Decrypting Cisco type 7 passwords on a router

It is common knowledge that Cisco type 7 passwords are not secure.
A quick search on Google brings up plenty of websites that will crack the passwords for you, and a few scripts\tools you can run locally to get the type 7 password.
You can also decrypt the password on the router.
The aim of this blog is to describe the process for decrypting a type 7 password on router using just IOS commands.
First create a password on your router which you want to crack.
For my example I have created the password "cisco".
So the running configuration looks like this;

password 7 1511021F0725

To decrypt you password, first enter global configuration, then enter the command "key chain test" followed by "key 1" then enter "key-string 7 1511021F0725" as shown below;

As you can see from the screen shot above, to show the password use the "show key chain test" command which will decrypt your type 7 password key-string.

Remember when creating password on a router to use the "secret" keyword to ensure MD5 is used as type 7 passwords are not designed to be secure!
For further information, please refer to www.cisco.com

Reading a pgp encrypted message from Linux CLI

If you've been following my PGP\GPG blogs, you should now have PGPGPG installed on your Linux PC.
You will also have generated a PGP key and exported the Public Key, and then created an encrypted message for "Your Mate"

 If not, please read the previous blogs installing pgpgpg, exporting public key  and Encrypting a message.


All that remains is to read an encrypted message. That is the objective of this blog.
First you need to recieve an encrypted message. For this blog, I have created a message which was encrypted using "Your Name's" public key.
The message was placed in my home folder and was called "secretmessage.txt.asc" as shown below.
Check the contents of the file with the cat command.

 
As you can see, the content of the file are encrypted.
To decrypt the file use the "gpg --decrypt secretmessage.txt.asc" command.
You will be prompted for the passphrase. Then the encrypted message will be displayed.
Of course this is fine for a short message as shown, but if your message is larger you may want to extract it as a file.
This can be done using the "--output <filename>" command.
I have decrypted the "secretmessage.txt.asc" file again below, but this time I've saved the output to a file called secretmessage.txt.

 
Notice in the second "ls" there is a new file called "secretmessage.txt".
This is the content of the encrypted file. You can check this using the cat command as shown below.

 
Remember that this file may contain sensitive information, so storing it as a plain text file might not be a great idea.
I hope these blogs have been of use.

Importing a public key to your keyring and creating an encrypted message in Linux CLI

If you've been following my PGP\GPG blogs, you should now have PGPGPG installed on your Linux PC.
You will also have generated a PGP key and exported the Public Key.
If not, please read the previous blogs installing pgpgpg and exporting public key

This blog aims to explain how to import someone else's key, and then send them an encrypted message.
Before we progress any further, you need to have someones Public Key. This can be acquired by email, downloading of a website, or passed via any means, but it is important that you trust the public key you have is from who you think it is from.
I have acquired a public key from "Your Mate" and have it in my home folder.

I first check the contents of my Key ring using the "gpg --list-key" command as shown below.
If you've been following my blogs in order, you should find the only key you have is the one you've generated.
Import the public key for the person you wish to send the encrypted message to with the "gpg --import keyname" command as shown below. As you can see, the key I imported was called "YourMate.asc"

You can confirm the key is now on your keyring by repeating the "gpg --list-key" command as shown above. Notice you now have the "Your Mate" key.
You can check that you have imported the correct public key by asking the owner to confirm the keys finger print.
This can be done using the "gpg --fingerprint" command to see all your keys fingerprints, or an individual key using any of the variables shown below.

Obviously, if someone wishes to confirm your public key's fingerprint, you can complete the same command on your own key as shown below.

"Your Name" keys fingerprint has been highlighted above.
If you now trust you have the correct public key you can sign the key to show that you trust the key to belong to "Your Mate". The command to sign a key is "gpg --sign-key Your.Mate@email.com"
By signing other peoples keys, you can set up a ring of trust. Other people may choose to trust a key on the basis of your signiture.
So now for the fun part. We have installed gpg, created our own key, exported our public key to some one, and now we have imported "Your Mate" public key. We are finally ready to encrypted our first message.
 In order to remain in CLI, I have created a short text message using "cat" as shown below.

When using a "cat >" to create a text file, you need to press "CTRL+D" to exit the redirect.
You could use a text editor like gedit or Vi if you prefer.
You can also use "cat" to check the contents of your file as shown below.

We now have a text file called message.txt in our home directory.
This file can be encrypted using gpg, but lets first consider what we need.
1) the text file
2) the public key of the recipient
3) to make the file ASCII we need to include the "--armor" command.
The required command should look something like this;
"gpg --recipient Your.Mate@email.com --armor --encrypt message.txt"
 So with this information we can encrypt the file as shown below

Notice we now have a "message.txt.asc" file. This is the encrypted file.
Also notice the orginal "message.txt" file still exists! If this contains sensitive data, it should be removed.
Check the contents of your encrypted file using the cat command as shown below.

You can now send this information via email, or any other method safe in the knowledge that it will only be read by its intended recipient/s
You can encrypt a message to more than one recipient including yourself.
That concludes this blog.

Exporting a GPG public key in linux CLI

If you read my previous blog pgp using gpg , your probably thinking... "Well now what do I do with my key..?"
If so, this blog is for you!
First, a little bit about PGP usage. You have two keys, the secret key and the public key.
The public key is the one you can share freely, the secret key you should protect.
If someone wants to send you an encrypted message, they first need to get your public key.
If you want to send someone an encrypted message, you first need to get there public key.
To display you key in ASCII type the "gpg --export -armor <key name>"  command. This will display the key in the CLI session, but you would need to cut and paste the contents to a text file. This process can be completed quicker by redirecting the output of the command direct to a text file using the ">" meta character as shown below.

 
Now when we type "ls" to list the files in our home directory we see a file called "YourName.asc" which is a text file containing your public key.
Incidently, I chose ".asc" as I know this is what PGP uses to identify public keys.
You can check the contents of the file by opening it in a text editor like gedit, but if we want to stay in CLI we could use "cat filename" or to enable scrolling you can type "less filename" as shown below.

To exit less, use the ":Q" command as you would in Vi.

The contents of the file look like this;
 

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)

mQENBE90JBkBCADEaja/iOtuN0eI/ZNchzxgmOBsHUhcPwl/ndAifQfAgCbU/Ld+
toLgkuVHtocDq98XOyS77QDTSrDyMG66sVcr3Ok+Lg8KOZJLoGjp67H2gIymFbRp
0Tkv2K3sfJJ8eqwF+5fkKP2FFjOBDqE6gioOKF1EZpNJkdhFlrYviwjnmYxGP2N7
po45N7UGthUJyD1gE3AzALcWc1QJWyLMBLRsItNgBcrjvUCMg/gSP+AtZViwfMAj
4WtinhQ0KIV5Wi8rMf9eQEquV2PEX1edM0+GE0dHSYst3kcmvl0hm7/yGsSUcEt+
Gb9YhYa3biJ9WY6A7Pod1+YO3Zb3lcJYLWsNABEBAAG0L1lvdXIgTmFtZSAoWW91
ciBOaWNrbmFtZSkgPFlvdXIuTmFtZUBlbWFpbC5jb20+iQE4BBMBAgAiBQJPdCQZ
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAO/fSWlRUP1UZ0B/9YymIu
gEoGBOeJ2QdUpOzxFFPTnv9xD2D8Lu5XQZaR2fXXXhCIUsOtwOnbp6AWo74VKkoU
a0oDPbB34A42mcQODoCsHfJubgqYFHbkon0AG9THaH2f5OQ1Q0Ka2U74PioKal1P
Yqzek4gyGcOUniYXol9v7I/AAzlNidiFl2nHGGmvv90lidT4tO6R6eGI/b4Zpvlc
8gBZMt/H2+ZMSCiICZfI2d4jUm0pr7Zna6JfTBR8QMQBbieNq0o/uyxkYLmexffC
RXpEAVnvCKRLjJPeag9jZyjg7kvosJIJdKBo7cOV9jHVjmyQjsSUFYZT4KxVxFH3
P70/Pr8Trm+Ctx+RuQENBE90JBkBCADqB01wfMCgqmdPWsOHm61kc1UMV7puaqNl
id/VHwkRk8XXqgN1wSInA8BpY+MGommqieoEJdp7XtPRQkrMgS+m3B2NRpFPoGq3
ehsW+LaKTXHAWeIquNLXI8BCvPrSQDSm6WLIBjiywPOID3+5vbHmFAKq3+On6ial
ZrAlVj4CE7jPb7iqLAfG95KCiBQZto+0cYTilMRs4XcKKCoXT2JOxl5G4kUxp9Jq
IHEHZnePMc9KYaTG74dUehimyoyKbBriLrQjB2qwzoMf9jCJRJBYdpUvjqMIdFOO
IeLTOHUvNXDFWIb9ZioOEQTSc75vHvFsJeS6M2SfWp1lO8V7i6gdABEBAAGJAR8E
GAECAAkFAk90JBkCGwwACgkQDv30lpUVD9VMiAgAwx27TgKHBW0Ofv4a64vBBGDu
u8JL4/wX7BYa+uBHvbMYoqZMpzzcEwIbwGXuISRqufcFt85VtwhbNGsFeuoMNJcx
ggWjniQ6z4nTU+0ppAoovmvNhQIqs+45iQ0qDDMFTQSUX4kRnMeV3peT/gqAfXjG
iS7tlj6wK0pAjyPsme2JxiRTt1CB7kiSkqEoQsHoTPBejt7AlKmbR5lfnmZP6yRp
Bj5JSMlj+0FZqNFcLFEgRXNR7SGhR2VQWTzIg9pwek6QaWRi7M0sLzGVDpka08Xo
mPKlCboX6p3ZN1io6hKywi/9498PR1oBamz9md4GB7B+aAQ/c5QYDjEbUnCwJQ==
=MgSk
-----END PGP PUBLIC KEY BLOCK-----

This is the public key for "YourName" and can be distributed in any way you choose, including email.

This also achieves my objective for this blog. In my next blog I hope to demonstrate how to use other peoples public keys to encrypt a message.

PGP using GPG.... ;o)

Gpg is stands for Gnu Privacy Guard and is a free alternative to the PGP cryptographic software.
GnuPG (or GPG) follows the RFC 4880 which is the standard specification of OpenPGP. The most important thing GPG is interoperable with PGP. GPG is build as a command line utility but also have several front-ends for KDE, Gnome and other Linux desktops, but also is directly integrated in other software like: Email Clients as Mozilla Thunderbird, Evolution, Kmail, Instant Messaging as PSI, Fire, Browsers as Mozilla Firefox etc.

GnuPG encrypts messages using asymmetric keys. This keys are generated by the users and are exchanged with others through TRUSTED key servers.GPG also knows symmetric key cryptography.

Installing GPG
sudo apt-get install pgpgpg

Generating key pairs

The basis of PGP encryption is you generate a key pair. This comes in two parts, a Secret Key and a Public Key. The Public Key you can upload to key servers or distribute via any means you like. (I have a copy of one of my keys on the public space of my Dropbox account)

Run “gpg –gen-key” and just follow the steps. An example of output is presented on following lines

 

You now need to select your key type. RSA is the default, to select RSA type "1" and press enter.

Then choose your key size. The default key size is 2048. Many people think a larger key is more secure than a smaller key, there is some truth in this, but it will also be larger, making your encrypted files larger.

Statistically, you are far better off having a 2048 bit key with a strong and longer pass phrase than a 4096 bit key with a poor pass phrase. I sit firmly in the stronger pass phrase camp, and just generate 2048 bit keys.

 Next you will be asked how long you want the key to remain valid. This is a nice feature if you want your keys to expire after a fixed time. For the purposes of this blog, I'm going to create a key which won't expire as shown above.

Next you will be asked some details about the key! In order for people to be able to find your key on a key server, GPG ask for "Real name". I like to think that people could get your key via your email address, and if I want to send something to someone encrypted, i would prefer to get there current public key direct from them.Supply the details required, I have generated the key above to show you what format the key will take. When complete, press "O" and enter to generate the key.

Your key will now be generated. At this stage I like to run my mouse around the screen to generate as much random data as I can...The time taken for the key generation varies depending on the key size, and how much random data you generate.

When your key is finished generating the key fingerprint will be displayed as shown above.You can also check the keys on your keyring with the "gpg --list-key" command as shown below.

 You can also check your keys fingerprint with the "gpg --fingerprint <name>" command.
As you can see from my screenshot below, I have found the key on all three sections of the name.

The first command was looking for the nickname (Your Nickname)
The second was searching on the Key name (Your Name)
The last command used the email address supplied (Your.Name@email.com)
I have also highlighted the keys fingerprint.

This concludes my fist blog on PGP. At this stage all we have done is installed the packaged and generated our own key in Linux and from the command line (CLI).

If you have any further questions, please feel free to ask Google! ;o)

%Error opening tftp://255.255.255.255/network-confg (Socket error)

Occasionally, during bootup of Cisco hardware through Cisco IOS software, error messages similar to these are displayed:

• %Error opening tftp://255.255.255.255/network-confg (Socket error)
• %Error opening tftp://255.255.255.255/cisconet.cfg (Socket error)
• %Error opening tftp://255.255.255.255/3620-confg (Socket error)
• %Error opening tftp://255.255.255.255/3620.cfg (Socket error)

These error messages are related to the default service configuration option built into Cisco IOS software, which attempts to access the service configuration files from a network Trivial File Transfer Protocol (TFTP) server.

In order to disable this feature, issue the no service config global command.

Router#config terminal
Enter configuration commands, one per line.  

Router(config)#no service config

Router(config)#exit

Router#copy running-config startup-config

These error messages no longer appear at the next bootup of the router.

A quick guide to setting up a TFTP server in Ubuntu

The aim of this guide is to describe the process required to setup a TFTP server on a Linux PC. The main reason I require a TFTP server is for backing up configuration files and IOS's from Cisco devices.

Trivial File Transfer Protocol (TFTP) is a simple protocol to transfer files. It has been implemented on top of the User Datagram Protocol (UDP) using port number 69. TFTP is designed to be small and easy to implement, therefore, lacks most of the features of a regular FTP. TFTP only reads and writes files (or mail) from/to a remote server. It cannot list directories, and currently has no provisions for user authentication.

There are plenty of free TFTP server daemons available for download for Windows machines, but at home I run Linux, and wanted to setup a dedicated machine just for copying Cisco IOS's and configs onto.

TFTP is far from secure, so I do NOT recommend leaving this port open on a machine which has access to the Internet.

Also it should be noted that this guide is intentionally command line as that is where the magic happens!

I normally sudo su which will log you in with root privileges and prevent you from continually entering your password.

This is not best practice, but its my guide and I'm lazy. If you prefer, insert a “sudo” in front of every command and skip the sudo su command.

sudo su
apt-get update && apt-get install tftp-hpa tftpd-hpa

This will install the server

The default location for for TFTP files is /var/lib/tftpboot. You can set a different location later if you'd like, but you must chmod and chown the directory you choose.

sudo mkdir /var/lib/tftpboot
sudo chown nobody.nogroup /var/lib/tftpboot
sudo chmod 777 /var/lib/tftpboot

Edit the TFTP server configuration file to put the service in daemon mode and set a custom directory you may have chosen above.
You can do this using command line text editors like Vi or Emacs but I just use Gedit

gedit /etc/default/tftpd-hpa

 

This is where you can customise you TFTP server.

I chose to create my servers root directory in my home directory.

In my case that is /home/anon/
I called my root directory TFTProot.

So my tftpd-hpa file looks like this;

# /etc/default/tftpd-hpa

RUN_DAEMON="yes"
OPTIONS="-l -s /home/anon/TFTProot"

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/home/anon/TFTProot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure

Save the file and then be sure to create the directory required;

mkdir /home/anon/TFTProot
chown anon.anon /home/anon/TFTProot
chmod 777 /home/anon/TFTProot

As your logged in as root, the directory will also belong to root so chown the directory to your login account and group.

I also made the directory world rightable.. (probably not best practice, but it worked for me and avoided the dreaded “TFTP error 1”)

Once my directory structure was in place I restarted the daemon;

/etc/init.d/tftpd-hpa restart

You should now have a working TFTP server up and running.

Don't take my word for it, check...

netstat -a |grep tftp

udp 0 0 *:tftp *:*

Or another way to check would be to scan your PC. You can scan the loopback IP address using nmap like this;

nmap -sU 127.0.0.1

Starting Nmap 5.21 ( http://nmap.org ) at 2012-01-31 21:17 GMT

Nmap scan report for localhost.localdomain (127.0.0.1)

Host is up (0.13s latency).

Not shown: 994 closed ports

PORT STATE SERVICE

68/udp open|filtered dhcpc

69/udp open|filtered tftp

135/udp open|filtered msrpc

A few notes about usage.

Before you can send a file to the tftp server, it needs to exist in the tftp directory.
I'm not sure why, or if I'm doing something wrong, but I found the secret to a successful transfer is to create a empty file first.

touch filename 
chmod 777 /home/anon/TFTProot/filename
ls -al

-rwxrwxrwx  1 root   root        0 2012-01-31 21:37 filename 

Incidentally, if anyone reading this knows of a better way, I would be intrigued to know how?

It is at this point we are ready to send the file from our Cisco device;

router#copy run tftp
Address or name of remote host[]?192.168.2.2
Destination filename [router-config]? filename
!!
3974 bytes copied in 1.492 secs (2664 bytes/sec)
router#

At this point your running-config should be in the directory you've created.