase used for this demonstration
synack = The password we have used for this demonstration
So, if we look at the transform that was produced we can see the following
Transform = $1$yvQJ$SK2/1KIZXwUY/7/P36C4I0
$1 = Indicates that an MD5 transformation is used
$yvQJ = Indicates the four-character salt phrase we specified earlier
$SK2/1KIZXwUY/7/P36C4I0 = Indicates the MD5 hash of the secret password cisco combined with the salt ‘yvQJ

Step 2. Cracking the password ‘cisco’ with the given hash

We will now use John the Ripper to crack our password using the hash that was computed for us in the first step.
 
Open a text document by typing leafpad in terminal and press enter
Once leafpad is open type secretone:$1$yvQJ$SK2/1KIZXwUY/7/P36C4I0
Save the document to the root directory as secrets.txt
Execute John the Ripper by typing john secrets.txt
Example of the execution is shown in the image below. John the Ripper was successfully executed and it only took one guess to crack the MD5 hash and better yet, it only took 4 seconds.

Step 3. Perform a dictionary attack with John the Ripper

We will now create another MD5 transform and use a dictionary attack to crack the hash.
Open terminal and create another transform with the password ‘synack(see step 1)
Take the hash and open leafpad – enter the following newsecret:MD5_hash_here Where it says MD5_hash_here enter the MD5 hash you were presented with when creating the secret password.
Save the file to root directory as secrets1.txt and close the document
Open leafpad again and type on one line synack
Save this file to the root directory as words.txt and close the document
The words.txt file is our dictionary, although in our example we have only specified one word, we could have a much bigger dictionary of keywords. We will now tell John the Ripper to use our words.txt file to crack the MD5 hash.
In terminal enter john –wordlist=words.txt –rules secrets1.txt and press enter
John the Ripper should be able to crack the password, your output should look like the image below.

Conclusion

In this demonstration, you have seen how we can use John the Ripper to crack MD5 passwords. When using the enable secret command on Cisco IOS devices it is important to use complex passwords that are not based on any string of text and include letters, numbers and special characters.
#hacking #MD5Hashcracking #johntheRipper #kalilinux #md5cracking #Dictionaryattack #ciscoios
Kelvin Charles - Network and Cyber Security Professional.

Popular Posts

Capturing EAPOL and RADIUS Using Wireshark

-
Image
In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x
Read more

Configuring Cisco Smart License Software

-
In this article, I would like to demonstrate how to configure Cisco Smart Licensing on the virtual Cisco Adaptive Security Appliance (ASAv). This post assumes that readers already have access to there own Smart Account and would like to know the process of applying licenses. Step 1: Generate ID Token Sign into your Cisco Software Portal: software.cisco.com and navigate to “Smart Software Licensing” You will now need to create an ID token for your device, this is required for communication between the device and the licensing authority. Follow the steps below to create a new token. Click Inventory >>> General >>> New Token and select your preferred options and enter a description for your token. Once you are happy with your token settings click Create Token . You should now have a token created which can be copied over to the device you wish to license. All commands and output from this point will be related to the ASA so please seek out further advice if you wish
Read more

Cisco :: FXOS Authentication Using TACACS

-
In this article, I will describe how to enable authentication and authorization for Firepower eXtensible Operating System (FXOS) devices. The use case presented in this document illustrates how Cisco Identity Services Engine (ISE) can be utilised with attribute-value pairs (AV-Pairs) to authenticate and authorize users accessing the Firepower Chassis Manager (FCM) or FXOS platforms via TACACS+. At the time of writing this post, I found that limited documentation existed and of that documentation that did exist, the examples given weren’t as straightforward. In an effort to make this process easier for my colleagues and customers to understand I have put together the following instructions based on a previous use case given to me. Extracts of this document have been taken from a wider document I am currently creating. I will update this article with the complete document when it has been finalized. Requirements A ‘Device Administration’ license is required in order to use TACACS+ with
Read more

Configuring Remote Access VPN on Firepower

-
Image
In this article we are going to take a look at how to configure remote access VPN's on Firepower devices. This demonstration is based on the following lab environment: Cisco Virtual Firepower Management Center Cisco Virtual Firepower Threat Defense Cisco ISE 2.6 Windows host with AnyConnect VPN Windows Server 2019 (CA Server) All Firepower devices are running version 6.5 Note: ISE is used for authentication and authorization in the following lab however the configuration elements of ISE are out of scope for this demonstration. Generate a CSR for Remote Access VPN's Those accessing your network remotely need to trust the service you're running. Without the correct trust users could face issues connecting via VPN. With access to the FMC navigate to Objects > Object Management > PKI > Cert Enrollment Assuming you are opting for manual enrollment, select 'Manual' in Enrollment Type and copy the CA Certificate BASE-64 into the field. Now select the 'Certifi
Read more

Kali Linux :: CAM Table Overflow Attack Demonstration

-
Image
As part of my on-going studying for the CCNA Security 210 – 260 certification I have been exploring different types of network attacks, one of which is CAM table overflow attacks. In this article I would like to share what I have learnt and provide a demonstration of the attack carried out in a lab environment. To understand my demonstration, you first need to understand how a CAM table overflow attack works and what happens as a result of the attack.   Switches build Content Addressable Memory (CAM) tables based on mac-addresses and port numbers. When a switch receives a frame it checks the table to see if the source mac-address is already known, if the source mac-address is unknown the switch will add the mac-address to the table along with the port number. The switch then checks the destination layer two frame and if no entry exists the switch broadcasts the frame out of all ports except the port in which the frame was received. Presuming the destination mac-address wants to respond
Read more