Sometimes you just need the password

Cisco Type 7 and other Password Hashes / Pop that Hash

Decrypting Cisco Type 7 Password Hashes

Passwords with Cisco Router configurations can be stored in a number of different forms. Each with a varied degree of security. Cisco Type 7 based secrets are a very poor and legacy way of storing the password. Anyone with access to the systems running configuration will be able to easily decode the Cisco Type 7 value. This is demonstrated in the form below. A type 7 password is not actually encrypted at all it is simply encoded. The fact that it is encoded means it can be decoded very easily.

An example Cisco Type 7 encoding of the string cisco is 0822455D0A16.

Try to match the example in our online Cisco Type 7 password hash tool below.

More about Cisco Passwords and Secrets

Over time Cisco has improved the security of its password storage within the standard Cisco Configuration. From type 0 which is password in plain text up to the latest type 8 and type 9 Cisco password storage types.

In this example we can see a type 0 password configuration. There is no obsfucation or hashing of the password. It simply sits in the configuration in plain text.

# show run | inc password
     enable password mypassword

When looking at a Cisco Configuration file you can easily spot the type of security used with the password by looking for the enable line. Here is an example of a password of type 7:

enable password 7 094F4F1D1A0DDD

You can see that while the password is obfuscated getting the password for this device would not be difficult at all. The Cisco Type 7 password format uses a simple reversible cipher ( There are scripts on Github to decode this format or you could use the form above to quickly decode a type 7 password.

A very common example, that provided significantly more security than the Cisco Type 7 encoding is to use MD5 with a Salt. In the configuration file this would be shown as:

enable secret 5 $1$B8pH$PmmcMRoqfeEtQ7WxL865a0

Additional types of encryption were used, including type 4 that was found to have a number of flaws. Even though it was encrypted using SHA256 there was no salt used leaving it vulnerable to brute force attacks.

Newer versions of IOS have both type 8 and type 9 these are significantly harder to brute force and should be used if you can to keep your systems secure.

As with all password security using a long and complicated string of characters will always make things harder for the attacker (except of course if you are using type 0 or type 7 on a Cisco Device). Both Hashcat and John the Ripper are able to brute force common Cisco password types.

Hashcat and Cisco Hashes

Hashcat can be now be used to recover passwords from over 360 different formats. This includes Cisco passwords, in the table below we can see common examples of Cisco hashes with the corresponding Hashcat mode to use when cracking.

ModeHash TypeExample Hash (password for the hash is "hashcat")
500md5crypt, MD5 (Unix), Cisco-IOS $ (MD5) 8772684.bIz5sk8k/
2400Cisco-PIX MD5dRRVnUmUHXOTt9nk
2410Cisco-ASA MD502dMBMYkTdC5Ziyp:36
5700Cisco-IOS type 4 (SHA256)2btjjy78REtmYkkW0csHUbJZOstRXoWdX1mGrmmfeHI
9200Cisco-IOS $ (PBKDF2-SHA256)$8$TnGX/fE4KGHOVU$pEhnEvxrvaynpi8j4f.EMHr6M.FzU8xnZnBr/tJdFWk
9300Cisco-IOS $ (scrypt)$9$2MJBozw/9R3UsU$2lFhcKvpghcyw8deP25GOfyZaagyUOGBymkryvOdfo6