{"id":741,"date":"2022-05-11T20:50:20","date_gmt":"2022-05-11T11:50:20","guid":{"rendered":"https:\/\/wp.zassoul.com\/?p=741"},"modified":"2024-02-29T22:36:00","modified_gmt":"2024-02-29T13:36:00","slug":"ios%e3%81%ae%e3%83%91%e3%82%b9%e3%83%af%e3%83%bc%e3%83%89%e6%96%87%e5%ad%97%e5%88%97%e3%81%ae%e3%83%8f%e3%83%83%e3%82%b7%e3%83%a5%e5%8c%96%e3%81%ab%e3%81%a4%e3%81%84%e3%81%a6","status":"publish","type":"post","link":"https:\/\/wp.zassoul.com\/?p=741","title":{"rendered":"On hashing IOS password strings"},"content":{"rendered":"\n<p>When you specify the encryption type for enable secret and similar commands, you cannot enter the password as cleartext.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Router(config)#enable secret ?\n  0      Specifies an UNENCRYPTED password will follow\n  5      Specifies a MD5 HASHED secret will follow\n  8      Specifies a PBKDF2 HASHED secret will follow\n  9      Specifies a SCRYPT HASHED secret will follow\n  &lt;0-9&gt;  Encryption types not explicitly specified\n  LINE   The UNENCRYPTED (cleartext) 'enable' secret\n  level  Set exec level password\n\n\n<\/code><\/pre>\n\n\n\n<p>You could simply set the algorithm beforehand, but I wondered how you would actually prepare the hashed string in advance.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Router(config)#enable algorithm-type ?\n  md5     Encode the password using the MD5 algorithm\n  scrypt  Encode the password using the SCRYPT hashing algorithm\n  sha256  Encode the password using the PBKDF2 
hashing algorithm\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Type5(MD5)<\/h2>\n\n\n\n<p>For MD5, the openssl command looks like it can handle this. The -1 option selects MD5.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ openssl passwd --help\nUsage: passwd &#91;options]\nValid options are:\n -help               Display this summary\n -in infile          Read passwords from file\n -noverify           Never verify when reading password from terminal\n -quiet              No warnings\n -table              Format output as table\n -reverse            Switch table columns\n -salt val           Use provided salt\n -stdin              Read passwords from stdin\n -6                  SHA512-based password algorithm\n -5                  SHA256-based password algorithm\n -apr1               MD5-based password algorithm, Apache variant\n -1                  MD5-based password algorithm\n -aixmd5             AIX MD5-based password algorithm\n -crypt              Standard Unix password algorithm (default)\n -rand val           Load the file(s) into the random number generator\n -writerand outfile  Write random data to the specified file\n<\/code><\/pre>\n\n\n\n<p>Let's try it. Generate the hash with the openssl command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ openssl passwd -1 \"password\"\n$1$.cR\/0KTx$pPUO\/YlCknfEryhGL8vZ7\/\n\n<\/code><\/pre>\n\n\n\n<p>Enter it on the router.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\nRouter(config)#enable secret 5 $1$.cR\/0KTx$pPUO\/YlCknfEryhGL8vZ7\/\nERROR: The secret you entered is not a valid encrypted secret.\nTo enter an UNENCRYPTED secret, do not specify type 5 encryption.\nWhen you properly enter an UNENCRYPTED secret, it will be 
encrypted.<\/code><\/pre>\n\n\n\n<p>It returns an error... A salt was needed. Generate it again.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ openssl passwd -salt `openssl rand -base64 3`  -1 password\n$1$tCLN$fofh2RhTlDmwzXeGUh7x4.\n<\/code><\/pre>\n\n\n\n<p>Enter it on the router. A warning says MD5 is now deprecated, but it went through fine.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Router(config)#enable secret 5 $1$tCLN$fofh2RhTlDmwzXeGUh7x4.\n WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. Migrate to a supported password type\nRouter(config)#\n*May 11 06:39:25.460: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. 
Migrate to a supported password type\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Type8(PBKDF2)<\/h2>\n\n\n\n<p>PBKDF2 hashes repeatedly using SHA256.<\/p>\n\n\n\n<p>openssl does not seem able to produce this hash, so I will try it in Python. There is a library called <a rel=\"noreferrer noopener\" href=\"https:\/\/passlib.readthedocs.io\/en\/stable\/install.html\" target=\"_blank\">Passlib<\/a>, so I will use that.<\/p>\n\n\n\n<p>Note that the Cisco Community describes it as follows.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Type 8 passwords are what Type 4 was meant to be, an upgraded Type 5!&nbsp; <strong>Type 8 is hashed using PBKDF2, SHA-256, 80-bit salt, 20,000 iterations<\/strong>. While this is good, it is still vulnerable to brute-forcing since AES is easy to implement in (GPU) graphics cards. I have not proven it but I believe it is possible that the popular tool HashCat is able to decrypt these. 
In the running config standard Type 8 start with $8$.<\/p>\n<cite>https:\/\/community.cisco.com\/t5\/networking-documents\/understanding-the-differences-between-the-cisco-password-secret\/ta-p\/3163238<\/cite><\/blockquote>\n\n\n\n<p>An 80-byte salt means 10 characters, so I tried with 20,000 iterations.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ pip install passlib\nCollecting passlib\n  Downloading passlib-1.7.4-py2.py3-none-any.whl (525 kB)\n     |????????????????????????????????| 525 kB 21.2 MB\/s\nInstalling collected packages: passlib\nSuccessfully installed passlib-1.7.4\n$ python\n&gt;&gt;&gt; from passlib.hash import pbkdf2_sha256\n&gt;&gt;&gt; pbkdf2_sha256.using(rounds=20000, salt_size=10).hash(\"password\")\n'$pbkdf2-sha256$20000$cm6t9T6n9L73ng$7sCcdbt9sNLWj5h7.Jd.7cdyLwYqoPlFMIWV1..hjFc'\n&gt;&gt;&gt; pbkdf2_sha256.verify(\"password\", '$pbkdf2-sha256$20000$cm6t9T6n9L73ng$7sCcdbt9sNLWj5h7.Jd.7cdyLwYqoPlFMIWV1..hjFc')\nTrue\n&gt;&gt;&gt;<\/code><\/pre>\n\n\n\n<p>The hashing appears to have succeeded. Register the part from the salt onward on the Cisco device.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Router(config)#enable secret 8 $8$cm6t9T6n9L73ng$7sCcdbt9sNLWj5h7.Jd.7cdyLwYqoPlFMIWV1..hjFc\nRouter(config)#end\nRouter#disable\nRouter&gt;en\nPassword:\nPassword:\nPassword:\n% Bad secrets\n<\/code><\/pre>\n\n\n\n<p>Why... No matter how many times I tried, it failed, and verifying a hash registered on the Cisco side the other way around also failed (the scheme seems to be different). Then I found this tool (<a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/BrettVerney\/ciscoPWDhasher\" 
target=\"_blank\">ciscoPWDhasher<\/a>), so I decided to try it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ git clone https:\/\/github.com\/BrettVerney\/ciscoPWDhasher.git\n$ cd ciscoPWDhasher\n$ pip install scrypt passlib backports.pbkdf2\n$ python3 .\/ciscopwdhasher.py\n\n+------------------------------------------------------------------------+\n|    ____ _                 ____                                     _   |\n|   \/ ___(_)___  ___ ___   |  _ \\ __ _ ___ _____      _____  _ __ __| |  |\n|  | |   | \/ __|\/ __\/ _ \\  | |_) \/ _` \/ __\/ __\\ \\ \/\\ \/ \/ _ \\| '__\/ _` |  |\n|  | |___| \\__ \\ (_| (_) | |  __\/ (_| \\__ \\__ \\\\ V  V \/ (_) | | | (_| |  |\n|   \\____|_|___\/\\___\\___\/  |_|   \\__,_|___\/___\/ \\_\/\\_\/ \\___\/|_|  \\__,_|  |\n|                                                                        |\n|           _   _           _                                            |\n|          | | | | __ _ ___| |__   ___ _ __      .--.                    |\n|          | |_| |\/ _` \/ __| '_ \\ \/ _ \\ '__|    \/.-. '----------.        
|\n|          |  _  | (_| \\__ \\ | | |  __\/ |       \\'-' .--\"--\"\"-\"-'        |\n|          |_| |_|\\__,_|___\/_| |_|\\___|_|        '--'                    |\n|                                                                        |\n|  by: Brett Verney (@WiFiWizardOFOz)                      version: 0.1  |\n+------------------------------------------------------------------------+\n\nSelect a hashing algorithm:\n\n&#91;1]  Type 5 (MD5)\n&#91;2]  Type 7 (XOR Cipher)\n&#91;3]  Type 8 (PBKDF2-HMAC-SHA256)\n&#91;4]  Type 9 (Scrypt)\n&#91;5]  Exit\n\nYour selection: 3\n\nEnter a Plain Text Password to convert: password\nYour Cisco type 7 password is:   # probably a mistake for type 8 $8$L7qc2XluRN\/CzI$t34L8AK8SWb8LUFeCNVQanveK\/JwKozfuAtHuIRH6vc<\/code><\/pre>\n\n\n\n<p>Configure it on the router.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Router(config)#enable secret 8 \n \nRouter(config)#end\nRouter#disa\nRouter#disable\nRouter&gt;en\nPassword:\nRouter#\n<\/code><\/pre>\n\n\n\n<p>It worked. Apparently the base64 encoding has to be converted to Cisco's format (I don't really understand it).<\/p>\n\n\n\n<p class=\"has-pale-pink-color has-text-color has-link-color wp-elements-3ce2b181a6a3005bdb0b80509245feee\">&#8212; Added 2024\/02\/29 &#8212;<br>Apparently you have to hash the Base64-encoded salt and string, and then further convert the result into Cisco's format. Also, the salt seems to need to be at least 13 characters; otherwise it was rejected.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">Type9(Scrypt)<\/h2>\n\n\n\n<p>The currently recommended method.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Select a hashing algorithm:\n\n&#91;1]  Type 5 (MD5)\n&#91;2]  Type 7 (XOR Cipher)\n&#91;3]  Type 8 (PBKDF2-HMAC-SHA256)\n&#91;4]  Type 9 (Scrypt)\n&#91;5]  Exit\n\nYour selection: 4\n\nEnter a Plain Text Password to convert: password\nYour Cisco type 9 password is: $9$KvAkztzB8xe7Am$n3st6bOSv2hzH7qTG\/9RHUInJ0DlbSmtTqOHOtn99UM<\/code><\/pre>\n\n\n\n<p>Configure it on the router in the same way.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Router(config)#$qc2XluRN\/CzI$t34L8AK8SWb8LUFeCNVQanveK\/JwKozfuAtHuIRH6vc\nRouter(config)#end\nRouter#disa\nRouter#disable\nRouter&gt;en\nPassword:\nRouter#<\/code><\/pre>\n\n\n\n<p>No problems!<\/p>\n\n\n\n<p>The sensible thing is to just use <code>enable algorithm-type <\/code>, but it is nice to look into this kind of thing once in a while.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you specify the encryption type for enable secret and similar commands, you cannot enter the password as cleartext. You could simply set the algorithm beforehand, but I wondered how you would actually prepare the hashed string\u2026 <span class=\"read-more\"><a href=\"https:\/\/wp.zassoul.com\/?p=741\">Read more 
&raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,48],"tags":[74,75],"class_list":["post-741","post","type-post","status-publish","format-standard","hentry","category-cisco","category-security","tag-cisco","tag-network"],"_links":{"self":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=741"}],"version-history":[{"count":6,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/741\/revisions"}],"predecessor-version":[{"id":886,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/741\/revisions\/886"}],"wp:attachment":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}