Cisco – Code to generate Cisco “secret” password hashes

Does anyone have a pointer to code (or just the algorithm) that Cisco uses to generate their password hashes for things like "enable secret"?

I'm not trying to break into anything; I'm trying to generate the appropriate "enable secret" line given a clear-text password, not decode an existing "enable secret" line with a hashed password. I need this for an automated config-file generator that I'm working on (Netomata Config Generator).

Basically, what I want is the Cisco equivalent of the "htpasswd" command used for web servers.

For example, when I put the following command with clear-text password into a Cisco config:

enable secret foobar

then when I do a 'show config' command (assuming I have "service password-encryption" enabled), what I see is something like this:

enable secret 5 $1$pdQG$0WzLBXV98voWIUEdIiLm11

I want code that translates "foobar" to "5 $1$pdQG$0WzLBXV98voWIUEdIiLm11", so that I can generate the already-hashed passwords in my config-generation tool, rather than putting cleartext passwords in the generated configs and waiting for the router to generate the hash.

I presume that the "5" in the hashed result is some sort of hash algorithm identifier. If there are other hash algorithms that Cisco currently uses or has historically used, then I'd like to have the code for those algorithms as well.

Best Answer

As per this website, the OpenSSL command line utility appears to provide the functionality you need:

$ openssl passwd -1 -salt pdQG -table foobar
foobar  $1$pdQG$0WzLBXV98voWIUEdIiLm11
$

And there is presumably an equivalent function in the library itself.

I'm not sure if IOS requires you to use specific salt values, but technically there is no reason why it should as long as the string you provide in your 'enable secret' command is a valid MD5 password digest. If you have the opportunity to test, I'd be interested to know your results.
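The "5" prefix marks the crypt(3) MD5 scheme ($1$), which is exactly what `openssl passwd -1` computes: the salt, the magic string and the password are mixed into an MD5 digest, that digest is stretched through 1000 further MD5 rounds, and the 16 result bytes are emitted as 22 characters in crypt's permuted order. The following is an added example, not code from the question, the answer or Netomata: a pure-Python implementation built on `hashlib`, so a config generator can emit type 5 lines without shelling out to openssl or depending on the platform crypt(3) (Python's `crypt` module does not support $1$ on every platform and was removed in 3.13). The function names are this example's own; the 4-character random salt matches the length of "pdQG" in the question, and the password/salt pair in `main` is the one from the question.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Alphabet crypt(3)-style hashes use for both the salt and the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the crypt(3) MD5 hash "$1$<salt>$<22 chars>" (same as openssl passwd -1)."""
    if not 1 <= len(salt) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from the crypt alphabet")
    pw = password.encode()
    sl = salt.encode()
    magic = b"$1$"

    # Step 1: the "alternate" digest md5(pw + salt + pw).
    alt = hashlib.md5(pw + sl + pw).digest()

    # Step 2: main context = pw, magic, salt, then len(pw) bytes taken from alt.
    ctx = hashlib.md5(pw + magic + sl)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(remaining, 16)])
        remaining -= 16

    # Step 3: for each bit of len(pw): a NUL byte if set, else the first pw byte.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # Step 4: 1000 stretching rounds mixing pw, salt and the running digest.
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(sl)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()

    # Step 5: 16 digest bytes -> 22 characters, in crypt's permuted byte order.
    d = final
    encoded = (
        _to64((d[0] << 16) | (d[6] << 8) | d[12], 4)
        + _to64((d[1] << 16) | (d[7] << 8) | d[13], 4)
        + _to64((d[2] << 16) | (d[8] << 8) | d[14], 4)
        + _to64((d[3] << 16) | (d[9] << 8) | d[15], 4)
        + _to64((d[4] << 16) | (d[10] << 8) | d[5], 4)
        + _to64(d[11], 2)
    )
    return "$1$" + salt + "$" + encoded


def cisco_enable_secret(password: str, salt: Optional[str] = None) -> str:
    """Build the 'enable secret 5 ...' line for a clear-text password.

    Type 5 is MD5-crypt; when no salt is given, a random 4-character salt
    (the length seen in the question's example) is drawn from the crypt alphabet.
    """
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return "enable secret 5 " + md5_crypt(password, salt)


def verify_type5(password: str, hashed: str) -> bool:
    """Check a candidate password against an existing $1$<salt>$<hash> string."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    try:
        recomputed = md5_crypt(password, parts[2])
    except ValueError:
        return False
    return hmac.compare_digest(recomputed, hashed)


if __name__ == "__main__":
    # Password and salt from the question above (constructed input for the demo).
    print(cisco_enable_secret("foobar", "pdQG"))
    line = cisco_enable_secret("foobar")          # fresh random salt each run
    print(line, verify_type5("foobar", line.split()[-1]))
```

Two practitioner caveats. First, the salt is what keeps identical passwords from producing identical lines across devices, so let the generator draw a fresh one per device rather than reusing "pdQG". Second, type 5 is MD5 with only 1000 rounds and is fast to brute-force offline; on IOS releases that support them, type 8 (PBKDF2-SHA256) and type 9 (scrypt) secrets are the stronger choice, and a generated config should use one of those where the target platform allows it.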