1
00:00:00,210 --> 00:00:06,700
So at the moment I've configured an enable password of Cisco. No service password-encryption is configured.

2
00:00:06,780 --> 00:00:12,500
Which means that the password is shown in clear text. The advantage of an enable password is when I type

3
00:00:12,530 --> 00:00:15,980
enable I'm asked to enter a password.

4
00:00:16,430 --> 00:00:22,490
When you connect to a live router by default you're in user mode and if an enable password hasn't been

5
00:00:22,490 --> 00:00:29,140
configured you are immediately able to access privilege mode or enable mode.

6
00:00:29,540 --> 00:00:34,430
But when a password is configured you'll be prompted to enter the password before you can access that

7
00:00:34,490 --> 00:00:35,130
mode.

8
00:00:35,890 --> 00:00:42,440
Now Cisco recommend that you use enable secret rather than enable password.

9
00:00:42,910 --> 00:00:50,550
And that's because this uses a better encryption. It uses MD5 hashing to hash a password.

10
00:00:50,570 --> 00:00:57,190
I'll show you a demonstration of hashing in a moment. In a similar way to the enable password,

11
00:00:57,190 --> 00:01:04,210
we can enter either 0, which means we're entering the password as unencrypted, or 5, which means that the password

12
00:01:04,210 --> 00:01:06,050
that follows is encrypted.

13
00:01:06,400 --> 00:01:08,760
You don't have to enter 0 by default either.

14
00:01:08,950 --> 00:01:11,090
So I'm just going to say enable secret Cisco.

15
00:01:11,230 --> 00:01:18,130
But notice what happens: I'm told that the enable secret you have chosen is the same as the enable password.

16
00:01:18,130 --> 00:01:19,930
This is not recommended.

17
00:01:19,930 --> 00:01:27,130
Re-enter the enable password. When I type show run | include enable

18
00:01:27,250 --> 00:01:34,890
You'll notice it did accept the secret password but I'm told that I should re-enter the password.

19
00:01:35,050 --> 00:01:40,080
So let's follow Cisco's advice and I'll set the password to Hello.

20
00:01:40,270 --> 00:01:42,020
So enable secret Hello.

21
00:01:42,460 --> 00:01:52,030
Now when I type Ctrl-Z and disable and type enable, I'm actually typing Hello rather

22
00:01:52,030 --> 00:01:59,980
than Cisco to access the privilege mode or enable mode. When I type show run, we'll do the full running

23
00:01:59,980 --> 00:02:02,900
config so that you can see it in the output.

24
00:02:02,980 --> 00:02:09,010
Notice no service password-encryption is configured but the secret password is hashed.

25
00:02:09,010 --> 00:02:10,760
It's encrypted by default.

26
00:02:11,020 --> 00:02:17,070
You can't decrypt that in the same way that I showed you using the hacking tool.

27
00:02:17,310 --> 00:02:20,870
The hacking tool only works with type 7 passwords.

28
00:02:21,400 --> 00:02:25,030
And this is a lot more secure than type 7.

29
00:02:25,070 --> 00:02:28,220
Now I've shown you how to hack a type 7 password.

30
00:02:28,450 --> 00:02:32,470
It's not as easy to do that with an MD5 password.

31
00:02:32,470 --> 00:02:35,020
This tool is also available as part of the course.

32
00:02:35,050 --> 00:02:37,520
Look below the video to use it.

33
00:02:38,370 --> 00:02:44,850
This is a hashing application that shows the MD5 hashing versus SHA hashing versus SHA-256,

34
00:02:44,930 --> 00:02:56,160
SHA-512 and SHA-384. MD5 hashes are 128 bits in length and it's actually recommended for VPNs or virtual

35
00:02:56,160 --> 00:02:59,340
private networks that you don't use MD5 hashes.

36
00:02:59,760 --> 00:03:04,440
But Cisco routers are still using MD5 hashes for the secret password.

37
00:03:04,440 --> 00:03:12,990
If I configure a password of Cisco and then click hash, this application will show me the hexadecimal

38
00:03:13,350 --> 00:03:20,950
hash of that password, the binary hash, as well as the SHA hashes of that password.

39
00:03:21,090 --> 00:03:24,590
And what you'll notice is the SHA passwords are a lot longer.

40
00:03:25,020 --> 00:03:26,640
These are hex values.

41
00:03:26,700 --> 00:03:30,620
So each value that you see here is four binary ones.

42
00:03:30,660 --> 00:03:37,300
These are going to be a lot longer and a lot more secure than an MD5 hash of 128 bits.

43
00:03:37,380 --> 00:03:45,170
But for now keep your eye on the binary and the MD5, and all I'm going to do is add one more character.

44
00:03:45,330 --> 00:03:52,410
So add a 1 at the end and click hash again, and what you should have noticed is that the hash changed

45
00:03:52,620 --> 00:03:55,550
quite dramatically from the previous example.

46
00:03:55,830 --> 00:04:03,710
Notice that the NGF 0 8 1 6 when I put another character in and I'll just put in a dot hash.

47
00:04:03,870 --> 00:04:07,080
Notice the entire number has changed.

48
00:04:07,080 --> 00:04:13,440
So even a minor change in the source text will cause the hash to change entirely.

49
00:04:13,440 --> 00:04:19,110
So in other words if you change your password the whole hash changes.

50
00:04:19,110 --> 00:04:24,780
So it's much more difficult for someone to try and crack this password than say using service password

51
00:04:24,780 --> 00:04:26,120
encryption.

52
00:04:26,130 --> 00:04:32,810
So once again recommend that you use a secret password rather than an enable password.

53
00:04:32,810 --> 00:04:36,480
Let's look at functionality of the passwords.

54
00:04:36,530 --> 00:04:42,560
Router 1 has an enable and secret password configured. Router 2 at the moment doesn't have a password

55
00:04:42,570 --> 00:04:54,110
configured. I'll boot the router and open up a console, so type disable on router 1 and do the same on router.

56
00:04:54,450 --> 00:05:00,670
When I type enable on router 1, I need to enter my password, which is my secret password, and router 2

57
00:05:00,670 --> 00:05:04,400
I don't have to enter anything because no password is being configured.

58
00:05:06,110 --> 00:05:09,840
If I type enable and do nothing,

59
00:05:12,310 --> 00:05:17,260
the router is going to wait for a period of time for me to enter a password and if I don't it's going

60
00:05:17,260 --> 00:05:24,320
to prompt me. I'll speed up the video to save you the time waiting for this, but notice the timeout has

61
00:05:24,320 --> 00:05:27,950
expired. That's going to happen three times.

62
00:05:27,960 --> 00:05:32,120
While we're waiting for that I'll set up an enable password on router 2

63
00:05:34,760 --> 00:05:39,830
and I'll show you what happens when I've typed the wrong password in. So I'll type in password 1,

64
00:05:40,370 --> 00:05:42,950
password 2, password 3.

65
00:05:43,220 --> 00:05:47,480
Notice it tells me bad passwords so I'm not locked out of the router.

66
00:05:47,570 --> 00:05:55,340
I'm simply told that I've entered a bad number of passwords. Notice on router 1 a second timeout

67
00:05:55,370 --> 00:06:08,640
has occurred. On router 2 let's do enable secret Cisco 1, disable.

68
00:06:08,660 --> 00:06:10,910
Now this is going to be my secret password.

69
00:06:11,180 --> 00:06:18,270
One, two, three. Told bad secrets.

70
00:06:18,320 --> 00:06:27,130
Previously I was told bad passwords. On router 1 I'm told bad secrets because I've had three timeouts.

71
00:06:27,210 --> 00:06:34,260
So the moral of the story is that if you wait too long you'll be prompted again. After three incorrect

72
00:06:34,260 --> 00:06:35,620
tries of a password,

73
00:06:35,790 --> 00:06:39,690
it reverts back to user mode and that's the default behavior.

74
00:06:39,690 --> 00:06:41,620
It's not going to lock you out of the router.

75
00:06:41,910 --> 00:06:48,210
You can enable more security but that's not covered in the CCNA course so I won't explain it here, but

76
00:06:48,210 --> 00:06:58,420
you can lock someone out of a router if you want to. And something to take note of is show run |

77
00:06:58,460 --> 00:07:04,700
include enable. You can't use this as your password.

78
00:07:04,860 --> 00:07:12,020
So copy that, type disable and paste it in, but it's not accepted as a password.

79
00:07:15,290 --> 00:07:16,310
So I'll say no

80
00:07:16,330 --> 00:07:18,650
enable secret

81
00:07:21,410 --> 00:07:22,880
show run |

82
00:07:22,910 --> 00:07:23,510
include

83
00:07:23,510 --> 00:07:24,720
enable.

84
00:07:24,720 --> 00:07:37,870
So my password is Cisco. Type service password-encryption, show run | include enable: my encrypted password.

85
00:07:38,230 --> 00:07:44,220
I'll try and paste that in when prompted for a password and it's not accepted.

86
00:07:44,240 --> 00:07:50,560
I need to use my unencrypted password when going from user mode to enable mode.
