network cisco ccna gns3 certification arteq
a network runs through it
Thursday, December 8, 2011

CHAP crap...

I read somewhere that the global service password-encryption command would not encrypt a CHAP password... this is false... proof below...

r2620_03#sh run
Building configuration...

Current configuration : 1241 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
then, further down in the same show run:
username r2620_01 password 0 cisco
ok... type 0, i.e. cleartext, which is what you get with no service password-encryption...


r2620_03#config t
Enter configuration commands, one per line.  End with CNTL/Z.
r2620_03(config)#service password-encry
r2620_03(config)#end
r2620_03#

then show run reveals:

username r2620_01 password 7 0822455D0A16

CHAP still works (IOS can reverse type 7 to get the cleartext it needs for the CHAP response) and the username password is now stored as type 7, however, from the horse's mouth:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml


The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator. However, the algorithm used by the service password-encryption command is a simple Vigenère cipher. The algorithm is not designed to protect configuration files against serious analysis by even slightly sophisticated attackers and must not be used for this purpose. Any Cisco IOS configuration file that contains encrypted passwords must be treated with the same care that is used for a cleartext list of those same passwords.
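To show what "simple Vigenère cipher" means in practice, here is an added example (my code, not from this post or from Cisco) that reverses a type 7 string and audits config lines for credentials. The key string is the fixed, publicly known key stream IOS uses for type 7; the function names, the sample config and the placeholder enable secret value are my own constructions, and wrapping the key with modulo for very long passwords is my assumption. Fed the post's own 0822455D0A16 it returns cisco.

```python
"""Cisco IOS type 7 decoder/encoder plus a small running-config auditor.

Added example: not code from the blog post or from Cisco. The key string
is the fixed, publicly known type 7 key stream used by IOS; everything
else (function names, sample config) is my own construction.
"""
import re
from typing import Dict, List

# Fixed key stream used by every IOS image for type 7 obfuscation.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Reverse a type 7 string such as '0822455D0A16'.

    Layout: two decimal digits give the starting offset (00..15) into the
    key stream, then one hex byte per plaintext character, each XORed with
    the key byte at the running offset. Wrapping with modulo for passwords
    longer than the key is my assumption; IOS passwords never get that long.
    """
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of chars, >= 4")
    offset = int(encoded[:2])
    if offset > 15:
        raise ValueError("type 7 seed must be 00..15")
    cipher = bytes.fromhex(encoded[2:])
    plain = bytes(
        byte ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
        for i, byte in enumerate(cipher)
    )
    return plain.decode("ascii")


def type7_encrypt(plain: str, offset: int = 8) -> str:
    """Produce the string IOS would write for `plain` with the given seed."""
    if not 0 <= offset <= 15:
        raise ValueError("type 7 seed must be 00..15")
    body = "".join(
        f"{byte ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]:02X}"
        for i, byte in enumerate(plain.encode("ascii"))
    )
    return f"{offset:02d}{body}"


# Matches 'username X password 7 ...', 'enable password ...', 'ppp chap password 0 ...',
# 'enable secret 5 ...'. Whitespace is required after the keyword, so
# 'service password-encryption' itself does not match.
_CRED_RE = re.compile(
    r"^\s*(?P<stmt>.*?)\b(?P<kw>password|secret)\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)


def audit_config(config_text: str) -> List[Dict[str, object]]:
    """One finding per credential line: type, and the recovered cleartext for
    type 0 and type 7 (None for type 5, which is a hash and not reversible)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _CRED_RE.match(line)
        if not m:
            continue
        kw, ptype, value = m.group("kw"), m.group("type"), m.group("value")
        if kw == "password" and ptype == "7":
            findings.append({"line": lineno, "type": 7, "recovered": type7_decrypt(value),
                             "note": "reversible; treat the config as cleartext"})
        elif kw == "password" and ptype in (None, "0"):
            findings.append({"line": lineno, "type": 0, "recovered": value,
                             "note": "cleartext"})
        elif kw == "secret" and ptype == "5":
            findings.append({"line": lineno, "type": 5, "recovered": None,
                             "note": "MD5 hash; not usable for CHAP"})
    return findings


# Constructed sample config: the type 7 line is the one from the post, the
# enable secret value is a placeholder and not a real hash.
SAMPLE_CONFIG = """\
!
version 12.4
service password-encryption
!
enable secret 5 $1$abcd$placeholderNotARealHash
username r2620_01 password 7 0822455D0A16
username admin password 0 letmein
!
interface Serial0/0
 encapsulation ppp
 ppp authentication chap
!
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved show run and every type 7 line comes back as cleartext in milliseconds, which is the whole reason Cisco says to handle such a file like a password list.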

Cisco's advice is:

The feature Enhanced Password Security, introduced in Cisco IOS Software Release 12.2(8)T, allows an administrator to configure MD5 hashing of passwords for the username command. Prior to this feature, there were two types of passwords: Type 0, which is a cleartext password, and Type 7, which uses the algorithm from the Vigenère cipher. The Enhanced Password Security feature cannot be used with protocols that require the cleartext password to be retrievable, such as CHAP.
In order to encrypt a user password with MD5 hashing, issue the username secret global configuration command.

username name secret password
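Why CHAP needs the cleartext, as an added example (my code, not from the post or from Cisco): RFC 1994 defines the CHAP response as MD5(identifier || secret || challenge), so the side checking the response has to recompute it from the same cleartext secret. The peer names and the secret cisco are taken from the post; the class and function names are my own, and the mutual exchange mirrors the O CHALLENGE / I RESPONSE / O SUCCESS lines in the debug output further down. A store holding only an MD5 hash of the password (what username secret gives you) has nothing to feed into that MD5, which is exactly Cisco's caveat.

```python
"""CHAP (RFC 1994) challenge/response between two PPP peers.

Added example, not code from the blog post or from Cisco. Peer names and
the secret 'cisco' come from the post; everything else is my construction.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """One PPP peer. `secrets` maps the remote hostname to the cleartext CHAP
    secret, which is what 'username <name> password <pw>' stores on IOS."""

    def __init__(self, hostname: str, secrets: Dict[str, bytes]) -> None:
        self.hostname = hostname
        self.secrets = secrets
        self._ident = 0

    def challenge(self, value: Optional[bytes] = None) -> Tuple[int, bytes]:
        """O CHALLENGE: fresh identifier plus a (normally random) challenge value."""
        self._ident = (self._ident + 1) & 0xFF
        return self._ident, value if value is not None else os.urandom(16)

    def respond(self, ident: int, challenge: bytes, challenger: str) -> Tuple[bytes, str]:
        """O RESPONSE: MD5 over our cleartext secret for that peer, plus our name.

        This lookup is the step that cannot be done from a type 5 hash."""
        secret = self.secrets[challenger]
        return chap_response(ident, secret, challenge), self.hostname

    def verify(self, ident: int, challenge: bytes, response: bytes, responder: str) -> bool:
        """SUCCESS or FAILURE: recompute the MD5 and compare in constant time."""
        secret = self.secrets.get(responder)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def mutual_authenticate(a: ChapPeer, b: ChapPeer,
                        chal_a: Optional[bytes] = None,
                        chal_b: Optional[bytes] = None) -> Tuple[bool, bool]:
    """'Phase is AUTHENTICATING, by both': each side challenges the other.

    Returns (a accepts b, b accepts a)."""
    id_a, c_a = a.challenge(chal_a)
    id_b, c_b = b.challenge(chal_b)
    resp_b, name_b = b.respond(id_a, c_a, a.hostname)
    resp_a, name_a = a.respond(id_b, c_b, b.hostname)
    return a.verify(id_a, c_a, resp_b, name_b), b.verify(id_b, c_b, resp_a, name_a)


if __name__ == "__main__":
    r03 = ChapPeer("r2620_03", {"r2620_01": b"cisco"})
    r01 = ChapPeer("r2620_01", {"r2620_03": b"cisco"})
    print(mutual_authenticate(r03, r01))
```

Note that CHAP never sends the secret on the wire, only MD5 over it, which is why it is preferred to PAP; the price is that both routers keep it in a reversible form, and with service password-encryption that form is type 7.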
the debugs below (debug ppp authentication, debug ppp negotiation) deserve a look... I switched the link from HDLC to PPP to force a fresh CHAP exchange...

r2620_03(config)#int s0/0
r2620_03(config-if)#encap ppp
r2620_03(config-if)#
*Mar  8 07:26:55.435: Se0/0 PPP: Phase is DOWN, Setup
*Mar  8 07:26:55.435: Se0/0 PPP: Using default call direction
*Mar  8 07:26:55.435: Se0/0 PPP: Treating connection as a dedicated line
*Mar  8 07:26:55.435: Se0/0 PPP: Session handle[7F00000B] Session id[0]
*Mar  8 07:26:55.435: Se0/0 PPP: Phase is ESTABLISHING, Active Open
*Mar  8 07:26:55.435: Se0/0 PPP: Authorization required
*Mar  8 07:26:55.439: Se0/0 LCP: O CONFREQ [Closed] id 1 len 15
*Mar  8 07:26:55.439: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  8 07:26:55.439: Se0/0 LCP:    MagicNumber 0x265EC040 (0x0506265EC040)
*Mar  8 07:26:55.443: Se0/0 LCP: I CONFACK [REQsent] id 1 len 15
r2620_03(config-if)#
*Mar  8 07:26:55.443: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  8 07:26:55.447: Se0/0 LCP:    MagicNumber 0x265EC040 (0x0506265EC040)
r2620_03(config-if)#
*Mar  8 07:26:56.479: Se0/0 LCP: I CONFREQ [ACKrcvd] id 218 len 15
*Mar  8 07:26:56.483: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  8 07:26:56.483: Se0/0 LCP:    MagicNumber 0x18E6ABAE (0x050618E6ABAE)
*Mar  8 07:26:56.483: Se0/0 LCP: O CONFACK [ACKrcvd] id 218 len 15
*Mar  8 07:26:56.483: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  8 07:26:56.483: Se0/0 LCP:    MagicNumber 0x18E6ABAE (0x050618E6ABAE)
*Mar  8 07:26:56.483: Se0/0 LCP: State is Open
*Mar  8 07:26:56.483: Se0/0 PPP: Phase is AUTHENTICATING, by both
*Mar  8 07:26:56.487: Se0/0 CHAP: O CHALLENGE id 1 len 29 from "r2620_03"
*Mar  8 07:26:56.491: Se0/0 CHAP: I CHALLENGE id 5 len 29 from "r2620_01"
*Mar  8 07:26:56.491: Se0/0 CHAP: Using hostname from unknown source
*Mar  8 07:26:56.495: Se0/0 CHAP: Using password from AAA
*Mar  8 07:26:56.495: Se0/0 CHAP: O RESPONSE id 5 len 29 from "r2620_03"
*Mar  8 07:26:56.495: Se0/0 CHAP: I RESPONSE id 1 len 29 from "r2620_01"
*Mar  8 07:26:56.495: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar  8 07:26:56.495: Se0/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar  8 07:26:56.499: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar  8 07:26:56.499: Se0/0 PPP: Received LOGIN Response PASS
*Mar  8 07:26:56.503: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar  8 07:26:56.503: Se0/0 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar  8 07:26:56.503: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar  8 07:26:56.503: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar  8 07:26:56.507: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar  8 07:26:56.507: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar  8 07:26:56.507: Se0/0 CHAP: O SUCCESS id 1 len 4
*Mar  8 07:26:56.511: Se0/0 CHAP: I SUCCESS id 5 len 4
*Mar  8 07:26:56.511: Se0/0 PPP: Phase is UP
*Mar  8 07:26:56.511: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar  8 07:26:56.515: Se0/0 IPCP:    Address 10.0.30.2 (0x03060A001E02)
*Mar  8 07:26:56.515: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar  8 07:26:56.515: Se0/0 PPP: Process pending ncp packets
*Mar  8 07:26:56.515: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar  8 07:26:56.519: Se0/0 IPCP:    Address 10.0.30.1 (0x03060A001E01)
*Mar  8 07:26:56.519: Se0/0 AAA/AUTHOR/IPCP: Start.  Her address 10.0.30.1, we want 0.0.0.0
*Mar  8 07:26:56.519: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar  8 07:26:56.523: Se0/0 AAA/AUTHOR/IPCP: Reject 10.0.30.1, using 0.0.0.0
*Mar  8 07:26:56.523: Se0/0 AAA/AUTHOR/IPCP: Done.  Her address 10.0.30.1, we want 0.0.0.0
*Mar  8 07:26:56.523: Se0/0 IPCP: O CONFACK [REQsent] id 1 len 10
*Mar  8 07:26:56.523: Se0/0 IPCP:    Address 10.0.30.1 (0x03060A001E01)
*Mar  8 07:26:56.523: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar  8 07:26:56.527: Se0/0 CDPCP: O CONFREQ [Closed] id 1 len 4
*Mar  8 07:26:56.527: Se0/0 IPCP: I CONFACK [ACKsent] id 1 len 10
*Mar  8 07:26:56.527: Se0/0 IPCP:    Address 10.0.30.2 (0x03060A001E02)
*Mar  8 07:26:56.527: Se0/0 IPCP: State is Open
*Mar  8 07:26:56.531: Se0/0 IPCP: Install route to 10.0.30.1
*Mar  8 07:26:56.531: Se0/0 CDPCP: I CONFREQ [REQsent] id 1 len 4
*Mar  8 07:26:56.535: Se0/0 CDPCP: O CONFACK [REQsent] id 1 len 4
*Mar  8 07:26:56.535: Se0/0 CDPCP: I CONFACK [ACKsent] id 1 len 4
*Mar  8 07:26:56.535: Se0/0 CDPCP: State is Open
*Mar  8 07:26:57.431: Se0/0 IPCP: Install route to 10.0.30.1
*Mar  8 07:26:58.375: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.30.1 (Serial0/0) is up: new adjacency
*Mar  8 07:26:58.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2620_03(config-if)#

so there...