O’Reilly members endure live online training, to add books, videos, and also digital contents from 200+ publishers.

You are watching: Which command is used to manually encrypt passwords on a cisco router?


Passwords room the core of Cisco routers’ accessibility control methods. Chapter 3 addressed simple access control and using passwords locally and from accessibility control servers. This thing talks around how Cisco routers save passwords, how crucial it is the the passwords preferred are solid passwords, and also how come make sure that your routers usage the most secure approaches for storing and also handling passwords. It then discusses privilege levels and also how come implement them.


Cisco routers have three approaches of representing passwords in the construction file. Native weakest to strongest, they include clear text, Vigenere encryption, and also MD5 hash algorithm. Clear-text passwords are stood for in human-readable format. Both the Vigenere and also MD5 encryption approaches obscure passwords, however each has its own strengths and weaknesses.


The main difference between Vigenere and also MD5 is the Vigenere is reversible, if MD5 is not. Being reversible renders it much easier for an attacker to rest the encryption and also obtain the passwords. Gift unreversible method that an attacker have to use much slower brute force guessing attacks in an effort to acquire the passwords.

Ideally, all router passwords would use strong MD5 encryption, yet the means certain protocols, such together CHAP and PAP, work, routers must be able to decode the original password to do authentication. This need to decode particular passwords way that Cisco routers will continue to usage reversible encryption for some passwords—at least until together authentication protocols are rewritten or replaced.


Chapter 3 set passwords using line passwords, neighborhood username passwords, and the enable secret command. A show run offers the following:

enable mystery 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1enable password enable-password!username jdoe password 0 jdoe-passwordusername rsmith password 0 rsmith-password!line con 0 exec-timeout 5 0 password console-password login local transport input noneline aux 0 exec-timeout 5 0 password aux-password login tacacs move input noneline vty 0 4 exec-timeout 5 0 password vty-password login move input sshThe highlighted parts of the configuration space the passwords. An alert that every passwords, except the enable secret password, space in clear text. This clear message poses a far-ranging security risk. Everyone who have the right to view a copy that the construction file—whether v shoulder surfing or turn off a back-up server—can check out the router passwords. We need a way to make certain that all passwords in the router configuration record are encrypted.


The very first method of encryption that Cisco gives is v the command service password-encryption. This command obscures every clear-text passwords in the configuration utilizing a Vigenere cipher. You allow this feature from an international configuration mode.

Router#config terminalEnter configuration commands, one per line. Finish with CNTL/Z.Router(config)#service password-encryptionRouter(config)#^ZNow a show run command no longer display screens the password in humanly readable format.

when the service password-encryption command is beneficial and also should be allowed on all routers, remember the the command provides an conveniently reversible cipher. Some commercial programs and also freely easily accessible Perl script instantly decode any kind of passwords encrypted with this cipher. This way that the service password-encryption command protects only against casual viewers—someone looking over your shoulder—and not versus someone that obtains a copy the the configuration file and operation a decoder versus the encrypted passwords. Finally, service password-encryption does not defend all an enig values such as SNMP community strings and RADIUS or TACACS keys.


The enable, or privileged, password has second level that encryption that should always be used. The privileged-level password should always use the MD5 encryption scheme.

In early on IOS configurations, the privileged password was set with the enable password command and was represented in the configuration file in clear text:

enable password ena-passwordFor added security, Cisco added the service password-encryption command to obscure every clear-text passwords:

service password-encryptionenable password 7 02030A5A46160E325F59060B01 However, as defined earlier, this provides the weak Vigenere cipher. Because of the importance of the privileged-level password and also the reality that the doesn’t need to be reversible, Cisco added the enable secret command the uses solid MD5 encryption:

Router#config terminalEnter configuration commands, one every line. End with CNTL/Z.Router(config)#enable secret my-secret-passwordRouter(config)#^ZA show run now displays:

enable mystery 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1eThis kind of encryption cannot be reversed. The only method to strike it is though brute pressure methods.

You should always use the enable secret command instead of enable password. The enable password command is noted only because that backward compatibility. If both space set, because that example:

enable password 7 02030A5A46160E325F59060B01enable an enig 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1ethe enable secret password take away precedence and the enable password command is ignored.


Warning

Many organizations begin using the insecure enable password command, and then migrate to using the enable secret command. Often, however, they use the same passwords because that both the enable password and enable secret commands. Using the same passwords defeats the objective of the stronger encryption detailed by the enable secret command. Attackers have the right to simply decode the weak encryption indigenous the enable password command to gain the router’s password. To protect against this weakness, be sure to use various passwords because that each command—or far better yet, don’t use the enable password command in ~ all.


In enhancement to using encryption to store passwords from appearing in human-readable form, secure password security requires the use of strong passwords. There are two requirements for solid passwords. First, castle are complicated to guess: v or crack. Second, lock are simple to remember. If the password is based upon a word discovered in a dictionary—a name, a place, and also so on—the password is weak. If the password is a complete random string of letters and numbers, the password is strong, yet users end up creating the password down because they can’t remember it. To show how easy it is to cracked weak passwords, the following passwords to be encrypted v the solid MD5 encryption:


A brute force password-cracking regimen was used to see how long that would require to guess each password.

On a sunlight Ultra 5 with 512MB the RAM and also a 333MHz processor, the an initial password, hello, took less than 5 seconds come crack. This is the very same amount that time that would take to guess many words in the English language (or a word in any kind of other language, if the attacker included foreign language dictionaries). After four hours, the password cracker has guessed the following three passwords as well. Any kind of password based on a word—English or foreign—is fragile to brute pressure attacks.

The critical password look at random and was still no cracked as soon as the password cracker stopped running 3 days later. The problem is mental a password like this one. Watch the upcoming sidebar, Choosing and Remembering solid Passwords because that tips on choosing an proper password.


The best way to produce a password the is easy to psychic but daunting to crack is to usage pass phrases. Cisco routers support passwords of approximately 25 characters. So develop a sentence and use that instead of just a password. When you can’t usage a sentence, pick memorable, yet strong, six- come eight-character passwords.

When trial and error the sample passwords hello, Enter0, 9spot, 8twelve8, and also ilcic4l, the just password that wasn’t cracked to be ilcic4l. The difficulty is exactly how to mental a password like this. The secret is the this password watch random, yet it is not. To develop this password, an quickly remembered sentence to be created. In this case, the sentence was, “I like chocolate ice cream because that lunch.” climate the very first letter of every word was provided to create the base of the password: ilcicfl. Next, the number 4 was put in location of the word for. This gives ilcic4l—a password that is straightforward to remember, but an overwhelming to crack.

This method can be modified in any way you like. Take the second letter of every word rather of the first. Readjust every e come a 3, every a come an
, or every t come a +. Add numbers to the beginning or the end of the password—whatever you have the right to think of.

Finally, another an essential to creating solid passwords is using a different password on every system. That way, if someone guesses or steals one of your password, castle can’t usage that password to access every system you have an account on. Currently there is a problem of psychic a different password because that every device you access. There is a systems to this together well. You have the right to modify the preceding technique to aid you remember different passwords for every system. For example, take it the password supplied previously, ilcic4l, and also modify it for each mechanism that friend access. First come up v a formula. A basic one would certainly be to take it the very first letter that the mechanism name you space connecting to and replace the very first letter of the password with that letter. Then do the very same for the critical letter. If connecting to a system called Router1, the password because that that device would be Rlcic41. If connecting come Firewall-One, the password is Flcic4e. These simple examples create numerous solid passwords the are straightforward to remember but challenging to crack. Girlfriend can obtain as creative as you desire in coming up through sentences and also formulas. In fact, the more creative you get, the more powerful your passwords will certainly be.


except for the enable secret password, all passwords save on computer on Cisco routers room weakly encrypted. If someone were to obtain a copy of a router construction file, it would certainly take only a couple of seconds to run it with a regimen to decode all weakly encrypted passwords. The very first protection is to save the configuration files secured.

girlfriend should always have a backup of each router’s construction file. You have to probably have actually multiple backups. However, each of this backups must be kept in a for sure location. This means that they room not save on computer on a publicly server or on every network administrator’s desktop. Additionally, backups of all routers space usually preserved on the exact same system. If this system is insecure, and also an attacker can get access, he has actually hit the jackpot—the complete configuration the your whole network, all accessibility list setups, weak passwords, SNMP ar strings, and also so on. To prevent this problem, wherever back-up configuration papers are kept, that is best to save them encrypted. The way, also if an attacker gains accessibility to the back-up files, they space useless.

Encryption on an insecure system, however, gives a false feeling of security. If attackers deserve to break right into the insecure system, lock can set up a key logger and also capture every little thing that is typed on that system. This has the passwords come decrypt the construction files. In this case, one attacker just has to wait until the administrator species in the password, and also your encryption is compromised.

Another choice is come make sure your back-up configuration documents don’t contain any passwords. This needs that you eliminate the password native your back-up configurations manually or develop scripts that strip out this info automatically.


Warning

Administrators should be an extremely careful no to access routers from insecure or untrusted systems. Encryption or SSH walk no good if one attacker has compromised the device you’re functioning on and also can use a crucial logger come record everything you type.


Finally, stop storing her configuration records on her TFTP server. TFTP provides no authentication, so you have to move documents out that the TFTP download brochure as easily as possible to limit her exposure.


By default, Cisco routers have three levels of privilege—zero, user, and also privileged. Zero-level accessibility allows only 5 commands—logout, enable, disable, help, and also exit. User level (level 1) gives very minimal read-only access to the router, and also privileged level (level 15) provides complete control end the router. This all-or-nothing setting can job-related in tiny networks through one or 2 routers and also one administrator, yet larger networks require additional flexibility. To carry out this flexibility, Cisco routers can be configured to usage 16 various privilege level from 0 come 15.


Displaying your current privilege level is done with the show privilege command, and changing privilege levels can be done utilizing the enable and disable commands. Without any kind of arguments, enable will certainly attempt to adjust to level 15 and also disable will adjust to level 1. Both commands take a single argument that specifies the level you desire to readjust to. The enable command is used to gain more access by moving up levels:

Router>show privilegeCurrent privilege level is 1Router>enable 5Password: level-5-passwordRouter#show privilegeCurrent privilege level is 5Router#The disable command is supplied to offer up accessibility by moving down levels:

Router#show privilegeCurrent privilege level is 5Router#disable 2Router#show privilegeCurrent privilege level is 2Router#Notice the a password is compelled to gain an ext access; no password is required when lowering her level of access. The router requires reauthentication every time you effort to gain more privileges, but nothing is required to provide up privileges.


The bottom and least privileged level is level 0. This is the only other level as well as 1 and also 15 that is configured by default top top Cisco routers. This level has only five regulates that allow you to log out or effort to get in a higher level:

Router#disable 0Router>?Exec commands: disable rotate off privileged commands permit Turn on privileged commands exit departure from the EXEC help Description the the interactive help system logout leave from the EXECRouter>Next is level 1, the default user level. This level gives the user v many much more commands that permit the user to display router information, telnet to other systems, and also test network connectivity v ping and also traceroute. Level 2, which is not enabled by default, to add a few additional show and also clear commands, yet provides no opportunity for a user to reconfigure the router. Finally, level 15 allows full access to all router commands.


To use the enable command to access a privilege level, a password should be collection for the level. If you shot to get in a level v no password, you acquire the error article No password set. Setup privilege-level passwords can be done with the enable mystery level command. The adhering to example allows and set a password for privilege level 5:

Router#config terminalEnter configuration commands, one every line. End with CNTL/Z.Router(config)#enable mystery level 5 level5-passwordRouter(config)#^ZRouter#Now we can enter level 5 v the enable 5 command.


Warning

Just as default passwords can be collection with either the enable secret or the enable password command, passwords for various other privilege levels can be set with the enable password level or enable secret level commands. However, the enable password level command is listed for behind compatibility and should no be used.


lines (CON, AUX, VTY) default come level 1 privileges. This can be readjusted using the privilege level command under every line. To adjust the default privilege level of the AUX port, friend would type the following:

Router#config terminalEnter configuration commands, one every line. Finish with CNTL/Z.Router(config)#line aux 0Router(config-line)#privilege level 4Router(config-line)#^ZRouter#Or, to readjust the default privilege level of all VTY access to level 12:

Router#config terminalEnter construction commands, one per line. Finish with CNTL/Z.Router(config)#line vty 0 4Router(config-line)#privilege level 12Router(config-line)#^ZRouter#
Finally, a username deserve to have a privilege level linked with it. This is advantageous when girlfriend want certain users to default to greater privileges. The username privilege command is used to collection the privilege level because that a user:

Router#config terminalEnter construction commands, one every line. End with CNTL/Z.Router(config)#username jdoe privilege 5Router(config)#username rsmith privilege 12Router(config)#^ZRouter#
through default, all router commands fall under levels 1 or 15. Creating additional privilege level isn’t an extremely useful unless the default privilege level of some router regulates is likewise changed. When the default privilege level that a command is changed, only those who have that level access or above are permitted to run that command. These changes are made through the privilege command. The complying with example alters the default level that the telnet command come level 2:

Router#config terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)#privilege exec level 2 telnetRouter(config)#^ZRouter#Now no one with user-level (level 1) accessibility can operation the telnet command. Level 2 accessibility is required.


right here is an example of exactly how an organization might use privilege level to accessibility the router without giving everyone the level 15 password.

Assume that the organization has actually a couple of highly payment network administrators, a couple of junior network administrators, and also a computer operations facility for troubleshooting problems. This organization wants the very paid network administrators to be the just ones with complete (level 15) access to the routers, but also wants the junior administrators have actually more minimal access come the router the will permit them to help with debugging and also troubleshooting. Finally, the computer operations facility needs to have the ability to run the clear line command for this reason they can reset the modem dial-up link for the administrators if needed; however, castle shouldn’t have the ability to telnet from the router to various other systems.

The very paid administrators will have complete level 15 access. A level 10 will certainly be produced for the junior administrators to provide them access to the debug and telnet commands. Finally, a level 2 will be created for the operations facility to give them accessibility to the clear line command, yet not the telnet command:

Router#config terminalEnter construction commands, one every line. End with CNTL/Z.Router(config)#username admin-joe privilege 15 password joes-passwordRouter(config)#username admin-carl privilege 15 password carls-passwordRouter(config)#username junior-jeff privilege 10 password jeffs-passwordRouter(config)#username junior-jay privilege 10 password jays-passwordRouter(config)#username ops-fred privilege 2 password freds-passwordRouter(config)#username ops-pat privilege 2 password pats-passwordRouter(config)#privilege exec level 10 telnetRouter(config)#privilege exec level 10 debugRouter(config)#privilege exec level 2 clean lineRouter(config)#^ZRouter#
The NSA overview to Cisco router protection recommends the the following regulates be relocated from their default privilege level 1 to privilege level 15—connect, telnet, rlogin, show ip access-lists, show access-lists, and also show logging. Transforming these levels boundaries the usefulness the the router come an attacker that compromises a user-level account.

To adjust the privilege level of this commands, you would:

RouterOne#config terminalEnter construction commands, one every line. End with CNTL/Z.RouterOne(config)#privilege exec level 15 connectRouterOne(config)#privilege exec level 15 telnet RouterOne(config)#privilege exec level 15 rloginRouterOne(config)#privilege exec level 15 display ip access-listsRouterOne(config)#privilege exec level 15 present access-lists RouterOne(config)#privilege exec level 15 show logging RouterOne(config)#privilege exec level 1 display ip RouterOne(config)#^ZThe last privilege exec level 1 display ip returns the show and show ip commands to level 1, permitting all other default level 1 regulates to tho function.


This checklist summarizes the crucial security details presented in this chapter. A finish security checklist is provided in postposition A.


Enable service password-encryption on all routers.

Set the privileged-level (level 15) password with the enable secret command and also not v the enable password command.

Make certain all passwords are strong passwords that are not based on English or international words.

Make certain each router has actually different allow and user passwords.

Keep backup configuration papers encrypted top top a for sure server.

Access routers just from secure or reliable systems.

In huge organizations with many personnel with router access, use added privilege levels to restrict accessibility to unnecessary commands.

Reconfigure the connect, telnet, rlogin, show ip access-lists, show access-lists, and also show logging commands to privilege level 15.


Get Hardening Cisco Routers currently with O’Reilly digital learning.

O’Reilly members suffer live virtual training, add to books, videos, and digital content from 200+ publishers.


begin your free trial

About O’Reilly


Support

facebook-logo linkedin-logo youtube-logo

Download the O’Reilly App

take O’Reilly through you and also learn anywhere, at any time on your phone and tablet.

See more: Kenmore 80 Series Super Capacity Plus, Kenmore 80 Series Top Load Washer Super Capacity


*
*

Watch ~ above your huge screen

View every O’Reilly videos, Superstream events, and Meet the expert sessions on your home TV.