The built-in ‘cracker’ isn’t working at the moment, but the process still stands. There are plenty of other sites/tools that can decrypt this type of password.
- Connect the console cable, power on the router and send the Break sequence a few times during boot to drop into ROM monitor (rommon) mode
- At the rommon prompt type confreg 0x2142 and hit enter (this makes the router ignore the startup configuration, and therefore its passwords, on the next boot)
- Type i and hit enter to restart the router.
- When it has booted, type enable to enter privileged mode
- Type copy start run and hit enter to load the saved configuration into the running config
- Type show run and look for an entry like this: password 7 0235105A19005E3244
- Put the long hex string into the top box on this page (leave out the password 7 part)
- Hit Crack Password and marvel at your newly recovered password
- Go back to the router and type conf t to switch to global configuration mode
- Type config-register 0x2102 and hit enter to restore the normal boot setting
- Press Ctrl-Z, type reload and hit enter, and you're done.
Type 5 Passwords
Don’t be fooled: type 5 passwords can be cracked too, it just takes a bit longer. A type 5 entry is a salted MD5 hash rather than the reversible encoding used for type 7, so it has to be brute-forced instead of decoded. You may have noticed an entry in your config that looked like this: enable secret 5 $1$uWd7$maP6Byq6ETXegoZXG8vbZ0. This is a type 5 password.
- Get a copy of John the Ripper
- Create a text file with your hash in it, in the following format: enable_secret_5:$1$uWd7$maP6Byq6ETXegoZXG8vbZ0
- Save the text file as pass.txt
- Assuming pass.txt is in the same folder as John, type john-mmx.exe -inc:all pass.txt
- After a while (how long depends on the length and complexity of the password) John should print the recovered password.
Obviously that’s how to do it on Windows, but the Linux version is very similar.
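As an added example (not code from the original post), here is a small Python audit helper covering both sections above: it scans a show run dump for type 5 and type 7 credentials, and shows why the type 7 ones are trivially reversible by implementing the fixed-key XOR that IOS uses. SAMPLE_CONFIG is constructed for the example; the two credential strings in it are the ones quoted in the post, and the third is generated by encode_type7().

```python
import re

# Fixed key that IOS XORs against for type 7 ("service password-encryption").
# It is a public constant, which is why type 7 is reversible encoding, not encryption.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset, the rest is hex of plaintext XOR key."""
    if (len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit()
            or not re.fullmatch(r"[0-9A-Fa-f]+", encoded[2:])):
        raise ValueError("not a well-formed type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")

def encode_type7(plain: str, offset: int = 0) -> str:
    """Forward direction; used here only for a round-trip check and to build sample data."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses key offsets 0-15")
    data = plain.encode("ascii")
    body = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"

_CRED_RE = re.compile(r"\b(password|secret)\s+(5|7)\s+(\S+)")

def audit_config(config_text: str) -> list:
    """Scan a show-run dump for weak credential types; returns (line number, type, assessment) tuples."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = _CRED_RE.search(line)
        if not m:
            continue
        if m.group(2) == "7":
            findings.append((n, "type 7", "reversible encoding: offers no real protection"))
        else:
            findings.append((n, "type 5", "salted MD5-crypt hash: crackable offline with John the Ripper"))
    return findings

# Constructed sample config: the two strings from the post plus one value built with encode_type7().
SAMPLE_CONFIG = "\n".join([
    "hostname edge-rtr",
    "enable secret 5 $1$uWd7$maP6Byq6ETXegoZXG8vbZ0",
    "username admin password 7 0235105A19005E3244",
    "line vty 0 4",
    " password 7 " + encode_type7("vty-example-pw", 7),
])
```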
Note: If you recognise the type 7 password from above then one of your old routers now belongs to me. Change your passwords because you’ve been owned.