First of all, your SNMP string can be encrypted with DES. I think it can be encrypted in MD5 as well, even though I have not personally seen it; however, I have encrypted SNMP string in DES myself. Cisco TACACS freeware does come with a generate_passwd utility that will allow you to encrypt a text string into DES. I use this utility on Linux/BSD platform and it works great. If you want to encrypt your string in MD5, I suggest that you do that on a Linux machine. If you have root privilege, you can create a user, assign that user a password that matches the string of your choice. After that, you can retrieve the MD5 hash string from the /etc/shadow (only root can read this file). This is a very simple task.
The next question you ask is that if the enable secret password, which is an MD5 hash, can be cracked. The answer is a resounding YES. I use a program called John the Ripper (available on Unix platform) to crack MD5 hash password. Now granted that it takes longer to crack MD5 password thatn DES or 3DES; however, if the MD5 password is dictionary-based and/or less than 8 characters long, it takes less than a day to crack the password. I've personally tested it on a dual-processor PIII 600MHz with 256MB of RAM. Finally, how do you protect yourself? Well, for SNMP, use version 3 because everything is encrypted (make sure your IOS supports it). Make everyone who logs onto the router/switch authenticate via TACACS. Enable "aaa authorization" and "aaa accounting" on the router/switch. Having done all that, the only time that you will ever use the enable secret password on the router is when your router loses connectivity with the TACACS server. Therefore, it will be useless for anyone who happen to decode your "enable secret" password anyway. Last, if you really want to be secure, do not telnet to the router, use Secure Shell (SSH) instead. That way, your router/switch will be protected from password sniffer and cracker. Cisco only supports SSH version 1 which sucks big time but it is still better than telnet. ----- Original Message ----- From: "Kwame" To: Sent: Wednesday, January 09, 2002 8:03 AM Subject: SNMP Community String [7:31373] > Is there a way to encrypt the snmp community strings? The strings are > security holes since there are tools out there (I know of at least one) > capable of deriving the RW strings, given the RO strings. Once the RW > strings are known, you can download the config files and hack the passwords > although I'm yet to see enable secret passwords cracked (I could be wrong). Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31497&t=31373 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
