1
00:00:00,240 --> 00:00:06,210
In this video we're going to discuss the Enable and secret passwords on Cisco devices.

2
00:00:06,210 --> 00:00:13,220
In this example I have a Cisco router and when I hit Enter I'm taken to user mode and then I can type

3
00:00:13,240 --> 00:00:18,820
enable, which takes me immediately to enable or privilege mode.

4
00:00:19,620 --> 00:00:22,020
There is no authentication at all.

5
00:00:22,020 --> 00:00:27,290
I'm immediately able to start configuring the router from a security point of view.

6
00:00:27,290 --> 00:00:29,410
That's a really bad idea.

7
00:00:29,810 --> 00:00:36,680
When someone connects to the console of a router or switch you typically want to have a password configured

8
00:00:36,980 --> 00:00:45,080
so that that person is not able to go from the user mode to the Enable or privilege mode without some

9
00:00:45,080 --> 00:00:47,200
type of security.

10
00:00:47,230 --> 00:00:54,170
It's very risky to have a router configured without some type of authentication.

11
00:00:54,220 --> 00:01:01,960
Now in this example in GNS3 it works a little bit differently. GNS3 routers take you to

12
00:01:01,990 --> 00:01:04,370
privilege mode immediately.

13
00:01:04,450 --> 00:01:11,110
So I'm going to open up a console to this Cisco router running in GNS3 and I'm told that I can

14
00:01:11,260 --> 00:01:17,470
press enter to get started and I'm taken to privilege mode immediately.

15
00:01:17,600 --> 00:01:27,050
So if I type exit and hit enter notice I'm taken to privilege mode straight away on a real Cisco router.

16
00:01:27,130 --> 00:01:36,020
So a physical router you can see in this example that I'm using a 12:32 when I type exit and then hit

17
00:01:36,050 --> 00:01:43,180
Enter I'm taken to user mode not privilege mode and then I need to type enable to go to privilege mode

18
00:01:44,130 --> 00:01:44,610
now.

19
00:01:44,700 --> 00:01:52,320
Apart from that you can test the entire lab on GNS3 because you can type disable and then type enable

20
00:01:52,440 --> 00:01:56,260
and that takes you from user mode to privilege mode once again.

21
00:01:56,730 --> 00:02:05,700
So the issue here is that when you connect to real routers via the console you can gain access to the

22
00:02:05,700 --> 00:02:09,010
router without entering a password.

23
00:02:09,030 --> 00:02:13,830
So we want to change this and add some type of security.

24
00:02:13,880 --> 00:02:21,560
So once again when I'm in user mode and I type enable I gain access to the router by default using

25
00:02:21,620 --> 00:02:27,790
privilege level 15 which means I have all rights to the router without a password.

26
00:02:27,860 --> 00:02:31,530
So let's change that, so configure terminal, conf t.

27
00:02:31,610 --> 00:02:38,820
There are two ways to configure passwords for the Enable mode or privilege mode when you type enable.

28
00:02:38,840 --> 00:02:45,340
You'll see that you can configure a password for Enable mode or a secret password for Enable mode.

29
00:02:45,770 --> 00:02:50,060
So both of these assign a privilege level type of password.

30
00:02:50,060 --> 00:02:57,950
Now the enable password is still in the Cisco CCNA which is surprising because it's a very weak way

31
00:02:58,190 --> 00:03:00,440
of setting up passwords.

32
00:03:00,440 --> 00:03:04,340
The reason why is the password is unencrypted as shown over here.

33
00:03:04,790 --> 00:03:09,090
When you type in the password you either specify 0 which means that the password you're going to now

34
00:03:09,090 --> 00:03:15,950
type is in clear text or you specify 7 which means that the password is encrypted when you type it in.

35
00:03:16,280 --> 00:03:18,830
By default you don't have to put the zero in.

36
00:03:19,100 --> 00:03:22,780
Which means that the password you are typing is in clear text.

37
00:03:22,790 --> 00:03:27,560
Now be careful hitting enter at this point you don't want a password of Cisco space.

38
00:03:27,650 --> 00:03:31,230
So when I press backspace and then hit enter.

39
00:03:31,550 --> 00:03:38,960
So the password configured is enable password cisco. Control-Z takes me back to privilege

40
00:03:38,960 --> 00:03:39,530
mode.

41
00:03:39,890 --> 00:03:43,760
And now if I type show run you'll see the problem.

42
00:03:43,760 --> 00:03:46,180
Notice the password is in clear text.

43
00:03:46,370 --> 00:03:51,470
So if you were standing behind me looking over my shoulder you'd be able to see what the password is

44
00:03:51,470 --> 00:03:57,890
configured as. Or if I copy the configuration to a TFTP server and you opened up the file on the

45
00:03:57,890 --> 00:03:59,060
TFTP server.

46
00:03:59,090 --> 00:04:02,330
You'd also be able to see what the password is configured as.

47
00:04:02,490 --> 00:04:08,990
So Cisco recommend that you change the default of no service password encryption to service password

48
00:04:09,140 --> 00:04:13,550
encryption to enable encryption of the password.

49
00:04:13,550 --> 00:04:14,800
Now this is a trap.

50
00:04:14,810 --> 00:04:17,770
Don't be fooled by this encryption.

51
00:04:17,840 --> 00:04:23,570
So firstly when you type show run or show running config notice it says service password encryption

52
00:04:23,960 --> 00:04:28,130
and the password is now encrypted with a type seven password.

53
00:04:28,130 --> 00:04:35,540
However if I copy that and paste it into a hacking tool now makes this tool available as part of the

54
00:04:35,540 --> 00:04:36,100
course.

55
00:04:36,140 --> 00:04:42,680
So you should see it below the video if I paste that password in and click Show password.

56
00:04:42,680 --> 00:04:44,850
Notice the password is decrypted.

57
00:04:45,200 --> 00:04:51,770
So this password is only useful for stopping someone standing behind me looking over your shoulder and

58
00:04:51,770 --> 00:04:53,470
seeing what your password is.

59
00:04:53,570 --> 00:04:56,720
It is not actually something that you should be using today.

60
00:04:56,820 --> 00:05:05,360
Now just to confirm that, I'll type enable password cisco1 and in this case I'll use the do show

61
00:05:05,360 --> 00:05:12,560
run command which means I'm running a show command from configure mode and I'm going to specify pipe

62
00:05:12,740 --> 00:05:20,270
include enable to show only lines in the running config with the word enable. Notice the password is

63
00:05:20,270 --> 00:05:23,120
different to what we had previously.

64
00:05:23,390 --> 00:05:27,890
So back in my hacking application I'll paste that in.

65
00:05:27,890 --> 00:05:29,950
Notice there's the password.

66
00:05:30,050 --> 00:05:33,850
I'll set it back to cisco.

67
00:05:34,020 --> 00:05:35,380
Look at it again.

68
00:05:35,490 --> 00:05:41,990
Notice it's changed but when I paste it in the password is shown through this hacking tool.

69
00:05:42,360 --> 00:05:46,380
So don't be fooled into using the Enable password.

70
00:05:46,380 --> 00:05:49,480
One more thing I'll point out and then I'll show you a better way of doing it.

71
00:05:49,800 --> 00:05:56,540
So when you type enable password notice the seven, that means that the password that follows is encrypted.

72
00:05:56,640 --> 00:06:02,240
So if I put it in like that it means that I've used a password of Cisco.

73
00:06:02,250 --> 00:06:03,680
Now how does this help me.

74
00:06:03,970 --> 00:06:12,360
Well when I type disable and now type enable notice I need to put in the password of cisco. So the enable

75
00:06:12,360 --> 00:06:22,010
password command is used to stop someone moving from user mode to enable mode without authentication.

76
00:06:22,020 --> 00:06:25,740
You'll also notice that the password is not displayed.

77
00:06:25,830 --> 00:06:31,320
It doesn't even show you the number of characters that you're typing so when I type enable nothing is

78
00:06:31,320 --> 00:06:33,730
displayed even though I'm typing the password.

79
00:06:33,990 --> 00:06:38,080
So someone behind me wouldn't know how many characters my password is.

80
00:06:38,430 --> 00:06:39,550
And you wouldn't know.

81
00:06:39,630 --> 00:06:41,250
Watching this video.

82
00:06:41,310 --> 00:06:47,930
So that's the enable password. Recommendation is don't use it because it's in clear text by default.

83
00:06:48,360 --> 00:06:54,660
So once again if I type no service password encryption and then type do show run.

84
00:06:54,660 --> 00:06:57,310
The password is shown as encrypted here.

85
00:06:57,480 --> 00:07:04,250
If I change that to enable password cisco, do show run, password is shown in clear text.

86
00:07:04,350 --> 00:07:10,530
So if you are going to use an enable password and it's recommended that you don't it's recommended

87
00:07:10,530 --> 00:07:14,990
that you use the service password encryption option to encrypt your passwords.

88
00:07:15,030 --> 00:07:20,730
Cisco still support the enable password for backward compatibility but it's not something you should

89
00:07:20,730 --> 00:07:22,770
be using in the real world.

90
00:07:22,770 --> 00:07:28,170
Now let's look at a better way of setting security for Enable mode.
