月份: 2008 年 11 月

When you started studying for your CCNA certification exam, one of the very first things you learned was the major difference between the enable password and the enable secret – the enable secret is encrypted by default, where the enable password is just sitting there in clear text, waiting to be read!

When you look at the enable secret in a Cisco router configuration, it looks like it would be impossible to guess. 640-802:Cisco Certified Network Associate(CCNA) After setting the enable secret on this router to the word security, here’s how it appears in the configuration:enable secret 5 $1$24me$gVFxUOI4gYp0IQbhtH8Rz0.That password has been encrypted by MD5, the Message Digest 5 algorithm. The result of the MD5 algorithm being applied to the password is a 32-character hexadecimal value.

That password is hard to guess, but not terribly hard to crack. Anyone looking over your shoulder would not be able to come up with that password, but there are readily-available password cracking software devices that can crack that encryption in a matter of minutes. That’s true of any MD5-encrypted password, not just those on Cisco routers.So what can we do about this? We can add SALT to our MD5.

The salt itself is simply a string of random characters that are added to the encryption process. Salting makes it much more difficult for a hacker to come up with the password; each bit added by the salt process literally makes it twice as difficult for the password to be compromised. A recent Wikipedia entry states that if a password was one of 200,000 words, a 32-bit salt would require 800 trillion hashes for a full-blown brute force attack.

The actual creation and application of a salt is beyond the scope of the CCNA Security exam, but once you’ve earned that valuable certification – or maybe while you’re preparing for it – do a Google search on “salt md5” and read up on this powerful security tool. In the meantime, look for more CCNA Security tutorials on the site you’re on now as well as my website!

Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage, home of over 100 free certification exam tutorials, including Cisco CCNA certification test prep articles. His exclusive Cisco CCNA study guide and Cisco CCNA training is also available! Visit his blog and sign up for Cisco Certification Central, a daily newsletter packed with CCNA, Network+, Security+, A+, and CCNP certification exam practice questions! A free 7-part course, “How To Pass The CCNA”, is also available, and you can attend an in-person or online CCNA boot camp with The Bryant Advantage!

#01 solara

As part of my study for CCNA Security I have been making a list of all the commands I need to be adept with. I thought I would share this list of commands with others who may be interested.

For simplicty the list doesn’t offer explanations and in most cases there are a variety of options that could be used with each command that are not shown. It is also not suitable for copy/paste into a router or switch. However, I think it is still a useful quick reference sheet.

#02 B Haines

You are running both RADIUS as well as TACACS+ servers in your example configuration. I was wondering what RAD/TACS you were running on those two servers? FreeRadius? And what Tac Plus? Just trying to determine what software you are using for your lab studies! Thanks!

By the way, thanks for sharing your config!

#03 solara

The previous example isn’t my config but rather just a list of commands to be familiar with and so I’m not actually running TACACS+ and RADIUS on the separate server addresses that I have shown.

I do my lab work using GNS3 with the C3745-ADVENTERPRISEK9_SNA-M IOS and currently I’m using the 90-day trial version of Cisco ACS 4.2 running on a Win2k3 VMWare box.

Just for interest I’ve attached a text file showing a basic config I’ve used for testing TACACS+. I have enabled debugs on aaa authentication and IP packets between the router and the ACS server and then attempted to logon to the router via SSH.