You think your ISP is dumb?

Long story short, I was working with my ISP (I won't name them, but heres a hint. They are the largest ISP in Canada...), and asked about the QoS config on a new router they installed at one of our branches. So what does the guy send me?

The entire 'show run' of the router, WITHOUT service-password encryption on...

Thats right, in clear text, the VTY, Console, SNMP, etc, passwords, that I assume are probably generic across all routers (based on the comments on the config). All their ACLs, ntp servers, syslog servers, all their MPLS traffic engineering that basically lays out their entire network for me. Honestly I could a LOT of damage with this info, and I am shocked that they just handed it over to me because the engineer didn't know better.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

stlsmoore

haha NICCCE

Bl8ckr0uter

GT-Rob wrote: »

Long story short, I was working with my ISP (I won't name them, but heres a hint. They are the largest ISP in Canada...), and asked about the QoS config on a new router they installed at one of our branches. So what does the guy send me?

The entire 'show run' of the router, WITHOUT service-password encryption on...

Thats right, in clear text, the VTY, Console, SNMP, etc, passwords, that I assume are probably generic across all routers (based on the comments on the config). All their ACLs, ntp servers, syslog servers, all their MPLS traffic engineering that basically lays out their entire network for me. Honestly I could a LOT of damage with this info, and I am shocked that they just handed it over to me because the engineer didn't know better.

Even with the service password encryption on you can go to some websites and break that pretty easily. This is all sorts of fail.

CSCOnoob

knwminus wrote: »

Even with the service password encryption on you can go to some websites and break that pretty easily.

True. Since MD5 has been cracked, there are a lot of websites that can convert it to clear text.

Bl8ckr0uter

CSCOnoob wrote: »

True. Since MD5 has been cracked, there are a lot of websites that can convert it to clear text.

The service-password encryption doesn't use MD5 it used some weak encryption. The secret password uses MD5.

Edit: Although I did find some different MD5 crackers....

CSCOnoob

knwminus wrote: »

The service-password encryption doesn't use MD5 it used some weak encryption. The secret password uses MD5.

Edit: Although I did find some different MD5 crackers....

Yes, it does not. I am just saying that MD5 has been cracked so the whole config that uses it will be vulnerable. Routing protocols and HSRP authentication are MD5 right?

Forsaken_GA

you can't crack a type 5 directly, it's just a hash, and IOS does use salted hashes. Only way to crack it is good old brute force dictionary attacks. Generate a strong password and try to actually crack it's MD5 hash, it'll probably take you longer than it's worth. Or have time to live.

As far as the ISP in question, yes, they're freaking morons.

CSCOnoob

Yes, you are right. You can't crack the MD5 directly. You can, however, can crack with two tools, IIRC. I haven't done it myself but there was one website that can convert the hash and then you need to go to use another website or a DOS program to convert it to clear text.

Forsaken_GA

hashes are one way, you can't convert them directly back into the same text. Dictionary or brute force attacks are basically hashing different combinations and comparing them to the hash you do have until you get a match. This is one reason why security folks hate people that use simple dictionary based passwords.

MD5 is vulnerable to collisions, however, where two different items can result in the same hash, and this is where the real weakness comes in.

veritas_libertas

GT-Rob wrote: »

The entire 'show run' of the router, WITHOUT service-password encryption on...

That is just shocking...

tiersten

CSCOnoob wrote: »

Yes, you are right. You can't crack the MD5 directly. You can, however, can crack with two tools, IIRC. I haven't done it myself but there was one website that can convert the hash and then you need to go to use another website or a DOS program to convert it to clear text.

The passwords are "cracked" by people generating massive tables that contains a list of likely passwords and then just looking up what plaintexts gives that hash as a result. It is a space-time tradeoff and can be done with any hashing algorithm if you have sufficient space and computational resources to generate it. Not all the available tables have every combination possible of characters and length of password so it isn't 100% guaranteed that you'll be able to recover the password from the hash if the user used some unusual characters.

The actual breaking of MD5 is that people have worked out how to generate collisions so two different plaintexts will result in the same hash value. It should be equivalent to a brute force operation to generate a collision in your hashing algorithm intentionally but in the case of MD5 it is possible to do so with a reasonable amount of effort. The two plaintexts have to be carefully chosen and crafted so give you this result. For passwords, the massive rainbow table is the better choice since the table is reusable.

If the authentication system you're trying to reverse the hashes for has a salting system that wasn't taken into account of by the people generated your table then the table is useless and won't give you a result.

Cryptologists deem an algorithm broken if you can reduce the amount of work required to break it using bruteforce by only a couple magnitudes. For some algorithms, that still means you'd be spending years doing it using large clusters. They deem it to be broken because they know that computional resources are getting faster over time and will only make it quicker to break.