ASA generates the same password hashes

Guest

ASA generates the same password hashes

Post by Guest » Fri Jan 07, 2005 10:03 pm

Hi guys, I found out that ASA 8.2 in particular generates the same password hash for the same password every time. So, if I enter the same password on different ASAs, the password hash will be the same. And if you decrypt one of them, you will know the password for all systems. It's very strange. Moreover, Cisco Routers and Switches generate different password hashes. I understand that these devices use different encryption algorithms.

Examples. If I run on ASA:

    (config)# username testuser1 password 12345
    (config)# username testuser2 password 12345
    (config)# username testuser3 password 12345
    (config)# username testuser4 password 12345
    (config)# username testuser5 password 12345

I get:

    # sh run | in username testuser
    username testuser3 password oFJjANE3QKoA206w encrypted
    username testuser2 password oFJjANE3QKoA206w encrypted
    username testuser1 password oFJjANE3QKoA206w encrypted
    username testuser5 password oFJjANE3QKoA206w encrypted
    username testuser4 password oFJjANE3QKoA206w encrypted

The same oFJjANE3QKoA206w hash.

On the Routers:

    (config)# username testuser1 secret 12345
    (config)# username testuser2 secret 12345
    (config)# username testuser3 secret 12345
    (config)# username testuser4 secret 12345
    (config)# username testuser5 secret 12345

Result:

    #sh run | in testuser
    username testuser1 secret 5 $1$ni5I$v3Sq5TBrQ7Ty3Eyygg.Sb0
    username testuser2 secret 5 $1$Ecsn$XzGSHF7knxLxskt8Wc3ku1
    username testuser3 secret 5 $1$.0o5$9dZD4RkJa9FF10rMXZpPm.
    username testuser4 secret 5 $1$FJVN$NtM9dY.H238dgS6tOjUzM.
    username testuser5 secret 5 $1$BUAY$PHKM8ksvSOxl9r/U7Ruft/

Absolutely different hashes. It's very strange that the ASA (a security device) does it this way. Maybe I need to turn on some special service (command) or something like that? Why does ASA do it?

Guest

Re: ASA generates the same password hashes

Post by Guest » Fri Jan 07, 2005 11:38 pm

You are right, the ASA was not using a salt to hash the passwords as in IOS. It was practically obfuscating how they showed on the running config, and not hashing them. Though, in ASA 8.3 there is a new feature (password encryption) that practically encrypts the passwords (commands key config-key password-encryption, password encryption aes) with a passphrase that can be changed on a per-box basis, so you will not face this problem. I hope it helps. PK
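An added example (not from either post): a small config audit that parses the two "show run" excerpts quoted in the thread and flags accounts whose stored hash is byte-identical, which is exactly what the unsalted ASA 8.2 format makes visible, while the IOS type 5 entries carry a per-user salt and are never grouped. The regexes and the inline sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the two "show run" excerpts quoted in the thread.
ASA_RUN = """\
username testuser3 password oFJjANE3QKoA206w encrypted
username testuser2 password oFJjANE3QKoA206w encrypted
username testuser1 password oFJjANE3QKoA206w encrypted
username testuser5 password oFJjANE3QKoA206w encrypted
username testuser4 password oFJjANE3QKoA206w encrypted
"""
IOS_RUN = """\
username testuser1 secret 5 $1$ni5I$v3Sq5TBrQ7Ty3Eyygg.Sb0
username testuser2 secret 5 $1$Ecsn$XzGSHF7knxLxskt8Wc3ku1
username testuser3 secret 5 $1$.0o5$9dZD4RkJa9FF10rMXZpPm.
username testuser4 secret 5 $1$FJVN$NtM9dY.H238dgS6tOjUzM.
username testuser5 secret 5 $1$BUAY$PHKM8ksvSOxl9r/U7Ruft/
"""

# ASA 8.2 style: a bare 16-character value, no salt field at all.
ASA_LINE = re.compile(r"^username (\S+) password (\S+) encrypted$")
# IOS type 5 style: $1$<salt>$<digest>, the salt is stored next to the digest.
IOS_LINE = re.compile(r"^username (\S+) secret 5 \$1\$([^$]+)\$(\S+)$")


def parse_users(config):
    """Return {user: (salt_or_None, digest)} from the username lines of a config."""
    users = {}
    for line in config.splitlines():
        m = ASA_LINE.match(line.strip())
        if m:
            users[m.group(1)] = (None, m.group(2))
            continue
        m = IOS_LINE.match(line.strip())
        if m:
            users[m.group(1)] = (m.group(2), m.group(3))
    return users


def shared_hashes(users):
    """Accounts whose stored value is identical. Without a salt, identical values
    mean identical passwords, across users and across devices alike."""
    by_digest = defaultdict(list)
    for user, (_salt, digest) in users.items():
        by_digest[digest].append(user)
    return {d: sorted(u) for d, u in by_digest.items() if len(u) > 1}


def unsalted_accounts(users):
    """Accounts stored in a format that carries no salt field."""
    return sorted(u for u, (salt, _digest) in users.items() if salt is None)
```

Run against a full running config, a non-empty result from shared_hashes() on the ASA side is the signal the original poster noticed; the same check on the IOS side stays empty even when every account uses the same password.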
