Decrypting Type 7 Passwords (enable password)
Cisco passwords are often stored in hashed or encrypted format in the configuration. The different types of password encryption supported by Cisco devices are:
- Type 0 (Cleartext) - The password is stored in plain text and is easily readable.
- Type 5 (MD5 hash) - The password is hashed using MD5. This is a one-way hash and cannot be easily reversed.
- Type 7 (Cisco proprietary) - The password is encrypted using a weak Cisco proprietary algorithm that can be easily decrypted.
- Type 8 (SHA-256) - The password is hashed using SHA-256. This is a strong one-way hash.
- Type 9 (Scrypt) - The password is hashed using the scrypt algorithm, which is designed to be computationally expensive.
In this post, we will focus on Type 7 passwords and how they can be decrypted. Type 7 passwords are commonly used with the enable password command and the username command when no encryption type is specified.
Understanding Type 7 Encryption
Type 7 encryption is a simple XOR-based cipher with a rotating key. The algorithm uses a static salt table and XORs each character of the password with a value from this table. The position in the salt table rotates with each character, making it a Vigenère-style cipher.
Here's how a Type 7 encrypted password appears in a Cisco configuration:
enable password 7 060506324F41
The format is: enable password 7 [encrypted_string]
The encrypted string consists of:
- First 2 digits: Salt index (00-15)
- Remaining digits: Encrypted password in hexadecimal
Decrypting Type 7 Passwords
Since Type 7 encryption is weak and well-documented, there are several methods to decrypt these passwords:
Method 1: Online Decryption Tools
Many online tools can decrypt Type 7 passwords instantly. Simply paste the encrypted string (without the "enable password 7" part) into these tools. Keep in mind that pasting a string taken from a production configuration hands the credential to whoever operates the site, so use a local tool for anything other than throwaway values.
Method 2: Command Line Tools
You can use various command-line tools. For example, using a Python script:
#!/usr/bin/env python3
# Cisco Type 7 key stream. The first 24 bytes are the table as originally
# listed (0x64 0x73 0x66 ... = "dsfd;kfoA,.iyewrkldJKDHS"); the remaining
# bytes complete the 53-byte table IOS uses, so that passwords longer than
# the short table also decrypt correctly instead of wrapping early.
SALT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decrypt_type7(encrypted_password):
    # Extract the two-digit salt index (00-15) and the hex-encoded body
    salt_index = int(encrypted_password[:2])
    encrypted_part = encrypted_password[2:]
    if not 0 <= salt_index <= 15 or len(encrypted_part) % 2:
        raise ValueError("malformed Type 7 string")
    # Each ciphertext byte is XORed with the next key-stream byte,
    # starting at the position given by the salt index
    decrypted = ""
    for i in range(0, len(encrypted_part), 2):
        encrypted_char = int(encrypted_part[i:i + 2], 16)
        decrypted += chr(encrypted_char ^ SALT[(salt_index + i // 2) % len(SALT)])
    return decrypted

# Example usage
encrypted = "060506324F41"
password = decrypt_type7(encrypted)
print(f"Decrypted password: {password}")
Method 3: Cisco IOS Commands
Interestingly, newer versions of Cisco IOS include a command to decrypt Type 7 passwords:
Router# show password encryption type7 060506324F41
Decrypted password: cisco
Security Implications
Type 7 encryption provides minimal security and should not be used to protect sensitive passwords. The encryption can be broken in seconds using readily available tools. Here are the key security implications:
- Weak Encryption - The algorithm is well-documented and easily reversible
- No Salt Randomization - The salt values are static and predictable
- Configuration Exposure - Anyone with read access to the configuration can decrypt the passwords
Best Practices
To improve password security on Cisco devices:
- Use Type 5 (MD5) or better - Configure enable secret instead of enable password
- Enable service password-encryption - This encrypts all passwords in the configuration using Type 7, but remember that Type 7 is still weak
- Use strong password policies - Implement complex passwords regardless of encryption type
- Restrict configuration access - Limit who can view the device configuration
- Use AAA authentication - Implement centralized authentication with TACACS+ or RADIUS
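To check a configuration against these practices, here is an added audit script (not from the original post) that flags cleartext and reversible Type 7 credentials in a running-config excerpt; the sample config, the regular expression and the severity ratings are my own constructions.

```python
import re

# Constructed running-config excerpt for the audit (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
enable password 7 060506324F41
username admin secret 5 $1$salt$qJH7.N4xYta3aEG/dfqo/0
username backup password 7 0822455D0A16
username legacy password 0 letmein
line vty 0 4
 password 7 121A0C041104
 login
"""

# Credential statements and the optional encoding-type digit that follows them.
CRED_RE = re.compile(
    r"^\s*(?P<stmt>enable password|enable secret|username \S+ (?:password|secret)|password)"
    r"(?:\s+(?P<type>\d))?\s+(?P<value>\S+)\s*$"
)

# Severity and advice per encoding type, following the ranking in the post.
RATING = {
    "0": ("HIGH", "cleartext; replace with a secret (Type 5 or better)"),
    "7": ("HIGH", "reversible Type 7; replace with a secret (Type 5 or better)"),
    "5": ("MEDIUM", "MD5 secret; prefer Type 8 or 9 where the platform supports it"),
    "8": ("INFO", "SHA-256 secret"),
    "9": ("INFO", "scrypt secret"),
}

def audit_config(config_text):
    """Return (line_no, statement, type, severity, advice) for each credential line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        # No type digit means the value itself is the cleartext password (Type 0).
        ptype = m.group("type") or "0"
        severity, advice = RATING.get(ptype, ("UNKNOWN", "unrecognised type digit"))
        findings.append((line_no, m.group("stmt"), ptype, severity, advice))
    return findings

def weak_credentials(findings):
    """Findings a config-review gate should fail on: cleartext or reversible Type 7."""
    return [f for f in findings if f[3] == "HIGH"]

if __name__ == "__main__":
    for line_no, stmt, ptype, severity, advice in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {severity:<6} {stmt} (type {ptype}) -> {advice}")
```

Run it against the output of show running-config saved to a file; any HIGH finding marks a line that still needs to be moved to a secret.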
Example of secure password configuration:
! Use enable secret instead of enable password
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
! Enable password encryption service
service password-encryption
! Configure usernames with Type 5 encryption
username admin secret 5 $1$salt$qJH7.N4xYta3aEG/dfqo/0
Conclusion
Type 7 password encryption in Cisco devices is a legacy feature that provides minimal security. While it may obscure passwords from casual viewing, it should never be relied upon for actual security. Network administrators should use stronger encryption methods like Type 5 (MD5) or implement AAA authentication for better security. Understanding how Type 7 encryption works and its limitations is important for proper network security implementation.