Pre-hashed Passwords


Solved by nabz0r

Question

Stokkolm

I am using a running switch config as a template for a new switch that I'm setting up. If service password-encryption was run on the other switch can I use the hashed passwords in my new configuration file or do I need to use plain-text?


3 answers to this question

nabz0r

Yes, you can use your hashed version password in your new switch. If it is MD5 use 5 and if it is SHA256 use 4 depending on how you configured your password in your current switch that you are copying from.

xxx-sw-int01(config)#username walid priv 15 sec ?
  0     Specifies an UNENCRYPTED secret will follow
  4     Specifies a SHA256 ENCRYPTED secret will follow
  5     Specifies a MD5 ENCRYPTED secret will follow
  LINE  The UNENCRYPTED (cleartext) user secret

xxx-sw-int01(config)#user                       
xxx-sw-int01(config)#usern
xxx-sw-int01(config)#username walid priv 15 sec 4 ?
  WORD  The HIDDEN user secret string

xxx-sw-int01(config)#username walid priv 15 sec 5 ?
  WORD  The HIDDEN user secret string

xxx-sw-int01(config)#username walid priv 15 sec 5
Stokkolm

Based on my Google research as long as I TFTP the configs to flash I should be able to leave them as is as long as I keep the "5" there.

 

Example:

username myusername privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXX

Does anyone have any experience with this?

Stokkolm

 


It's MD5. Thank you for the help!

This topic is now closed to further replies.
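
A pre-flight check for the template config discussed in this thread, as an added example that is not from any of the posters: it confirms that the type digit on each credential line matches the shape of the string after it before the file is copied to the new switch. The regular expressions, verdict names and sample hash strings are assumptions constructed for this example; type 7 is included because it is what service password-encryption writes for "password" lines, and type 4 is reported as deprecated because Cisco has deprecated it.

```python
import re

B64 = r"[./0-9A-Za-z]"
# Expected shape of the stored string for each type digit. 0, 4 and 5 are the
# options in the CLI help quoted in the thread; 7 is added for "password"
# lines. The patterns themselves are this example's assumptions.
SHAPES = {
    "4": re.compile(rf"{B64}{{43}}"),                     # bare SHA-256 digest
    "5": re.compile(rf"\$1\${B64}{{1,8}}\${B64}{{22}}"),  # MD5-crypt: $1$salt$hash
    "7": re.compile(r"\d{2}(?:[0-9A-Fa-f]{2})+"),         # offset + hex pairs
}
VERDICT = {"4": "deprecated", "5": "portable", "7": "reversible"}
LINE = re.compile(r"\b(secret|password)\s+(?:(\d)\s+)?(\S+)\s*$")

def audit(config_text):
    """Return (line_no, type_digit, verdict) for every credential line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = LINE.search(line)
        if not m or line.lstrip().startswith("!"):
            continue
        # No digit before the value means the value itself is cleartext.
        digit, value = m.group(2) or "0", m.group(3)
        if digit == "0":
            verdict = "cleartext"
        elif digit not in SHAPES:
            verdict = "unchecked"
        elif SHAPES[digit].fullmatch(value):
            verdict = VERDICT[digit]
        else:
            verdict = "mismatch"   # digit and string disagree, e.g. MD5 under 4
        findings.append((no, digit, verdict))
    return findings

# Constructed sample template; the hash strings are made-up fillers.
MD5C = "$1$Salt$" + "0123456789abcdefABCDEF"
SAMPLE = "\n".join([
    "service password-encryption",
    f"enable secret 5 {MD5C}",
    f"username ops privilege 15 secret 4 {'A' * 43}",
    f"username typo privilege 15 secret 4 {MD5C}",
    "username temp privilege 15 secret Winter2020",
    "line vty 0 4",
    " password 7 0822455D0A16",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
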