brettverney / ciscopwdhasher
A Python Cisco IOS, IOS-XE and NX-OS password hashing tool
License: MIT License
Error when installing requirements...
Line should be:
passlib==1.7.4
Thanks for the tool
I have tried this on a C2960X, and even though the hash is created fine, the switch doesn't accept it as valid.
Cisco-2960X(config)#username test privilege 15 secret 5 $1$Oh9i$VEEjjTMjnWVl18hXNoNjR.
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
Is there something on the switch configuration that could make it work for you and not for me? I cannot think of anything in particular.
Thanks
I think the code in this would be better if it was restructured to a package so one could install it via pip and use the hashing functions in a larger project vs having to copy the code out. This would open up the ability to publish this package on pypi and do a 'pip install ciscoPWDhasher' and import the hashing function you need to use. This would also not change the name or functionality of the 'ciscopwdhasher.py' script, only the structure of the code.
While a leading space is not allowed in the password prompt, the script still accepts passwords with spaces after a legal character has been entered. This includes TABs. This is not permitted by Cisco IOS/IOS-XE.
Cisco ASA 9.5 added a new SHA512-based pbkdf2 password hash. This one isn't technically numbered, but I think it's informally referred to as type 10?
I replied to your comment on the open issue in passlib but I'll add my comments here for visibility:
Here's what the hash typically gets serialized as:
$sha512$5000$zJZ/+1K9lmgpmVlRXjPEYQ==$9VOAeH+g4QIPkUyWfdq79w==
This follows a modular crypt syntax, which breaks down as follows:
sha512 is cisco-ese for the pbkdf2 password format
5000 is the number of iterations the hash uses
zJZ/+1K9lmgpmVlRXjPEYQ== is a 16-byte salt encoded in standard base64 (not altered)
9VOAeH+g4QIPkUyWfdq79w== is the first 16 bytes of a standard SHA512 digest encoded in standard base64
Quick proof-of-concept for generating a password hash:
import base64
import crypt
from passlib.crypto.digest import pbkdf2_hmac
# this is maybe not the best way to generate the salt? i.e. the salt bytes encoded in the example hash above
# decodes to:
# cc 96 7f fb
# 52 bd 96 68
# 29 99 59 51
# 5e 33 c4 61
# so i.e. it is not limited to 7-bit printable characters.
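# note: the crypt module was removed in Python 3.13, so this line needs an older interpreter
salt_bytes = crypt.mksalt(crypt.METHOD_SHA512)[3:].encode('utf8')
secret_bytes = 'my_password'.encode('utf8')
rounds = 5000
# passlib's signature is pbkdf2_hmac(digest, secret, salt, rounds): the secret comes before the salt
digest = pbkdf2_hmac('sha512', secret_bytes, salt_bytes, rounds)[0:16]
print('$sha512${rounds}${salt}${digest}'.format(
    rounds=rounds,
    salt=base64.b64encode(salt_bytes).decode('utf8'),
    digest=base64.b64encode(digest).decode('utf8')
))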
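A verification counterpart to the generator above, as an added example (not part of the original issue, and not code from ciscopwdhasher or passlib). It assumes the field layout exactly as the post describes it and uses the standard library's `hashlib` instead of passlib; the function names and the iteration cap are hypothetical.

```python
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 16          # per the post: only the first 16 bytes are stored
MAX_ROUNDS = 1_000_000   # hypothetical cap so a hostile hash string cannot stall verification


def parse_asa_pbkdf2(encoded):
    """Split '$sha512$<rounds>$<b64 salt>$<b64 digest>' into (rounds, salt, digest)."""
    parts = encoded.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "sha512":
        raise ValueError("not a $sha512$ hash string")
    if not (parts[2].isascii() and parts[2].isdigit()):
        raise ValueError("iteration count is not a number")
    rounds = int(parts[2])
    if not 1 <= rounds <= MAX_ROUNDS:
        raise ValueError("iteration count out of range")
    try:
        salt = base64.b64decode(parts[3], validate=True)
        digest = base64.b64decode(parts[4], validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("salt or digest is not standard base64") from exc
    if len(digest) != DIGEST_LEN:
        raise ValueError("digest is not 16 bytes")
    return rounds, salt, digest


def _derive(password, salt, rounds):
    # dklen=16 yields the same bytes as truncating the full 64-byte output
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf8"), salt, rounds, DIGEST_LEN)


def hash_asa_pbkdf2(password, salt=None, rounds=5000):
    """Build a hash string; the salt is 16 random bytes unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    fields = (base64.b64encode(x).decode("ascii") for x in (salt, _derive(password, salt, rounds)))
    return "$sha512${}${}${}".format(rounds, *fields)


def verify_asa_pbkdf2(password, encoded):
    """Recompute the digest from the stored parameters and compare in constant time."""
    rounds, salt, expected = parse_asa_pbkdf2(encoded)
    return hmac.compare_digest(_derive(password, salt, rounds), expected)


# The serialized hash quoted in the post above
PAGE_EXAMPLE = "$sha512$5000$zJZ/+1K9lmgpmVlRXjPEYQ==$9VOAeH+g4QIPkUyWfdq79w=="
```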
I like the program and was wondering if anyone has had the opportunity to convert this program into an exe using py2exe. It would be a nice to have.
How to implement the second type 8 pwd shown in the cisco documentation?
Example :
R1(config)# username yasser algorithm-type sha256 secret cisco
R1# show running-config | inc username
username yasser secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs
When using this python script the switch will not accept the calculated hash
# Program output
[3] Type 8 (PBKDF2-HMAC-SHA256)
[4] Type 9 (Scrypt)
[5] Exit
Your selection: 4
Enter a Plain Text Password to convert: TestText
Your Cisco Type 9 password hash is: $9$icj5vfNlTumwNB$64epo7fnBl03uRLMQT0Q5VWaOvHPipqZLFFsCbYdl4Y
# Switch output
TEST(config)# username test privilege 15 secret 9 $9$icj5vfNlTumwNB$64epo7fnBl03uRLMQT0Q5VWaOvHPipqZLFFsCbYdl4Y
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted
At line 63 in ciscopwdhasher.py
print(f'Your Cisco type 7 password is: {hash}')
I think it should be as below:
print(f'Your Cisco type 8 password is: {hash}')