Cisco :: MD5 Password Cracking with Kali Linux

In this article, I would like to highlight the importance of using complex passwords when hashed with the MD5 128-bit algorithm. I will demonstrate the cracking of MD5 salted passwords using Kali Linux and a password cracking tool, John the Ripper.

Cisco IOS devices use the MD5 algorithm to hash username passwords created by administrators. When weak password strings are protected with MD5, they become susceptible to attacks. MD5 passwords use a salted hash: a four-character phrase (the salt) is generated and combined with the password.

Extracts of the following demonstration are taken from a CCNA Security lab I have been working on. It was such an informative lab, I decided to document it and share it with the SYNACK community. To carry out MD5 cracking we will use John the Ripper to crack a weak hashed password and then we will use a custom dictionary to carry out the second attack.

Step 1. Produce a one-way transform (MD5 hash) using Kali Linux

Open Terminal and, ensuring you are root, enter openssl passwd -1 -salt yvQJ cisco and press Enter.

You should be presented with a one-way transform of the password ‘cisco’.

Example: $1$yvQJ$SK2/1KIZXwUY/7/P36C4I0

Let me just take a moment to explain the task we have just performed and what the output means.

openssl passwd = Command used to hash the password; on Cisco IOS this would be enable secret

-1 = The hashing method; in our case we are using the MD5 hashing algorithm

yvQJ = A salt phrase used for this demonstration

cisco = The password we have used for this demonstration

So, if we look at the transform that was produced, we can see the following:

Transform = $1$yvQJ$SK2/1KIZXwUY/7/P36C4I0

$1 = Indicates that an MD5 transformation is used

$yvQJ = Indicates the four-character salt phrase we specified earlier

$SK2/1KIZXwUY/7/P36C4I0 = Indicates the MD5 hash of the secret password ‘cisco’ combined with the salt ‘yvQJ’

Step 2. Cracking the password ‘cisco’ with the given hash

We will now use John the Ripper to crack our password using the hash that was computed for us in the first step.

Open a text document by typing leafpad in terminal and press enter

Once leafpad is open type secretone:$1$yvQJ$SK2/1KIZXwUY/7/P36C4I0

Save the document to the root directory as secrets.txt

Execute John the Ripper by typing john secrets.txt

An example of the execution is shown in the image below. John the Ripper was successfully executed and it only took one guess to crack the MD5 hash; better yet, it only took 4 seconds.

Step 3. Perform a dictionary attack with John the Ripper

We will now create another MD5 transform and use a dictionary attack to crack the hash.

Open terminal and create another transform with the password ‘synack’ (see step 1)

Take the hash and open leafpad, then enter the following: newsecret:MD5_hash_here. Where it says MD5_hash_here, enter the MD5 hash you were presented with when creating the secret password.

Save the file to root directory as secrets1.txt and close the document

Open leafpad again and type synack on one line

Save this file to the root directory as words.txt and close the document

The words.txt file is our dictionary. Although in our example we have only specified one word, we could have a much bigger dictionary of keywords. We will now tell John the Ripper to use our words.txt file to crack the MD5 hash.

In terminal enter john --wordlist=words.txt --rules secrets1.txt and press Enter

John the Ripper should be able to crack the password; your output should look like the image below.


In this demonstration, you have seen how we can use John the Ripper to crack MD5 passwords. When using the enable secret command on Cisco IOS devices it is important to use complex passwords that are not based on any string of text and include letters, numbers and special characters.
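
The same check can be run as a pre-deployment audit: split a $1$ transform into its salt and digest, re-hash each entry of a weak-password list with that salt, and flag a match. This is an added example, not part of the original lab; the function names, the three-word list and the use of openssl passwd with -stdin are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a $1$ (md5crypt) secret against a list of weak passwords.

# Print the salt of a $1$salt$digest string; fail if the format is wrong.
md5crypt_salt() {
    case "$1" in
        '$1$'*'$'*) ;;
        *) return 1 ;;
    esac
    rest=${1#'$1$'}        # salt$digest
    salt=${rest%%'$'*}     # text before the next "$"
    digest=${rest#*'$'}    # text after it (22 characters for md5crypt)
    [ -n "$salt" ] && [ "${#salt}" -le 8 ] && [ "${#digest}" -eq 22 ] || return 1
    printf '%s\n' "$salt"
}

# audit_secret HASH WORDLIST
# Prints the matching word and returns 0 if HASH is in the wordlist,
# returns 1 if no word matches, 2 if HASH is not a $1$ hash.
audit_secret() {
    target=$1 wordlist=$2
    salt=$(md5crypt_salt "$target") || return 2
    while IFS= read -r word || [ -n "$word" ]; do
        [ -n "$word" ] || continue
        # Re-hash the candidate with the stored salt; -stdin keeps it out of argv.
        candidate=$(printf '%s\n' "$word" | openssl passwd -1 -salt "$salt" -stdin)
        if [ "$candidate" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Constructed sample: the article's salt and password, and a three-word list.
demo() {
    list=$(mktemp)
    printf '%s\n' password synack cisco > "$list"
    sample=$(printf '%s\n' cisco | openssl passwd -1 -salt yvQJ -stdin)
    rc=0
    audit_secret "$sample" "$list" || rc=$?
    rm -f "$list"
    return "$rc"
}

demo   # prints: cisco
```

A return code of 1 only means the secret is not in that particular list; it says nothing about its strength against a larger dictionary.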
