Cisco Type 7 decryption / Cracking Cisco passwords

Type 7 encryption is used within Cisco IOS to cipher some clear text passwords within the configuration output. This is a weak form of encryption and is enabled on all type zero passwords with the command "service password-encryption". There are many online resources and apps available that can immediately display the clear text value of a Cisco type 7 encrypted password. However, it’s also possible to decrypt a type 7 password from within IOS using a key chain, or to decrypt it manually with reference to an ASCII table, as described below.

Decrypt Cisco Type 7 using Key Chain

Create a key chain and enter the type 7 password you wish to decrypt. For this example we'll be using the encrypted password value 0822455D0A16.

Hostname (config)#key chain decrypt
Hostname (config-keychain)#key 1
Hostname (config-keychain-key)#key-string 7 0822455D0A16

View the key chain in order to display the clear text password value.

Hostname#show key chain
Key-chain decrypt:
key 1 -- text "cisco"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]

 

Manually decrypt Cisco Type 7

Notes:

In order to manually decrypt a type 7 password, it’s a good idea to have an understanding of the XOR operation and of ASCII tables, which are used to convert hexadecimal and decimal values to characters.

The constant value for salt creation in relation to Cisco type 7 encryption was leaked many years ago and is - tfd;kfoA,.iyewrkldJKD

The XOR string value is xorstring[n], where n is the position of the related character in the above constant. For example, xorstring[3] is d, and xorstring[7] is A.

The encrypted password string must contain an even number of digits, and the calculation to work out the plaintext password length is (<length of encrypted password> - 2) / 2.

Using “0822455D0A16” as an example, the calculation is: (12-2) / 2 = 5. From that, you know the cleartext value will be 5 characters long.

Reference ASCII table - http://www.asciitable.com/


Decryption:

Obtain the current salt by taking the first 2 digits of the type 7 encrypted password “0822455D0A16” and identifying the related constant value. The first 2 digits in our example are 08, and xorstring[08] relates to value A in the above constant. Reference to the ASCII table shows that character A equals decimal value 65.

Decrypt the first character by taking the next 2 digits from the encrypted string “0822455D0A16” as a hex value. In our example this is hex value 22, and the ASCII table shows the related decimal value of 34. The simplified XOR operation using the decimal values of the first character and the salt is 34 XOR 65.

Decimal   Binary
34        00100010
65        01000001
99        01100011

Decimal value 99 referring to ASCII table = character “c”


Obtain the next salt by incrementing the previous index by 1 and identifying the corresponding value from the constant. In this example, the new index is 09, and xorstring[09] is the constant character “,”, which the ASCII table identifies as decimal value 44.

Decrypt the second character by repeating the above process for first character decryption:

Next 2 digits “0822455D0A16” = 45 (hex), ASCII table decimal 69.

69 XOR 44

Decimal   Binary
69        01000101
44        00101100
105       01101001

Decimal value 105 referring to ASCII table = character “i”


Obtain the next salt by incrementing the previous index by 1 and identifying the corresponding value from the constant. In this example, the new index is 10, and xorstring[10] is the constant character “.”, which the ASCII table identifies as decimal value 46.

Decrypt the third character by repeating the above process for first character decryption:

Next 2 digits “0822455D0A16” = 5D (hex), ASCII table decimal 93.

93 XOR 46

Decimal   Binary
93        01011101
46        00101110
115       01110011

Decimal value 115 referring to ASCII table = character “s”


Obtain the next salt by incrementing the previous index by 1 and identifying the corresponding value from the constant. In this example, the new index is 11, and xorstring[11] is the constant character “i”, which the ASCII table identifies as decimal value 105.

Decrypt the fourth character by repeating the above process for first character decryption:

Next 2 digits “0822455D0A16” = 0A (hex), ASCII table decimal 10.

10 XOR 105

Decimal   Binary
10        00001010
105       01101001
99        01100011

Decimal value 99 referring to ASCII table = character “c”


Obtain the next salt by incrementing the previous index by 1 and identifying the corresponding value from the constant. In this example, the new index is 12, and xorstring[12] is the constant character “y”, which the ASCII table identifies as decimal value 121.

Decrypt the fifth character by repeating the above process for first character decryption:

Next 2 digits “0822455D0A16” = 16 (hex), ASCII table decimal 22.

22 XOR 121

Decimal   Binary
22        00010110
121       01111001
111       01101111

Decimal value 111 referring to ASCII table = character “o”


Combine all the decrypted characters in order to view the cleartext password: "cisco"
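The manual steps above, carried out in Python as an added example (not code from the original article), together with a check that lists every type 7 value in a saved configuration and the text it reverses to. It assumes the constant exactly as printed on this page with positions counted from 1, as the worked steps do (08 is A), and rejects salts that point outside those 21 characters; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constant exactly as printed on this page. Assumption of this example:
# positions are counted from 1, as the worked steps do (position 08 is "A").
XOR_CONSTANT = "tfd;kfoA,.iyewrkldJKD"
TYPE7_IN_CONFIG = re.compile(r"\b(?:password|key-string)\s+7\s+(\S+)")


def decode_type7(encoded):
    """Return (plaintext, steps); each step is (position, key, cipher, plain)."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"\d\d[0-9A-Fa-f]+", encoded):
        raise ValueError("not a well-formed type 7 string: %r" % encoded)
    salt = int(encoded[:2])               # first two digits: starting position
    length = (len(encoded) - 2) // 2      # the page's plaintext-length formula
    steps = []
    for n in range(length):
        position = salt + n               # position advances by 1 per character
        if not 1 <= position <= len(XOR_CONSTANT):
            raise ValueError("position %d is outside the constant on this page" % position)
        key = ord(XOR_CONSTANT[position - 1])
        cipher = int(encoded[2 + 2 * n:4 + 2 * n], 16)
        steps.append((position, key, cipher, cipher ^ key))
    return "".join(chr(step[3]) for step in steps), steps


def audit_config(text):
    """Return (line number, recovered text or None) for each type 7 value found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = TYPE7_IN_CONFIG.search(line)
        if match:
            try:
                findings.append((lineno, decode_type7(match.group(1))[0]))
            except ValueError:
                findings.append((lineno, None))   # present but not decodable here
    return findings


# Constructed sample configuration; its type 7 value is the page's own example.
SAMPLE_CONFIG = """\
service password-encryption
key chain decrypt
 key 1
  key-string 7 0822455D0A16
"""
if __name__ == "__main__":
    for position, key, cipher, plain in decode_type7("0822455D0A16")[1]:
        print("position %02d: %3d XOR %3d = %3d -> %r" % (position, cipher, key, plain, chr(plain)))
    print(audit_config(SAMPLE_CONFIG))
```

Each printed row matches one of the decimal XOR tables in the walk-through, so the script can be used to check a manual decryption step by step.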

Thanks I will have a go at cracking my password on my cisco kit
