Service Password Encryption

Hi

Anyone managed to get the "no service password encryption" command to take off the encryption from passwords? If so what is required as it will enable ok but shows passwords as encrypted when trying to remove the encryption.

Thanks

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

LOkrasa

This is only used to encrypt the enable passwords and it does not affect the enable secret password. The secret password is encrypted already and the enable password will now be encrypted instead of plain text in the config.

Hope that helps.

dtlokee

once the passwords are encrypted, they stay encrypted. It is ver weak encryption and can be broken using many different tools. If you need to recover the PW just hunt on google for one.

Netstudent

dtlokee wrote:

once the passwords are encrypted, they stay encrypted. It is ver weak encryption and can be broken using many different tools. If you need to recover the PW just hunt on google for one.

Lokee,

I thought you said you were giving up on hacking the world.

jediknight

Are you using a SIM?

Are you in Global Config mode and typing "no password service-encryption"?

Rearden

I think it's rather dumb that the other passwords don't use MD5 or SHA or something real!

We've switched to tacacs+ here, though. I'd never use it in my lab, but it's great for production environments. Anyone that works in a production environment where there are multiple people that have to do work should check it out.

RTmarc

Running no password service-encryption does not decrypt the password. It will only stop any future passwords from being encrypted.

datchcha

LOkrasa wrote:

This is only used to encrypt the enable passwords and it does not affect the enable secret password. The secret password is encrypted already and the enable password will now be encrypted instead of plain text in the config.

Hope that helps.

LOkrasa

congrads on the CCNA

LOkrasa

datchcha wrote:

LOkrasa wrote:

This is only used to encrypt the enable passwords and it does not affect the enable secret password. The secret password is encrypted already and the enable password will now be encrypted instead of plain text in the config.

Hope that helps.

LOkrasa

congrads on the CCNA

Thanks!!!

APA

Rearden wrote:

I think it's rather dumb that the other passwords don't use MD5 or SHA or something real!

We've switched to tacacs+ here, though. I'd never use it in my lab, but it's great for production environments. Anyone that works in a production environment where there are multiple people that have to do work should check it out.

I'll second using tacacs+ in a production environment.... My only problem is that we have configured the AAA to fallback to local logins should the ACS be down......... Only thing is it fails to failover to local logins..... so if the ACS down we can't login to our devices.....

Only happens once in a blue moon but it's so annoying!!!!

geezer

Thanks for the replies - seemed to have opened a bit of a debate

! I see that it is level 7 encryption unlike level 5 for the "enable secret"

Anyway, I accept that "no service password-encryption" doesn't remove the encryption but wish the Lammle book said that as misleading from what I understand he is saying - esp given that most commands to be reversed have the "no" option in front.

mwgood

geezer wrote:

Thanks for the replies - seemed to have opened a bit of a debate ! I see that it is level 7 encryption unlike level 5 for the "enable secret"

Anyway, I accept that "no service password-encryption" doesn't remove the encryption but wish the Lammle book said that as misleading from what I understand he is saying - esp given that most commands to be reversed have the "no" option in front.

If you want to crack the "7" level encryption quickly, as dtlokee said, there are free tools to do that.

Here's one - http://www.oxid.it/cain.html

RTmarc

mwgood wrote:

geezer wrote:

Thanks for the replies - seemed to have opened a bit of a debate ! I see that it is level 7 encryption unlike level 5 for the "enable secret"

Anyway, I accept that "no service password-encryption" doesn't remove the encryption but wish the Lammle book said that as misleading from what I understand he is saying - esp given that most commands to be reversed have the "no" option in front.

If you want to crack the "7" level encryption quickly, as dtlokee said, there are free tools to do that.

Here's one - http://www.oxid.it/cain.html

Seriously, it takes less than 1 second to crack the level 7 passwords using Cain's cracking utility.

bohra_ajay

i need help regarding this command, i m using Boson Simulator to practice.

Service Password Encryption doesn't work on it any hints? i m using the right mode to give the command there.

Netstudent

are you using the right syntax? service password-encryption in global config mode

Also, this is a simulation. I doubt encryption would be programmed into Boson.

bohra_ajay

yup! i m using the right syntax,

but may be ur true that it is not supporting the encryption but, it does encrypts the "Enable Secret Password"

Netstudent

hmmm.. I think i remember something like this coming up several months ago. Maybe service password-enc is just a little to intelligent for Boson.

But they could have at least programmed a random string of alphanumeric characters just for that command. Not really doing any encryption but at least simulate it ya know. But hey i'm not a developer for boson. Thank god

gabrielbtoledo

I use Routersim Network Visualizer 4.0 and works just fine. You can even see the "enable password password" encrypted.

Router(config)#service password-encryption
Router(config)#exit
Router#show run

Building configuration...
Current configuration : 625 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
!
enable password $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
ip subnet-zero
!
!
!
!
!
interface FastEthernet0/0
  no ip address
  no ip directed-broadcast
  shutdown
!
interface Serial0/0
  no ip address
  no ip directed-broadcast
  shutdown
!
interface FastEthernet0/1
  no ip address
  no ip directed-broadcast
  shutdown
!
interface Serial0/1
  no ip address
  no ip directed-broadcast
  shutdown
!
!
ip classless
!
!
!
line con 0
line aux 0
line vty 0 4
  login
!
end

Router#

bohra_ajay

thats really good one 2day i checked the commands supported n service password-encryption is not on the list in the version i have, may be they have got in their latest release.

thanx guys