Cisco (Type 7) Passwords PHP decrypt script

Cisco devices can be configured to store weak “obfuscated” passwords, also called “Type 7 Passwords”.

This script aims to recover this type of passwords, from the obfuscated string.

Since Password Obfuscation (Type 7) is not secure, if accounts details are stored inside device configuration, it is recommended to have it crypted with MD5 algorithm.

Use this script at your own risk, there is no input checking and no warranty on the result.
This script has been published for educational purposes only.

Details of the Decrypt PHP Function:

<?
function decrypt($pass) {
 $xarr = array (0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b,
                0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69,
                0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
                0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
                0x55, 0x42);
 $z=0;
 $decrypted='';
 $unenc_lenght = (strlen($pass)-2)/2;
 $xorindex = (($pass[0]-0)*10)+($pass[1]-0);
 settype($xorindex, "integer");
 echo "Encrypted Password: ".$pass."<br />";
 
 for ($i = 2 ; $i <= strlen($pass); $i=$i+2) {
   $val=(hexdec($pass[$i])*16)+hexdec($pass[$i+1]);
   settype($val, "integer");
   $passdec[$z]=chr($val ^ $xarr[$xorindex]);
   $z++;
   $xorindex++;
 }
 
 for ($t=0;$t<=$unenc_lenght-1;$t++) {
   $decrypted .= $passdec[$t];
 }
 
 echo "Decrypted Password: ".$decrypted;
 return(1);
}
?>

Details of the HTML code to let the function work in a Web Environment:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
 <title>Cisco Password Recovery</title>
 <meta name="generator" content="Vim the Editor" />
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
 <p>
  Cisco routers can be configured to store weak obfuscated passwords.<br />
  This script aims to recover Cisco &copy; Crypted (Type 7) Passwords.<br />
  Use this script at your own risk, there is no input checking and no warranty on the result.<br />
  This script has been published for educational purposes only.<br />
  <br />
  <b>The use of this script for any malice or illegal purposes is strictly prohibited!</b><br />
  <b>We decline all responsibility for any direct or indirect damage possibly arising from the use of this script.</b><br />
  <br />
 </p>
 <form action='<? $_SERVER['PHP_SELF']; ?>' method="post">
  <p>
   <input type="text" name="Password" size="40" />
   <input type="submit" name="Decrypt" value="Decrypt!" />
  </p>
 </form>
 <p>
<?
if ((isset($_POST[Decrypt])) and (strlen($_POST[Password])>0))
  decrypt($_POST[Password]);
 else
  echo " &nbsp; Please type your Crypted (Type 7) password!";
?>
 <br />
 These links on www.cisco.com may be of further use:
 </p>
 <ul>
  <li><a href="http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml">Cisco IOS Password Encryption Facts</a> [Ref. cisco.com]</li>
  <li><a href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml">Password Recovery Procedures on Cisco devices</a> [Ref. cisco.com]</li>
 </ul>
 <p>
  <br />
  <a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0 Strict" height="31" width="88" /></a>
 </p>
</body>
</html>

Related Links:
Cisco IOS Password Encryption Facts
Password Recovery Procedures on Cisco devices


Comments are closed.