
Password setup commands


leegold2
Technical User
Oct 10, 2004
Hi,

Very basic question. What's the difference between the following:

Set a console password
vs.
Set a telnet password
vs.
Set the enable password
vs.
Set the enable secret password

You could explain or link me to an explanation - either way I appreciate it.

Lee G.
 
Lee,

Cisco has many different passwords so that different things and people can do different tasks; it also adds "layers" of security.

Set a console password - this sets a password so if anyone connects to the console port on the router they are asked for a password

line con 0
password xxxxxx
login

Set an AUX password - this sets a password so if anyone connects to the AUX port on the router they are asked for a password

line aux 0
password xxxxxx
login

Set a telnet password - this sets a password so if anyone telnets to the router they are asked for a password

line vty 0 4
password xxxxxx
login

Set the enable password - this sets the enable password for getting into privileged mode. It tends to be for legacy purposes; if you have an "enable secret" password it will supersede the "enable password".

enable password xxxxxx

Set the enable secret password - this sets the password for getting into privileged mode, which is an "administrative" mode where things can be CHANGED on the router. Without privileged mode a tech can look at lots of stuff on the router for troubleshooting but cannot change things, so your "tech" may have the console and AUX password but not the enable secret password.

enable secret 5 $1$WBOH$6iZOu4CqmpyVyN67BTGiw1
(above hash was "hashed" so it is not one of the passwords on my router :))

Hope this helps!


E.A. Broda
CCNA, CCDA, CCAI, Network +
 
Console password is the password you must enter when you console in. Telnet password is the password the router prompts for when you telnet in. More specifically, and more accurately, it is the vty password, because it is also used for ssh. Enable password is MD7 encryption, or "level 7" passwords---they are insecure because they are easily cracked...see this link...


Enable secret is an MD5 encrypted password, which is one-way, so therefore NOT crackable. Enable and enable secret are the passwords that the router prompts for when you enter privileged exec mode, like so...

router>en
router#

The enable secret password takes precedence over the enable password.

There is also a regular username/password combo, called the local password...many can be configured with different privilege levels, like so...

username user priv 15 password bla
or
username user priv 15 secret bla

the secret being the uncrackable encrypted password. The priv levels go from 0 to 15, 15 being the most privileged and 0 having only show access. I believe the privilege levels only work when AAA is configured, which is another topic altogether.

HTH

Burt
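To make the "level 7" point above concrete, here is an added example (not code from this thread or from Cisco) that reverses a type 7 string and shows why it is only obfuscation: every IOS device uses the same fixed XOR key stream, and the first two digits of the string are simply the starting offset into it. The 40-byte key is the well-known constant used by public decoders; the 13-byte tail after position 40 and the `harvest_type7` helper, the sample config and the regex are assumptions for the demo.

```python
"""Cisco IOS 'password 7' reversal: an added example, not the thread's code.

Type 7 is a fixed-key XOR (Vigenere-style), not a hash.  The key bytes
below are the constant used by public decoders; the tail after byte 40
(9873254k;fg87) is the commonly published extension, assumed here so
that long passwords never index past the end of the table.
"""
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover plaintext from the hex blob after 'password 7'.

    Layout: two decimal digits = starting offset into XLAT, then one hex
    byte pair per character, each XORed with the next key byte.
    """
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(body))


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Produce the same kind of string IOS writes (IOS picks seed 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plaintext.encode("ascii")):
        out.append(f"{ch ^ XLAT[(seed + i) % len(XLAT)]:02X}")
    return "".join(out)


# Lines such as 'password 7 <hex>' or 'key 7 <hex>' in a running-config.
_TYPE7_LINE = re.compile(r"^\s*(?:password|key)\s+7\s+([0-9A-Fa-f]+)\s*$", re.M)


def harvest_type7(config_text: str):
    """Return [(hex_blob, plaintext), ...] for every type 7 line in a config dump."""
    return [(m.group(1), type7_decode(m.group(1))) for m in _TYPE7_LINE.finditer(config_text)]


# Constructed sample config for the demo; both blobs decode to "cisco".
SAMPLE_CONFIG = """\
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for blob, clear in harvest_type7(SAMPLE_CONFIG):
        print(f"{blob} -> {clear}")
    print(type7_encode("cisco", seed=8))
```

The offset prefix is why the same password shows up as different hex on different devices (or after re-entry); nothing about it is secret. Treat any `password 7` in a config backup, a TFTP server, or a ticket attachment as plaintext. This is the reason the thread steers you to `enable secret` and `username ... secret` instead of `password`.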
 
Thanks. All this is something I took for granted - how the internet works...

I'm at the point where I think I need to actually see the hardware and cables, get some connectivity, and try some commands. So I'm going to get some used gear.
 
"Enable secret is an MD5 encrypted password, which is one-way, so therefore NOT crackable."

I'm not even going to touch that. :)
 

Bill,

PLEASE share what you know!!

I know Burt has a better than average understanding of security than most, but others reading may not and MIGHT just take something for granted!!

I love this site because the REAL WORLD experience that WE ALL bring to the table :)

E.A. Broda
CCNA, CCDA, CCAI, Network +
 
In order to do this, I'll need to write a short white paper explaining the algorithms and the attacks. It'll be a little longer so that it can be understood by someone with a less-than-casual understanding of security and cryptography. It'll also propose a possible solution.

This will take a little time, might be ready tonight or tomorrow.

Bill
 
Bill,

No rush - always a good idea to share your vast background with us. You will find what you are strong in we are not and vice versa :)

I love the inside look at things - hearing how it is from those in the trenches!!!

Thanks!!

E.A. Broda
CCNA, CCDA, CCAI, Network +
 

I wouldn't exactly call it vast, but I have some understanding of crypto and how it's applied and misapplied in the real world.
 
I never said MD5 was not vulnerable to attacks...but is it crackable? An MD5 hash?

Burt
 
You're right, it's not reversible. But passwords stored as hashes are vulnerable to dictionary and brute force attacks. IMO, they are not secured except from casual observation, not serious attacks.
 
I have kids, remember? I might have time to read that when they graduate highschool...lol

Burt
 
LoL! At that point you will probably have emails from me regarding 3DES, AES, RC2 through 6, IDEA, SEAL and pretty much everything currently in use! LoL

Just kidding.. DES has been out there for 36 years now!

B Haines
CCNA R&S, ETA FOI
 
"I have kids, remember? I might have time to read that when they graduate highschool...lol"

No. It only gets worse with age. And just because they graduate from high school or even college doesn't mean an end to their constant distracting activities. But I wouldn't trade them.
 
Bill and the Gang,
You said that MD5 is susceptible to brute force and dictionary attacks. I just wanted to mention the various collision based attacks like the link above.. Most of the crypto articles that I have read list these as the real threat since they exploit a vulnerability in the hashing algorithm.

Where a brute force attack may not be feasible without extensive resources and a dictionary could be thwarted with salting (correct?), that would leave the collision based methods that often target passwords by trying to create a collision. Am I on the right track here?

B Haines
CCNA R&S, ETA FOI
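Bill's point that a one-way hash is still open to dictionary and brute force attacks, and the question just above about whether salting thwarts a dictionary, can both be shown with an added example (not code from this thread or from Cisco). `enable secret 5` is the `$1$salt$hash` md5crypt scheme: MD5 iterated 1000 times with an 8-character salt. The implementation below follows the published algorithm; the wordlist and the candidate hashes are constructed for the demo, and the `parse_type5` and `dictionary_attack` helpers are mine.

```python
"""md5crypt ($1$, Cisco 'enable secret 5') plus a dictionary attack.

Added example, not the thread's code.  The algorithm is the standard
md5crypt: up to 8 salt characters, a mixing stage, then 1000 MD5 rounds.
The wordlist is constructed for the demo.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """md5crypt's own base-64: six bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """Return the '$1$salt$hash' string for password and salt (salt cut to 8)."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                      # mix in the alternate digest, 16 bytes per 16 of password
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(password)
    while n:                          # one byte per bit of the length
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # the stretching loop that makes each guess cost 1000 MD5s
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out.append(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4))
    out.append(_to64(final[11], 2))
    return (magic + salt).decode() + "$" + "".join(out)


def parse_type5(secret: str) -> bytes:
    """Validate '$1$salt$hash' and return the salt; raises on any other format."""
    parts = secret.split("$")
    if len(parts) != 4 or parts[0] or parts[1] != "1":
        raise ValueError("not an md5crypt ($1$) hash")
    if not 1 <= len(parts[2]) <= 8 or len(parts[3]) != 22:
        raise ValueError("bad salt or hash length")
    return parts[2].encode()


def dictionary_attack(secret: str, wordlist):
    """Hash each candidate with the target's own salt; return the first match or None."""
    salt = parse_type5(secret)
    for word in wordlist:
        if md5crypt(word.encode(), salt) == secret:
            return word
    return None


# Constructed demo data: a known md5crypt test vector and a small wordlist.
TARGET = "$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1"     # md5crypt("Hello world!", "saltstring")
WORDLIST = ["cisco", "password", "letmein", "Hello world!", "admin"]

if __name__ == "__main__":
    print("match:", dictionary_attack(TARGET, WORDLIST))
    # Same password, two salts: two unrelated hashes, so a table precomputed
    # for one salt says nothing about the other.
    print(md5crypt(b"cisco", b"aaaaaaaa"))
    print(md5crypt(b"cisco", b"bbbbbbbb"))
```

What the run shows: a weak secret falls to a wordlist in a handful of guesses even though MD5 is never "reversed"; the attacker just re-hashes candidates with the salt that is sitting in the clear in the config. The salt only defeats precomputation (one rainbow table for all routers); it does nothing against an attacker who targets one hash with a dictionary. The 1000 rounds slow that attacker down, but only by a constant factor, so the practical defence is a long, non-dictionary secret and keeping configs out of reach.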
 

IIRC, and it's been a LONG time since I really looked hard, collision attacks use plaintext/ciphertext comparison targets. That means that the attacker needs to know what data went into creating a given hash to figure out what data can be substituted to yield the same value. So the password and its hash would be needed to figure out what (or even if) a collision could be generated. Certificates are easy targets since the data is in the clear. Passwords are harder since their cleartext value is protected.

BTW, the attack on certificates is to substitute a different public key and then change the rest of the certificate data (at least the data used to generate the hash and/or tweak the indicators showing what data was used in generating the hash) to match the hash contained in the valid certificate. That way, the digital signatures stay the same.

Dictionary attacks may provide a hash that is the same as that of the password even though that hash is generated from different data.

A real risk for spoofing MD5-based certificates that is not mentioned in any of the literature I've seen is associated with a technique that uses SSL as a secure access control tool. That explanation will require another paper, probably under the heading of "Private Certification Authorities" or something like that. That's for later today.

 
Hashing is considered a one-way process that cannot (theoretically) be reversed. Think of a common chemical reaction such as baking a cake. I can't take the final cake and easily return the cake to its original ingredients; however, someone with identical ingredients, processes, and equipment can recreate an identical cake for comparison. Encryption is a two-way process to hide and unhide something. Think of trail mix. I can mix all the ingredients together and someone with the understanding of my mixtures can restore the original ingredients.

First rule of security is NOTHING IS TOTALLY SECURE!!!

For cracking hashes, I carry a command line utility called tomas that uses brute force dictionary attacks to "break" hashes. Works on Cisco routers and switches and firewalls up to 7.x code or above. There are others.

I use it for demo purposes and penetration testing (with permission!!!!) when I consult.
 
Has anyone done anything with Rainbow Tables? I think the concept is pretty cool, but have not had the time to really do anything with it.
 
OOPS! I said,
"For cracking hashes, I carry a command line utility called tomas that uses brute force dictionary attacks to "break" hashes. Works on Cisco routers and switches and firewalls up to 7.x code or above."

Should be below 7.x code on PIX/ASA.
 