Solved

Regarding Encryption Type In PIX and ASA

Posted on 2009-03-31
Last Modified: 2013-11-22
Dears,
I want to know whether the type of encryption used when I write this command is strong and cannot be broken easily:
MyFW(Config)#username abcd password test

because after using this command :
MyFW(Config)#show running-config username

the output is :
username abcd password PSAvSeHRPqajh/Vi encrypted


So if someone knows PSAvSeHRPqajh/Vi, can he figure out the password?

BR,

Question by:sfda_soc
4 Comments
 
LVL 16

Expert Comment

by:2PiFL
ID: 24027902
Cisco used to offer a "tool" to de-crypt passwords so the short answer is yes.  However, they would need access to the firewall and both passwords.  
0
 

Author Comment

by:sfda_soc
ID: 24049982
Even so, I would like to know what type of encryption it is,
because maybe my running-configuration file leaked and then anyone could take advantage of it...
0
 
LVL 16

Expert Comment

by:2PiFL
ID: 24050171
The service password-encryption global configuration command uses a simple Vigenère cipher which is designed to protect your passwords from casual observers.  It is not designed to withstand any serious hack attempt.

The enable secret command and the Enhanced Password Security feature use Message Digest 5 (MD5) for password hashing.  This algorithm is very secure but can be subject to a dictionary attack.

Check out the "Password management" section of this Cisco article:
 http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
0
 
LVL 5

Accepted Solution

by:
shirkan earned 500 total points
ID: 24139453
Username encryption in ASA and PIX cannot be reverse decrypted - the tool is for routers, not firewalls.

There is no tool currently available to HACK Cisco PIX and ASA firewall PW encryption.

BUT of course, if someone has both, they can run a dictionary, brute-force or rainbow-table attack until it matches, so choose a PW wisely and especially a long one, which then makes the above-mentioned attacks useless because of the time it would take to run through all the possible combinations.
Especially avoid passwords that are in any dictionary; instead choose a PW with a combination of numbers, lower-case and capital letters and special symbols like !, $ etc., and use at least 16 digits.

Then there is no real chance someone could brute-force it - today, that is, as there is not enough processor power available worldwide to do just that.
0
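The accepted solution's point is that a leaked config only lets someone guess offline, so the defence is a password whose guess space is too large to cover. The following is an added example, not code from the thread or from Cisco: a small policy checker that applies the three rules given above (at least 16 characters, all four character classes, not built on a dictionary word) and estimates how large the guess space is. The wordlist and the 1e12 guesses-per-second rate are constructed assumptions for illustration; a real check would load an actual wordlist from disk.

```python
import math
import string

# Constructed stand-in for a real wordlist file (assumption: a real check
# would load a cracked-password list from disk instead).
COMMON_WORDS = {"password", "test", "cisco", "admin", "letmein", "firewall", "abcd"}

# The character classes the accepted answer recommends mixing.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26 characters
    "digit": set(string.digits),            # 10 characters
    "symbol": set(string.punctuation),      # 32 characters
}


def classes_used(pw):
    """Names of the character classes that actually appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def keyspace_bits(pw):
    """log2 of the candidate space an exhaustive guesser must cover if it
    knows only the length and which character classes are in use."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    if not pw or alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def years_to_exhaust(pw, guesses_per_second=1e12):
    """Worst-case years to try every candidate at an assumed offline guessing
    rate (1e12/s is an illustrative figure, not a measured one)."""
    seconds = 2 ** keyspace_bits(pw) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def check_password(pw, min_len=16):
    """Return a list of policy problems; an empty list means the password
    passes the length, class-mix and dictionary rules from the accepted answer."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    missing = set(CLASSES) - classes_used(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    # Dictionary rule: reject the bare word and the common "Word123!" pattern,
    # where digits/symbols are only tacked onto the ends of a dictionary word.
    core = pw.lower().strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    # "test" is the password from the question; the other two are constructed.
    for candidate in ("test", "Password1!", "xK7$mQ2!vL9#pR4&"):
        print(f"{candidate!r}: {keyspace_bits(candidate):.1f} bits, "
              f"~{years_to_exhaust(candidate):.2e} years to exhaust, "
              f"problems: {check_password(candidate) or 'none'}")
```

Running it shows why the hash format matters less than the password behind it: "test" spans under 19 bits and is exhausted in a fraction of a second at the assumed rate, while a 16-character mixed password spans roughly 105 bits. The checker reports which rule a candidate fails rather than a single pass/fail, so it can be used when setting usernames on the firewall.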
