How to crack Cisco Type 5 (MD5) Passwords

Whilst Cisco’s type 7 passwords are incredibly easy to decrypt (PacketLife Tools is my goto), Type 5 passwords are currently not reversible… that does not however mean they are not susceptible to brute force attacks.
Whilst its reasonably impractical to brute force a router’s login due to the amount of time it would take for each combination and the likelihood of being discovered, if you have access to a routers configuration then you can obtain enough information to crack it offline (given a sufficiently large enough password list and weak enough password).

Type 5 Passwords

In this example, the username/password or enable password is hashed with MD5 and salted;

username cisco-admin secret 5 $1$.vTq$m3rHbbqITE.sxlHB0K5ca/

If we break this password down we have the following elements;
$1 = Indicates its an MD5 hash
$.vTq = the salt used to generate the password
$m3rHbbqITE.sxlHB0K5ca/ = the salted and MD5 hashed password
On your reasonably powered linux box, download a (large) wordlist and run this command ;

me@LineVTY:~# openssl passwd -1 -salt .vTq -table -in wordlist.txt | grep sxlHB

This command use’s only the salt we found in the password to generate a password hash for each entry in the wordlist.txt file. We are only interested in a full match, so we grep the output for part (or you could use all) of the salted & hashed password.
If you wait patiently and if the password is in the word list then eventually… BOOM!
me@LineVTY:~# openssl passwd -1 -salt .vTq -table -in wordlist.txt | grep sxlHB
cisco $1$.vTq$m3rHbbqITE.sxlHB0K5ca/
This method will only realistically work if the network admin has used a relatively basic password that’s going to appear in a wordlist somewhere and not generated some random 20+ character string… which we all do… right?