Enable Password / Secret

What will the following commands do ?

1.enable secret LINE
2.enable secret 0
3.enable secret 5
4.enable password 7
5.enable password LINE

when I use enable secret 0 cisco (on PT)

sh ru = enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

and

when I use enable secret 5 cisco (on PT)

sh ru = enable secret 5 cisco

shouldn't it be the other way round ?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

OctalDump

Have you tried them? Or tried enable secret ? or enable password ??

Otherwise, this might help:
Cisco IOS Security Command Reference: Commands D to L - E [Support] - Cisco
Cisco IOS Security Command Reference: Commands D to L - E [Support] - Cisco

I'll give you a hint: although enable secret and enable password can take multiple parameters, you only have 1 parameter in those examples. So you are looking for the effect where only one parameter is given.

EdTheLad

"enable secret 0 cisco" means the password that follows 0 is unencrypted i.e. the password is "cisco"
If you do a show runn, you will see the encrypted version of the password i.e. $jhjhukyky

"enable secret 5 cisco" means the password that fallows 5 is encrypted i.e. to find the password the system will unencrypt "cisco" to "hggkhkjhkhkjhkh"
To login as enable, you will need to enter password "hggkhkjhkhkjhkh"

Both will show in the config in encrypted format, the reason for this is so you can copy and paste a config with encrypted keys, with 0 or 7 option you are telling the router if the password is plain text or has already been encrypted.

satishtech

Is this CCNA security syllabus ?

TWX

satishtech wrote: »

Is this CCNA security syllabus ?

?

What do you mean?

Simrid

The new CCNA security exam topics can be found here:

https://learningnetwork.cisco.com/community/certifications/security_ccna/iins-v3/exam-topics

satishtech

are the questions I asked related to ccna security and not ccent icnd1

OctalDump

No. This is correct behaviour.

When you use the command

enable secret 0 cisco

you are saying what I am giving after the 0 is not encrypted. Then when you do a show run, the password is encrypted (because you used "secret" which has the effect of storing the MD5 hash of the password and not the password). The "5" when you do a show running-config indicates that what follows in encrypted (or rather hashed) using MD5.

when you use the command

enable secret 5 cisco

you are saying what I am giving you after the 5 is the hash of the password. Then when you do a show run, the hashed password is shown. The problem is that the actual enable secret (what you need to give to enter privileged mode) is not cisco, it is whatever encrypts to give you the output cisco. I suspect that this will not actually work, since MD5 hashes need to be a certain length, and normally start with $1. Possibly it will be interpreted as being padded by NULLs.

Why use enable secret 5 at all? Well, if you need to copy a config across, then you can easily do this and not need to reveal the actual password. It enables you to effectively keep the password (reasonably) secret.

TWX

The way they teach the use of enable password versus enable secret is a bit confusing.

enable password is a legacy command. Back in the day, it was the only command that Cisco supported for setting a password to go from user-exec mode (ie, user-level access) to privileged-exec mode (ie, administrator-level access). It was originally plain-text only. Later, they added a feature to switches that obfuscates the password, but only to casual view, as the algorithm used by the command that does this (service password-encryption) is weak and can be reversed though as little complexity as a Perl script.

The better command, in lieu of enable password, is enable secret. This stores the password in a much more secure (theoretically) way that cannot be easily reversed. If someone gets ahold of your config file with enable secret and service password-encryption they can figure out your passwords. If they get ahold of your config file with enable secret they're not going to be able to readily reverse-engineer your credentials.

enable password is still present because of legacy installations, and because companies are hesitant to remove commands even when they've been superseded. There is no reason to use enable password anymore unless the site or installation has some obscure need for it.

That said, there is a vulnerability in enable secret in some versions of IOS 15; Cisco attempted to go beyond the MD5 algorithm that they had used in IOS 12 to a SHA algorithm, but they screwed up and it was easier to brute-force the SHA passwords than the MD5 passwords. They've since migrated back to MD5. Even the broken SHA implementation of enable secret is more secure than enable password though.

Learn enable password because they put it on the curriculum, but understand that it's not somewhere you want to go, kind of like how they want you to learn using telnet to connect from device to device, when in reality this is a horrible idea and you should use ssh exclusively, and disable telnet.