
ciscopwdhasher's People

Contributors

brettverney, superadm1n, x84net


ciscopwdhasher's Issues

type8's message is wrong.

At line 63 in ciscopwdhasher.py
print(f'Your Cisco type 7 password is: {hash}')
I think it would be as below:
print(f'Your Cisco type 8 password is: {hash}')

Py2exe capable

I like the program and was wondering if anyone has had the opportunity to convert this program into an exe using py2exe. It would be a nice-to-have.

Add support for Cisco's sha512 format

Cisco ASA 9.5 added a new SHA512-based pbkdf2 password hash. This one isn't technically numbered, but I think it's informally referred to as type 10?

I replied to your comment on the open issue in passlib but I'll add my comments here for visibility:

Here's what the hash typically gets serialized as:

$sha512$5000$zJZ/+1K9lmgpmVlRXjPEYQ==$9VOAeH+g4QIPkUyWfdq79w==

This follows a modular crypt syntax, which breaks down as follows:

  • sha512 is cisco-ese for the pbkdf2 password format
  • 5000 is the number of iterations the hash uses
  • zJZ/+1K9lmgpmVlRXjPEYQ== is a 16-byte salt encoded in standard base64 (not altered)
  • 9VOAeH+g4QIPkUyWfdq79w== is the first 16 bytes of a standard SHA512 digest encoded in standard base64

Quick proof-of-concept for generating a password hash:

import base64
import crypt
from passlib.crypto.digest import pbkdf2_hmac

# this is maybe not the best way to generate the salt? i.e. the salt bytes encoded in the example hash above
# decodes to: 
#     cc 96 7f fb 
#     52 bd 96 68
#     29 99 59 51
#     5e 33 c4 61
# so i.e. it is not limited to 7-bit printable characters.
salt_bytes = crypt.mksalt(crypt.METHOD_SHA512)[3:].encode('utf8')
secret_bytes = 'my_password'.encode('utf8')
rounds = 5000

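# passlib's signature is pbkdf2_hmac(digest, secret, salt, rounds, keylen=None):
# the password goes in as the secret, the salt second.
digest = pbkdf2_hmac('sha512', secret_bytes, salt_bytes, rounds)[0:16]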

print('$sha512${rounds}${salt}${digest}'.format(
  rounds=rounds,
  salt=base64.b64encode(salt_bytes).decode('utf8'),
  digest=base64.b64encode(digest).decode('utf8')
))
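The field layout described in this issue, turned into a strict parser and a constant-time verifier using only the standard library. This is an added example, not part of the original issue or of ciscopwdhasher; the function names are hypothetical, and it assumes the derivation is plain PBKDF2-HMAC-SHA512 truncated to 16 bytes, as the issue describes, without having been checked against a device.

```python
import base64
import hashlib
import hmac
import os

# Assumption (from the issue text): 16-byte salt, 16-byte truncated
# PBKDF2-HMAC-SHA512 output, both in standard base64.
FIELD_LEN = 16


def parse_asa_sha512(hash_str):
    """Split '$sha512$<rounds>$<salt_b64>$<digest_b64>' into (rounds, salt, digest)."""
    parts = hash_str.split('$')
    if len(parts) != 5 or parts[0] != '' or parts[1] != 'sha512':
        raise ValueError('not a $sha512$ hash')
    if not (parts[2].isascii() and parts[2].isdigit()) or int(parts[2]) < 1:
        raise ValueError('bad iteration count')
    try:
        salt = base64.b64decode(parts[3], validate=True)
        digest = base64.b64decode(parts[4], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError('bad base64 field') from exc
    if len(salt) != FIELD_LEN or len(digest) != FIELD_LEN:
        raise ValueError('salt and digest must each be 16 bytes')
    return int(parts[2]), salt, digest


def make_asa_sha512(password, rounds=5000, salt=None):
    """Build a hash string; the salt is 16 random bytes unless one is supplied."""
    salt = os.urandom(FIELD_LEN) if salt is None else salt
    # dklen=16 yields the same bytes as truncating the full 64-byte output.
    digest = hashlib.pbkdf2_hmac('sha512', password.encode('utf8'),
                                 salt, rounds, dklen=FIELD_LEN)
    return '$sha512${}${}${}'.format(
        rounds,
        base64.b64encode(salt).decode('ascii'),
        base64.b64encode(digest).decode('ascii'))


def verify_asa_sha512(password, hash_str):
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    rounds, salt, digest = parse_asa_sha512(hash_str)
    candidate = hashlib.pbkdf2_hmac('sha512', password.encode('utf8'),
                                    salt, rounds, dklen=FIELD_LEN)
    return hmac.compare_digest(candidate, digest)


if __name__ == '__main__':
    h = make_asa_sha512('my_password')
    print(h, verify_asa_sha512('my_password', h))
```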

Doesn't work in C2960X

I have tried this on a C2960X, and even when the hash is created fine the SW doesn't accept it as valid.

Cisco-2960X(config)#username test privilege 15 secret 5 $1$Oh9i$VEEjjTMjnWVl18hXNoNjR.
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

Is there something on the switch configuration that could make it work for you and not for me? I cannot think of anything in particular.

Thanks

Don't allow whitespace in password

While a leading space is not allowed in the password prompt, the script still accepts passwords with spaces after a legal character has been entered. This includes TABs. This is not permitted by Cisco IOS/IOS-XE.

Unable to integrate into larger projects

I think the code in this would be better if it was restructured to a package so one could install it via pip and use the hashing functions in a larger project vs having to copy the code out. This would open up the ability to publish this package on pypi and do a 'pip install ciscoPWDhasher' and import the hashing function you need to use. This would also not change the name or functionality of the 'ciscopwdhasher.py' script, only the structure of the code.

username ... secret 9 ... is not correct for C9300-48P IOS-XE 17.03.04

When using this python script the switch will not accept the calculated hash

# Program output
[3]  Type 8 (PBKDF2-HMAC-SHA256)
[4]  Type 9 (Scrypt)
[5]  Exit

Your selection: 4

Enter a Plain Text Password to convert: TestText

Your Cisco Type 9 password hash is: $9$icj5vfNlTumwNB$64epo7fnBl03uRLMQT0Q5VWaOvHPipqZLFFsCbYdl4Y


# Switch output
TEST(config)# username test privilege 15 secret 9 $9$icj5vfNlTumwNB$64epo7fnBl03uRLMQT0Q5VWaOvHPipqZLFFsCbYdl4Y
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted
