IOSのパスワード文字列のハッシュ化について

enable secret などで利用する暗号化を指定したいとき,クリアテキストを入力することができない。

Router(config)#enable secret ?
  0      Specifies an UNENCRYPTED password will follow
  5      Specifies a MD5 HASHED secret will follow
  8      Specifies a PBKDF2 HASHED secret will follow
  9      Specifies a SCRYPT HASHED secret will follow
  <0-9>  Encryption types not explicitly specified
  LINE   The UNENCRYPTED (cleartext) 'enable' secret
  level  Set exec level password


事前にアルゴリズムを指定すれば良いだけなのだが,では,実際にハッシュ化された文字列を予め用意するにはどうしたらよいのだろうと考えた。

Router(config)#enable algorithm-type ?
  md5     Encode the password using the MD5 algorithm
  scrypt  Encode the password using the SCRYPT hashing algorithm
  sha256  Encode the password using the PBKDF2 hashing algorithm

Type5(MD5)

MD5の場合,opensslコマンドで対応できそうだ。オプションは-1がMD5。

$ openssl passwd --help
Usage: passwd [options]
Valid options are:
 -help               Display this summary
 -in infile          Read passwords from file
 -noverify           Never verify when reading password from terminal
 -quiet              No warnings
 -table              Format output as table
 -reverse            Switch table columns
 -salt val           Use provided salt
 -stdin              Read passwords from stdin
 -6                  SHA512-based password algorithm
 -5                  SHA256-based password algorithm
 -apr1               MD5-based password algorithm, Apache variant
 -1                  MD5-based password algorithm
 -aixmd5             AIX MD5-based password algorithm
 -crypt              Standard Unix password algorithm (default)
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

いざお試し。opensslコマンドで生成。

$ openssl passwd -1 "password"
$1$.cR/0KTx$pPUO/YlCknfEryhGL8vZ7/

ルータへ投入。


Router(config)#enable secret 5 $1$.cR/0KTx$pPUO/YlCknfEryhGL8vZ7/
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

エラーになる・・・。saltが必要だった。改めて生成。

$ openssl passwd -salt `openssl rand -base64 3`  -1 password
$1$tCLN$fofh2RhTlDmwzXeGUh7x4.

ルータへ投入。MD5はもはや非推奨だぞとアラートが出るが無事に行けた。

Router(config)#enable secret 5 $1$tCLN$fofh2RhTlDmwzXeGUh7x4.
 WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. Migrate to a supported password type
Router(config)#
*May 11 06:39:25.460: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. Migrate to a supported password type

Type8(PBKDF2)

PBKDF2はSHA256で繰り返しハッシュ化するもの。

opensslではハッシュ化できなさそうなので,pythonでやってみる。Passlibというライブラリがあるのでこれを使う。

なお,Cisco Communityを見ると以下のように記載されている。

Type 8 passwords are what Type 4 was meant to be, an upgraded Type 5!  Type 8 is hashed using PBKDF2, SHA-256, 80-bit salt, 20,000 iterations. While this is good, it is still vulnerable to brute-forcing since AES is easy to implement in (GPU) graphics cards. I have not proven it but I believe it is possible that the popular tool HashCat is able to decrypt these. In the running config standard Type 8 start with $8$.

https://community.cisco.com/t5/networking-documents/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238

80バイトのSaltということは10文字,2万Iterationで試行。

$ pip install passlib
Collecting passlib
  Downloading passlib-1.7.4-py2.py3-none-any.whl (525 kB)
     |????????????????????????????????| 525 kB 21.2 MB/s
Installing collected packages: passlib
Successfully installed passlib-1.7.4
$ python
>>> from passlib.hash import pbkdf2_sha256
>>> pbkdf2_sha256.using(rounds=20000, salt_size=10).hash("password")
'$pbkdf2-sha256$20000$cm6t9T6n9L73ng$7sCcdbt9sNLWj5h7.Jd.7cdyLwYqoPlFMIWV1..hjFc'
>>> pbkdf2_sha256.verify("password", '$pbkdf2-sha256$20000$cm6t9T6n9L73ng$7sCcdbt9sNLWj5h7.Jd.7cdyLwYqoPlFMIWV1..hjFc')
True
>>>

ハッシュ化成功した模様。salt以降をCiscoに登録。

Router(config)#enable secret 8 $8$cm6t9T6n9L73ng$7sCcdbt9sNLWj5h7.Jd.7cdyLwYqoPlFMIWV1..hjFc
Router(config)#end
Router#disable
Router>en
Password:
Password:
Password:
% Bad secrets

なんでだ・・・。なんどやってもダメで,Cisco側で登録したハッシュを逆にverifyしてもダメだった(方式が違うっぽい)。そこで,こんなの(ciscoPWDhasher)があったのでこれを使ってみることにした。

$ git clone https://github.com/BrettVerney/ciscoPWDhasher.git
$ cd ciscoPWDhasher
$ pip install scrypt passlib backports.pbkdf2
$ python3 ./ciscopwdhasher.py

+------------------------------------------------------------------------+
|    ____ _                 ____                                     _   |
|   / ___(_)___  ___ ___   |  _ \ __ _ ___ _____      _____  _ __ __| |  |
|  | |   | / __|/ __/ _ \  | |_) / _` / __/ __\ \ /\ / / _ \| '__/ _` |  |
|  | |___| \__ \ (_| (_) | |  __/ (_| \__ \__ \\ V  V / (_) | | | (_| |  |
|   \____|_|___/\___\___/  |_|   \__,_|___/___/ \_/\_/ \___/|_|  \__,_|  |
|                                                                        |
|           _   _           _                                            |
|          | | | | __ _ ___| |__   ___ _ __      .--.                    |
|          | |_| |/ _` / __| '_ \ / _ \ '__|    /.-. '----------.        |
|          |  _  | (_| \__ \ | | |  __/ |       \'-' .--"--""-"-'        |
|          |_| |_|\__,_|___/_| |_|\___|_|        '--'                    |
|                                                                        |
|  by: Brett Verney (@WiFiWizardOFOz)                      version: 0.1  |
+------------------------------------------------------------------------+

Select a hashing algorithm:

[1]  Type 5 (MD5)
[2]  Type 7 (XOR Cipher)
[3]  Type 8 (PBKDF2-HMAC-SHA256)
[4]  Type 9 (Scrypt)
[5]  Exit

Your selection: 3

Enter a Plain Text Password to convert: password
Your Cisco type 7 password is:   #これ多分type 8の間違い $8$L7qc2XluRN/CzI$t34L8AK8SWb8LUFeCNVQanveK/JwKozfuAtHuIRH6vc

ルータへ設定。

Router(config)#enable secret 8 
 
Router(config)#end
Router#disa
Router#disable
Router>en
Password:
Router#

無事成功。どうやらbase64のエンコード周りでCisco形式に変換してあげないとダメみたい(良くわからない)。

Type9(Scrypt)

現在推奨の方式。

Select a hashing algorithm:

[1]  Type 5 (MD5)
[2]  Type 7 (XOR Cipher)
[3]  Type 8 (PBKDF2-HMAC-SHA256)
[4]  Type 9 (Scrypt)
[5]  Exit

Your selection: 4

Enter a Plain Text Password to convert: password
Your Cisco type 9 password is: $9$KvAkztzB8xe7Am$n3st6bOSv2hzH7qTG/9RHUInJ0DlbSmtTqOHOtn99UM

同じようにルータへ設定。

Router(config)#$qc2XluRN/CzI$t34L8AK8SWb8LUFeCNVQanveK/JwKozfuAtHuIRH6vc
Router(config)#end
Router#disa
Router#disable
Router>en
Password:
Router#

問題無し!

素直に enable algorithm-type を使えという話だけれど,たまにはこういうことを調べるのも良いね。