Enable Password / Secret

satishtech Member Posts: 243
What will the following commands do?

1. enable secret LINE
2. enable secret 0
3. enable secret 5
4. enable password 7
5. enable password LINE


when I use enable secret 0 cisco (on PT)

sh ru = enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

and

when I use enable secret 5 cisco (on PT)

sh ru = enable secret 5 cisco

shouldn't it be the other way round ?

Comments

  • OctalDump Member Posts: 1,722
    Have you tried them? Or tried enable secret ? or enable password ??

    Otherwise, this might help:
    Cisco IOS Security Command Reference: Commands D to L - E [Support] - Cisco

    I'll give you a hint: although enable secret and enable password can take multiple parameters, you only have 1 parameter in those examples. So you are looking for the effect where only one parameter is given.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • EdTheLad Member Posts: 2,111
    "enable secret 0 cisco" means the password that follows 0 is unencrypted i.e. the password is "cisco"
    If you do a show runn, you will see the encrypted version of the password i.e. $jhjhukyky

    "enable secret 5 cisco" means the password that follows 5 is encrypted i.e. to find the password the system will unencrypt "cisco" to "hggkhkjhkhkjhkh"
    To login as enable, you will need to enter password "hggkhkjhkhkjhkh"

    Both will show in the config in encrypted format, the reason for this is so you can copy and paste a config with encrypted keys, with 0 or 7 option you are telling the router if the password is plain text or has already been encrypted.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • satishtech Member Posts: 243
    Is this CCNA security syllabus ?
  • TWX Member Posts: 275
    satishtech wrote: »
    Is this CCNA security syllabus ?

    ?

    What do you mean?
  • Simrid Member Posts: 327
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • satishtech Member Posts: 243
    Are the questions I asked related to CCNA Security and not CCENT ICND1?
  • OctalDump Member Posts: 1,722
    No. This is correct behaviour.

    When you use the command

    enable secret 0 cisco

    you are saying what I am giving after the 0 is not encrypted. Then when you do a show run, the password is encrypted (because you used "secret" which has the effect of storing the MD5 hash of the password and not the password). The "5" when you do a show running-config indicates that what follows is encrypted (or rather hashed) using MD5.

    when you use the command

    enable secret 5 cisco

    you are saying what I am giving you after the 5 is the hash of the password. Then when you do a show run, the hashed password is shown. The problem is that the actual enable secret (what you need to give to enter privileged mode) is not cisco, it is whatever encrypts to give you the output cisco. I suspect that this will not actually work, since MD5 hashes need to be a certain length, and normally start with $1. Possibly it will be interpreted as being padded by NULLs.

    Why use enable secret 5 at all? Well, if you need to copy a config across, then you can easily do this and not need to reveal the actual password. It enables you to effectively keep the password (reasonably) secret.
    2017 Goals - Something Cisco, Something Linux, Agile PM
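Added example, not part of any post in this thread and not Cisco's code: a from-scratch MD5-crypt (`$1$`) routine that reproduces the type 5 string from the first post for the password `cisco` with salt `mERr`, and shows why the literal `cisco` after `enable secret 5` is not a well-formed hash. The function names and the format regex are assumptions made for illustration.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Well-formed type 5 value: $1$ + salt (up to 8 chars) + $ + 22-char digest
TYPE5_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")

def _to64(value, count):
    """Emit `count` characters, 6 bits each, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5crypt(password, salt):
    """MD5-crypt, the format that appears after 'enable secret 5'."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + s)
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    bits = len(pw)
    while bits:  # one byte per bit of the password length
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(s)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f"$1${s.decode()}${out}"

def check_enable_secret(candidate, stored):
    """Compare a typed password against a stored type 5 value."""
    m = TYPE5_RE.match(stored)
    if not m:  # e.g. the literal string 'cisco' is not a hash at all
        return False
    return hmac.compare_digest(md5crypt(candidate, m.group(1)), stored)
```
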
  • TWX Member Posts: 275
    The way they teach the use of enable password versus enable secret is a bit confusing.

    enable password is a legacy command. Back in the day, it was the only command that Cisco supported for setting a password to go from user-exec mode (ie, user-level access) to privileged-exec mode (ie, administrator-level access). It was originally plain-text only. Later, they added a feature to switches that obfuscates the password, but only to casual view, as the algorithm used by the command that does this (service password-encryption) is weak and can be reversed through as little complexity as a Perl script.

    The better command, in lieu of enable password, is enable secret. This stores the password in a much more secure (theoretically) way that cannot be easily reversed. If someone gets ahold of your config file with enable secret and service password-encryption they can figure out your passwords. If they get ahold of your config file with enable secret they're not going to be able to readily reverse-engineer your credentials.

    enable password is still present because of legacy installations, and because companies are hesitant to remove commands even when they've been superseded. There is no reason to use enable password anymore unless the site or installation has some obscure need for it.

    That said, there is a vulnerability in enable secret in some versions of IOS 15; Cisco attempted to go beyond the MD5 algorithm that they had used in IOS 12 to a SHA algorithm, but they screwed up and it was easier to brute-force the SHA passwords than the MD5 passwords. They've since migrated back to MD5. Even the broken SHA implementation of enable secret is more secure than enable password though.

    Learn enable password because they put it on the curriculum, but understand that it's not somewhere you want to go, kind of like how they want you to learn using telnet to connect from device to device, when in reality this is a horrible idea and you should use ssh exclusively, and disable telnet.