Service Password Encryption
geezer
Member Posts: 136
in CCNA & CCENT
Hi
Anyone managed to get the "no service password encryption" command to take off the encryption from passwords? If so what is required as it will enable ok but shows passwords as encrypted when trying to remove the encryption.
Thanks
I used to be undecided but now I'm not so sure.
There are only 10 types of people in the world: Those who understand binary, and those who don't!
Comments
-
LOkrasa Member Posts: 343
This is only used to encrypt the enable passwords and it does not affect the enable secret password. The secret password is encrypted already and the enable password will now be encrypted instead of plain text in the config.
Hope that helps.
-
dtlokee Member Posts: 2,378
Once the passwords are encrypted, they stay encrypted. It is very weak encryption and can be broken using many different tools. If you need to recover the PW just hunt on Google for one.
The only easy day was yesterday!
-
Netstudent Member Posts: 1,693
dtlokee wrote:
Once the passwords are encrypted, they stay encrypted. It is very weak encryption and can be broken using many different tools. If you need to recover the PW just hunt on Google for one.
Lokee,
I thought you said you were giving up on hacking the world.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
jediknight Member Posts: 113
Are you using a SIM?
Are you in Global Config mode and typing "no password service-encryption"?
-
Rearden Member Posts: 222
I think it's rather dumb that the other passwords don't use MD5 or SHA or something real!
We've switched to TACACS+ here, though. I'd never use it in my lab, but it's great for production environments. Anyone that works in a production environment where there are multiple people that have to do work should check it out.
More systems have been wiped out by admins than any cracker could do in a lifetime.
-
RTmarc Member Posts: 1,082
Running no password service-encryption does not decrypt the password. It will only stop any future passwords from being encrypted.
-
datchcha Member Posts: 265
LOkrasa wrote:
This is only used to encrypt the enable passwords and it does not affect the enable secret password. The secret password is encrypted already and the enable password will now be encrypted instead of plain text in the config.
Hope that helps.
LOkrasa
Congrats on the CCNA
Arrakis
-
LOkrasa Member Posts: 343
datchcha wrote:
LOkrasa wrote:
This is only used to encrypt the enable passwords and it does not affect the enable secret password. The secret password is encrypted already and the enable password will now be encrypted instead of plain text in the config.
Hope that helps.
LOkrasa
Congrats on the CCNA
Thanks!!!
-
APA Member Posts: 959
Rearden wrote:
I think it's rather dumb that the other passwords don't use MD5 or SHA or something real!
We've switched to TACACS+ here, though. I'd never use it in my lab, but it's great for production environments. Anyone that works in a production environment where there are multiple people that have to do work should check it out.
I'll second using TACACS+ in a production environment... My only problem is that we have configured the AAA to fall back to local logins should the ACS be down... Only thing is it fails to fail over to local logins... so if the ACS is down we can't log in to our devices... Only happens once in a blue moon but it's so annoying!
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
-
geezer Member Posts: 136
Thanks for the replies - seemed to have opened a bit of a debate! I see that it is level 7 encryption unlike level 5 for the "enable secret".
Anyway, I accept that "no service password-encryption" doesn't remove the encryption but wish the Lammle book said that, as it is misleading from what I understand he is saying - esp. given that most commands to be reversed have the "no" option in front.
I used to be undecided but now I'm not so sure.
There are only 10 types of people in the world: Those who understand binary, and those who don't!
-
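An added example, not written by anyone in this thread: a small Python audit that reports which credential lines in a saved running-config are still cleartext or type 7 rather than type 5, which is what remains after "no service password-encryption" as described above. The sample config, its secret values and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config; every secret value is a placeholder.
# Encryption was turned off later, so old type 7 lines remain and new ones are cleartext.
SAMPLE_CONFIG = """\
no service password-encryption
!
enable secret 5 $1$abcd$PLACEHOLDERPLACEHOLDER00
enable password 7 0011223344556677
username admin password 0 PlaceholderCleartext
username ops privilege 15 secret 5 $1$efgh$PLACEHOLDERPLACEHOLDER00
line vty 0 4
 password 7 0011223344556677
 login
"""

# Optional "enable" / "username X [privilege N]" prefix, then the keyword,
# an optional single-digit type, and the stored value (never captured).
CRED_RE = re.compile(
    r"^\s*(?:enable\s+|username\s+\S+\s+(?:privilege\s+\d+\s+)?)?"
    r"(password|secret)\s+(?:(\d)\s+)?\S+\s*$"
)

# How each stored type is treated in a review; other types are reported as "unknown".
RATING = {"0": "cleartext", "7": "reversible", "5": "hashed"}


def service_encryption_enabled(config):
    """True if the global 'service password-encryption' line is present."""
    return re.search(r"^service password-encryption\s*$", config, re.M) is not None


def audit(config):
    """Return (line_no, keyword, type, rating) for each credential line.

    The stored value itself is never returned, so the report is safe to share.
    """
    findings = []
    for line_no, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.match(line)
        if m:
            keyword, ptype = m.group(1), m.group(2) or "0"  # no digit: cleartext
            findings.append((line_no, keyword, ptype, RATING.get(ptype, "unknown")))
    return findings


def needs_review(config):
    """Line numbers whose credential is cleartext, type 7, or an unrecognised type."""
    return [n for n, _, _, rating in audit(config) if rating != "hashed"]


if __name__ == "__main__":
    print(service_encryption_enabled(SAMPLE_CONFIG), audit(SAMPLE_CONFIG))
```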
mwgood Member Posts: 293
geezer wrote:
Thanks for the replies - seemed to have opened a bit of a debate! I see that it is level 7 encryption unlike level 5 for the "enable secret".
Anyway, I accept that "no service password-encryption" doesn't remove the encryption but wish the Lammle book said that, as it is misleading from what I understand he is saying - esp. given that most commands to be reversed have the "no" option in front.
If you want to crack the "7" level encryption quickly, as dtlokee said, there are free tools to do that.
Here's one - http://www.oxid.it/cain.html
-
RTmarc Member Posts: 1,082
mwgood wrote:
geezer wrote:
Thanks for the replies - seemed to have opened a bit of a debate! I see that it is level 7 encryption unlike level 5 for the "enable secret".
Anyway, I accept that "no service password-encryption" doesn't remove the encryption but wish the Lammle book said that, as it is misleading from what I understand he is saying - esp. given that most commands to be reversed have the "no" option in front.
If you want to crack the "7" level encryption quickly, as dtlokee said, there are free tools to do that.
Here's one - http://www.oxid.it/cain.html
-
bohra_ajay Member Posts: 21
I need help regarding this command. I'm using Boson Simulator to practice.
Service Password Encryption doesn't work on it. Any hints? I'm using the right mode to give the command there.
-
Netstudent Member Posts: 1,693
Are you using the right syntax? service password-encryption in global config mode
Also, this is a simulation. I doubt encryption would be programmed into Boson.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
bohra_ajay Member Posts: 21
Yup! I'm using the right syntax,
but maybe you're right that it is not supporting the encryption, but it does encrypt the "Enable Secret Password".
-
Netstudent Member Posts: 1,693
Hmmm.. I think I remember something like this coming up several months ago. Maybe service password-enc is just a little too intelligent for Boson.
But they could have at least programmed a random string of alphanumeric characters just for that command. Not really doing any encryption but at least simulate it, ya know. But hey, I'm not a developer for Boson. Thank god.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
gabrielbtoledo Member Posts: 217
I use Routersim Network Visualizer 4.0 and works just fine. You can even see the "enable password password" encrypted.
Router(config)#service password-encryption
Router(config)#exit
Router#show run
Building configuration...
Current configuration : 625 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
!
enable password $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
ip subnet-zero
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface FastEthernet0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
!
ip classless
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end
Router#
A+ Certified - Network+ - MCP (70-290)
MCSA - CCNA - Security+ (soon)
-
bohra_ajay Member Posts: 21
That's a really good one. Today I checked the commands supported and service password-encryption is not on the list in the version I have; maybe they have got it in their latest release.
Thanks guys