Options
Enable Password / Secret
satishtech
Member Posts: 243
in CCNA & CCENT
What will the following commands do ?
1.enable secret LINE
2.enable secret 0
3.enable secret 5
4.enable password 7
5.enable password LINE
when I use enable secret 0 cisco (on PT)
sh ru = enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
and
when I use enable secret 5 cisco (on PT)
sh ru = enable secret 5 cisco
shouldn't it be the other way round ?
1.enable secret LINE
2.enable secret 0
3.enable secret 5
4.enable password 7
5.enable password LINE
when I use enable secret 0 cisco (on PT)
sh ru = enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
and
when I use enable secret 5 cisco (on PT)
sh ru = enable secret 5 cisco
shouldn't it be the other way round ?
Comments
-
OptionsOctalDump
Member Posts: 1,722
Have you tried them? Or tried enable secret ? or enable password ??
Otherwise, this might help:
Cisco IOS Security Command Reference: Commands D to L - E [Support] - Cisco
Cisco IOS Security Command Reference: Commands D to L - E [Support] - Cisco
I'll give you a hint: although enable secret and enable password can take multiple parameters, you only have 1 parameter in those examples. So you are looking for the effect where only one parameter is given.2017 Goals - Something Cisco, Something Linux, Agile PM -
Options
EdTheLad
Member Posts: 2,111 ■■■■□□□□□□
"enable secret 0 cisco" means the password that follows 0 is unencrypted i.e. the password is "cisco"
If you do a show runn, you will see the encrypted version of the password i.e. $jhjhukyky
"enable secret 5 cisco" means the password that fallows 5 is encrypted i.e. to find the password the system will unencrypt "cisco" to "hggkhkjhkhkjhkh"
To login as enable, you will need to enter password "hggkhkjhkhkjhkh"
Both will show in the config in encrypted format, the reason for this is so you can copy and paste a config with encrypted keys, with 0 or 7 option you are telling the router if the password is plain text or has already been encrypted.Networking, sometimes i love it, mostly i hate it.Its all about the $$$$ -
Options
Simrid
Member Posts: 327
The new CCNA security exam topics can be found here:
https://learningnetwork.cisco.com/community/certifications/security_ccna/iins-v3/exam-topicsNetwork Engineer | London, UK | Currently working on: CCIE Routing & Switching
sriddle.co.uk
uk.linkedin.com/in/simonriddle -
Optionssatishtech
Member Posts: 243
are the questions I asked related to ccna security and not ccent icnd1
-
OptionsOctalDump
Member Posts: 1,722
No. This is correct behaviour.
When you use the command
enable secret 0 cisco
you are saying what I am giving after the 0 is not encrypted. Then when you do a show run, the password is encrypted (because you used "secret" which has the effect of storing the MD5 hash of the password and not the password). The "5" when you do a show running-config indicates that what follows in encrypted (or rather hashed) using MD5.
when you use the command
enable secret 5 cisco
you are saying what I am giving you after the 5 is the hash of the password. Then when you do a show run, the hashed password is shown. The problem is that the actual enable secret (what you need to give to enter privileged mode) is not cisco, it is whatever encrypts to give you the output cisco. I suspect that this will not actually work, since MD5 hashes need to be a certain length, and normally start with $1. Possibly it will be interpreted as being padded by NULLs.
Why use enable secret 5 at all? Well, if you need to copy a config across, then you can easily do this and not need to reveal the actual password. It enables you to effectively keep the password (reasonably) secret.2017 Goals - Something Cisco, Something Linux, Agile PM -
Options
TWX
Member Posts: 275 ■■■□□□□□□□
The way they teach the use of enable password versus enable secret is a bit confusing.
enable password is a legacy command. Back in the day, it was the only command that Cisco supported for setting a password to go from user-exec mode (ie, user-level access) to privileged-exec mode (ie, administrator-level access). It was originally plain-text only. Later, they added a feature to switches that obfuscates the password, but only to casual view, as the algorithm used by the command that does this (service password-encryption) is weak and can be reversed though as little complexity as a Perl script.
The better command, in lieu of enable password, is enable secret. This stores the password in a much more secure (theoretically) way that cannot be easily reversed. If someone gets ahold of your config file with enable secret and service password-encryption they can figure out your passwords. If they get ahold of your config file with enable secret they're not going to be able to readily reverse-engineer your credentials.
enable password is still present because of legacy installations, and because companies are hesitant to remove commands even when they've been superseded. There is no reason to use enable password anymore unless the site or installation has some obscure need for it.
That said, there is a vulnerability in enable secret in some versions of IOS 15; Cisco attempted to go beyond the MD5 algorithm that they had used in IOS 12 to a SHA algorithm, but they screwed up and it was easier to brute-force the SHA passwords than the MD5 passwords. They've since migrated back to MD5. Even the broken SHA implementation of enable secret is more secure than enable password though.
Learn enable password because they put it on the curriculum, but understand that it's not somewhere you want to go, kind of like how they want you to learn using telnet to connect from device to device, when in reality this is a horrible idea and you should use ssh exclusively, and disable telnet.
