Hardening Cisco Routers (2024)

Chapter 4. Passwords and Privilege Levels

Passwords are the core of Cisco routers’ access control methods. Chapter 3 addressed basic access control and using passwords locally and from access control servers. This chapter talks about how Cisco routers store passwords, how important it is that the passwords chosen are strong passwords, and how to make sure that your routers use the most secure methods for storing and handling passwords. It then discusses privilege levels and how to implement them.

Password Encryption

Cisco routers have three methods of representing passwords in the configuration file. From weakest to strongest, they include clear text, Vigenere encryption, and MD5 hash algorithm. Clear-text passwords are represented in human-readable format. Both the Vigenere and MD5 encryption methods obscure passwords, but each has its own strengths and weaknesses.

Vigenere Versus MD5

The main difference between Vigenere and MD5 is that Vigenere is reversible, while MD5 is not. Being reversible makes it easy for an attacker to undo the encryption and recover the passwords. Being irreversible means that an attacker must fall back on much slower brute force guessing attacks in an attempt to obtain the passwords.

Ideally, all router passwords would use strong MD5 encryption, but the way certain protocols, such as CHAP and PAP, work, routers must be able to decode the original password to perform authentication. This need to decode specific passwords means that Cisco routers will continue to use reversible encryption for some passwords—at least until such authentication protocols are rewritten or replaced.

Clear-Text Passwords

Chapter 3 sets passwords using line passwords, local username passwords, and the enable secret command. A show run provides the following:

enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1
enable password enable-password
!
username jdoe password 0 jdoe-password
username rsmith password 0 rsmith-password
!
line con 0
 exec-timeout 5 0
 password console-password
 login local
 transport input none
line aux 0
 exec-timeout 5 0
 password aux-password
 login tacacs
 transport input none
line vty 0 4
 exec-timeout 5 0
 password vty-password
 login
 transport input ssh

The passwords are the values that follow the password and enable secret keywords. Notice that all passwords, except the enable secret password, are in clear text. This clear text poses a significant security risk. Anyone who can view a copy of the configuration file—whether through shoulder surfing or off a backup server—can see the router passwords. We need a way to make sure that all passwords in the router configuration file are encrypted.

service password-encryption

The first method of encryption that Cisco provides is through the command service password-encryption. This command obscures all clear-text passwords in the configuration using a Vigenere cipher. You enable this feature from global configuration mode.

Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#service password-encryption
Router(config)#^Z

Now a show run command no longer displays the password in humanly readable format.

enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1
enable password 7 02030A5A46160E325F59060B01
!
username jdoe password 7 09464A061C480713181F13253920
username rsmith password 7 095E5D0410111F5F1B0D17393C2B3A37
!
line con 0
 exec-timeout 5 0
 password 7 110A160B041D0709493A2A373B243A3017
 login local
 transport input none
line aux 0
 exec-timeout 5 0
 password 7 0005061E494B0A151C36435C0D
 login tacacs
 transport input all
line vty 0 4
 exec-timeout 5 0
 password 7 095A5A1054151601181B0B382F
 login
 transport input ssh

The only password not affected by the service password-encryption command is the enable secret password. It always uses the MD5 encryption scheme.

While the service password-encryption command is beneficial and should be enabled on all routers, remember that the command uses an easily reversible cipher. Some commercial programs and freely available Perl scripts instantly decode any passwords encrypted with this cipher. This means that the service password-encryption command protects only against casual viewers—someone looking over your shoulder—and not against someone who obtains a copy of the configuration file and runs a decoder against the encrypted passwords. Finally, service password-encryption does not protect every secret in the configuration: SNMP community strings and RADIUS or TACACS keys, for example, are left untouched.

Enable Security

The enable, or privileged, password has an additional level of encryption that should always be used. The privileged-level password should always use the MD5 encryption scheme.

In early IOS configurations, the privileged password was set with the enable password command and was represented in the configuration file in clear text:

enable password ena-password

For additional security, Cisco added the service password-encryption command to obscure all clear-text passwords:

service password-encryption
enable password 7 02030A5A46160E325F59060B01

However, as explained earlier, this uses the weak Vigenere cipher. Because of the importance of the privileged-level password and the fact that it doesn’t need to be reversible, Cisco added the enable secret command that uses strong MD5 encryption:

Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret my-secret-password
Router(config)#^Z

A show run now displays:

enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1e

This type of encryption cannot be reversed. The only way to attack it is through brute force methods.

You should always use the enable secret command instead of enable password. The enable password command is provided only for backward compatibility. If both are set, for example:

enable password 7 02030A5A46160E325F59060B01
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1e

the enable secret password takes precedence and the enable password command is ignored.

Warning

Many organizations begin using the insecure enable password command, and then migrate to using the enable secret command. Often, however, they use the same passwords for both the enable password and enable secret commands. Using the same passwords defeats the purpose of the stronger encryption provided by the enable secret command. Attackers can simply decode the weak encryption from the enable password command to get the router’s password. To avoid this weakness, be sure to use different passwords for each command—or better yet, don’t use the enable password command at all.

Strong Passwords

In addition to using encryption to keep passwords from appearing in human-readable form, secure password protection requires the use of strong passwords. There are two requirements for strong passwords. First, they are difficult to guess or crack. Second, they are easy to remember. If the password is based on a word found in a dictionary—a name, a place, and so on—the password is weak. If the password is a complete random string of letters and numbers, the password is strong, but users end up writing the password down because they can’t remember it. To demonstrate how easy it is to crack weak passwords, the following passwords were encrypted with the strong MD5 encryption:

  • hello

  • Enter0

  • 9spot

  • 8twelve8

  • ilcic4l

A brute force password-cracking program was used to see how long it would take to guess each password.

On a Sun Ultra 5 with 512MB of RAM and a 333MHz processor, the first password, hello, took less than five seconds to crack. This is the same amount of time it would take to guess most words in the English language (or a word in any other language, if the attacker included foreign language dictionaries). After four hours, the password cracker had guessed the next three passwords as well. Any password based on a word—English or foreign—is vulnerable to brute force attacks.

The last password looks random and was still not cracked when the password cracker stopped running three days later. The problem is remembering a password like this one. See the upcoming sidebar, Choosing and Remembering Strong Passwords, for tips on choosing an appropriate password.

Choosing and Remembering Strong Passwords

The best way to create a password that is easy to remember but difficult to crack is to use pass phrases. Cisco routers support passwords of up to 25 characters. So create a sentence and use that instead of just a password. When you can’t use a sentence, choose memorable, but strong, six- to eight-character passwords.

When testing the sample passwords hello, Enter0, 9spot, 8twelve8, and ilcic4l, the only password that wasn’t cracked was ilcic4l. The problem is how to remember a password like this. The secret is that this password looks random, but it is not. To create this password, an easily remembered sentence was created. In this case, the sentence was, “I like chocolate ice cream for lunch.” Then the first letter of each word was used to create the base of the password: ilcicfl. Next, the number 4 was put in place of the word for. This provides ilcic4l—a password that is easy to remember, but difficult to crack.

This technique can be modified in any way you like. Take the second letter of each word instead of the first. Change every e to a 3, every a to an @, or every t to a +. Add numbers to the beginning or the end of the password—whatever you can think of.

Finally, another key to creating strong passwords is using a different password on each system. That way, if someone guesses or steals one of your passwords, they can’t use that password to access every system you have an account on. Now there is a problem of remembering a different password for every system you access. There is a solution to this as well. You can modify the preceding technique to help you remember different passwords for every system. For example, take the password used previously, ilcic4l, and modify it for each system that you access. First come up with a formula. A simple one would be to take the first letter of the system name you are connecting to and replace the first letter of the password with that letter. Then do the same for the last letter. If connecting to a system called Router1, the password for that system would be Rlcic41. If connecting to Firewall-One, the password is Flcic4e. These simple examples produce numerous strong passwords that are easy to remember but difficult to crack. You can get as creative as you want in coming up with sentences and formulas. In fact, the more creative you get, the stronger your passwords will be.
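The sidebar's technique carried through in code, as an added example that is not part of the book: the first-letter-of-each-word base with a word substitution, the per-system formula from the paragraph above, and the 25-character limit the sidebar mentions. The function names are my own.

```python
# Added example (not from the book): the sidebar's passphrase technique as small functions.

def base_from_sentence(sentence, word_substitutions=None):
    """First letter of every word; a word listed in word_substitutions is replaced whole.

    Example from the sidebar: "I like chocolate ice cream for lunch." with {"for": "4"}
    gives "ilcic4l".
    """
    word_substitutions = word_substitutions or {}
    chars = []
    for word in sentence.split():
        word = word.strip(".,;:!?\"'").lower()
        if not word:
            continue
        chars.append(word_substitutions.get(word, word[0]))
    return "".join(chars)


def per_system_password(base, system_name):
    """The per-system formula: first and last character of the base become those of the system name."""
    if len(base) < 3 or not system_name:
        raise ValueError("need a base of at least three characters and a system name")
    return system_name[0] + base[1:-1] + system_name[-1]


def within_ios_limit(password, limit=25):
    """True when the password fits the 25-character limit this sidebar gives for Cisco routers."""
    return 1 <= len(password) <= limit


if __name__ == "__main__":
    base = base_from_sentence("I like chocolate ice cream for lunch.", {"for": "4"})
    for system in ("Router1", "Firewall-One"):
        pw = per_system_password(base, system)
        print(system, "->", pw, "ok" if within_ios_limit(pw) else "too long")
```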

Keeping Configuration Files Secure

Except for the enable secret password, all passwords stored on Cisco routers are weakly encrypted. If someone were to get a copy of a router configuration file, it would take only a few seconds to run it through a program to decode all weakly encrypted passwords. The first protection is to keep the configuration files secured.

You should always have a backup of each router’s configuration file. You should probably have multiple backups. However, each of these backups must be kept in a secure location. This means that they are not stored on a public server or on each network administrator’s desktop. Additionally, backups of all routers are usually kept on the same system. If this system is insecure, and an attacker can gain access, he has hit the jackpot—the complete configuration of your entire network, all access list setups, weak passwords, SNMP community strings, and so on. To avoid this problem, wherever backup configuration files are kept, it is best to keep them encrypted. That way, even if an attacker gains access to the backup files, they are useless.

Encryption on an insecure system, however, provides a false sense of security. If attackers can break into the insecure system, they can set up a key logger and capture everything that is typed on that system. This includes the passwords to decrypt the configuration files. In this case, an attacker just has to wait until the administrator types in the password, and your encryption is compromised.

Another option is to make sure your backup configuration files don’t contain any passwords. This requires that you remove the password from your backup configurations manually or create scripts that strip out this information automatically.
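An added example (not from the book) of both practices: a Python script that audits a saved show run for passwords weaker than an MD5 enable secret, including the SNMP community strings and TACACS or RADIUS keys that service password-encryption never hashes, and that strips every such value before the file goes to backup. The configuration fragment is constructed from this chapter's examples; the regular expressions are my own and cover only the common keyword forms.

```python
import re

# Constructed sample of 'show run' output, built from the fragments shown in this chapter.
SAMPLE_CONFIG = """\
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1e
enable password 7 02030A5A46160E325F59060B01
!
username jdoe password 7 09464A061C480713181F13253920
username rsmith password 0 rsmith-password
snmp-server community public RO
tacacs-server key tacacs-shared-key
!
line con 0
 exec-timeout 5 0
 password console-password
 login local
"""

# 'password' / 'secret' lines: optional 'level N', optional numeric type, then the value.
PASSWORD_RE = re.compile(
    r"^(?P<prefix>\s*.*?\b(?:password|secret)(?:\s+level\s+\d+)?)\s+"
    r"(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$")
# Secrets that service password-encryption never hashes. AAA keys may carry a 0/7 type prefix;
# community strings do not, and the rest of the line (RO/RW, ACL) is kept.
OTHER_SECRET_RE = re.compile(
    r"^(?P<prefix>\s*(?:snmp-server community|tacacs-server key|radius-server key))\s+"
    r"(?:(?P<type>[07])\s+)?(?P<value>\S+)(?P<rest>.*)$")
# Type 5 is the MD5 form this chapter discusses; 8 and 9 are the newer hashed forms in later IOS.
HASHED_TYPES = ("5", "8", "9")
WEAK_TYPES = {"0": "clear text", "7": "Vigenere (reversible)"}


def audit_config(text):
    """Return (line_number, finding) for everything weaker than a hashed 'secret'."""
    findings = []
    if "service password-encryption" not in text:
        findings.append((0, "service password-encryption is not enabled"))
    for n, line in enumerate(text.splitlines(), 1):
        m = PASSWORD_RE.match(line)
        if m:
            ptype = m.group("type") or "0"   # no type digit means clear text
            if ptype not in HASHED_TYPES:
                findings.append((n, "type %s password: %s" % (ptype, WEAK_TYPES.get(ptype, "unknown type"))))
            continue
        m = OTHER_SECRET_RE.match(line)
        if m:
            how = "Vigenere-encoded" if m.group("type") == "7" else "clear-text"
            findings.append((n, how + " community string or AAA key (never MD5-hashed)"))
    return findings


def strip_secrets(text, placeholder="<removed>"):
    """Return the configuration with every password, key and community string value replaced."""
    out = []
    for line in text.splitlines():
        m = PASSWORD_RE.match(line) or OTHER_SECRET_RE.match(line)
        if m:
            line = line[:m.start("value")] + placeholder + line[m.end("value"):]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, finding in audit_config(SAMPLE_CONFIG):
        print("line %2d: %s" % (n, finding))
    print(strip_secrets(SAMPLE_CONFIG))
```

Run the audit against every backup before it is stored; the stripped copy is what should live on the backup server when the full file is not needed.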

Warning

Administrators should be very careful not to access routers from insecure or untrusted systems. Encryption or SSH does no good if an attacker has compromised the system you’re working on and can use a key logger to record everything you type.

Finally, avoid storing your configuration files on your TFTP server. TFTP provides no authentication, so you should move files out of the TFTP download directory as quickly as possible to limit your exposure.

Privilege Levels

By default, Cisco routers have three levels of privilege—zero, user, and privileged. Zero-level access allows only five commands—logout, enable, disable, help, and exit. User level (level 1) provides very limited read-only access to the router, and privileged level (level 15) provides complete control over the router. This all-or-nothing setting can work in small networks with one or two routers and one administrator, but larger networks require additional flexibility. To provide this flexibility, Cisco routers can be configured to use 16 different privilege levels from 0 to 15.

Changing Privilege Levels

Displaying your current privilege level is done with the show privilege command, and changing privilege levels can be done using the enable and disable commands. Without any arguments, enable will attempt to change to level 15 and disable will change to level 1. Both commands take a single argument that specifies the level you want to change to. The enable command is used to gain more access by moving up levels:

Router>show privilege
Current privilege level is 1
Router>enable 5
Password: level-5-password
Router#show privilege
Current privilege level is 5
Router#

The disable command is used to give up access by moving down levels:

Router#show privilege
Current privilege level is 5
Router#disable 2
Router#show privilege
Current privilege level is 2
Router#

Notice that a password is required to gain more access; no password is required when lowering your level of access. The router requires reauthentication every time you attempt to gain more privileges, but nothing is needed to give up privileges.

Default Privilege Levels

The bottom and least privileged level is level 0. This is the only other level besides 1 and 15 that is configured by default on Cisco routers. This level has only five commands that allow you to log out or attempt to enter a higher level:

Router#disable 0
Router>?
Exec commands:
  disable  Turn off privileged commands
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  help     Description of the interactive help system
  logout   Exit from the EXEC
Router>

Next is level 1, the default user level. This level provides the user with many more commands that allow the user to display router information, telnet to other systems, and test network connectivity with ping and traceroute. Level 2, which is not enabled by default, adds a few additional show and clear commands, but provides no opportunity for a user to reconfigure the router. Finally, level 15 allows full access to all router commands.

Privilege-Level Passwords

To use the enable command to access a privilege level, a password must be set for that level. If you try to enter a level with no password, you get the error message No password set. Setting privilege-level passwords can be done with the enable secret level command. The following example enables and sets a password for privilege level 5:

Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret level 5 level5-password
Router(config)#^Z
Router#

Now we can enter level 5 with the enable 5 command.

Warning

Just as default passwords can be set with either the enable secret or the enable password command, passwords for other privilege levels can be set with the enable password level or enable secret level commands. However, the enable password level command is provided for backward compatibility and should not be used.

Line Privilege Levels

Lines (CON, AUX, VTY) default to level 1 privileges. This can be changed using the privilege level command under each line. To change the default privilege level of the AUX port, you would type the following:

Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux 0
Router(config-line)#privilege level 4
Router(config-line)#^Z
Router#

Or, to change the default privilege level of all VTY access to level 12:

Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#privilege level 12
Router(config-line)#^Z
Router#

Username Privilege Levels

Finally, a username can have a privilege level associated with it. This is useful when you want specific users to default to higher privileges. The username privilege command is used to set the privilege level for a user:

Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#username jdoe privilege 5
Router(config)#username rsmith privilege 12
Router(config)#^Z
Router#

Changing Command Privilege Levels

By default, all router commands fall under levels 1 or 15. Creating additional privilege levels isn’t very useful unless the default privilege level of some router commands is also changed. Once the default privilege level of a command is changed, only those who have that level access or above are allowed to run that command. These changes are made with the privilege command. The following example changes the default level of the telnet command to level 2:

Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#privilege exec level 2 telnet
Router(config)#^Z
Router#

Now no one with user-level (level 1) access can run the telnet command. Level 2 access is required.

Privilege Mode Example

Here is an example of how an organization might use privilege levels to access the router without giving everyone the level 15 password.

Assume that the organization has a few highly paid network administrators, a few junior network administrators, and a computer operations center for troubleshooting problems. This organization wants the highly paid network administrators to be the only ones with complete (level 15) access to the routers, but also wants the junior administrators to have more limited access to the router that will allow them to help with debugging and troubleshooting. Finally, the computer operations center needs to be able to run the clear line command so they can reset the modem dial-up connection for the administrators if needed; however, they shouldn’t be able to telnet from the router to other systems.

The highly paid administrators will have complete level 15 access. A level 10 will be created for the junior administrators to give them access to the debug and telnet commands. Finally, a level 2 will be created for the operations center to give them access to the clear line command, but not the telnet command:

Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#username admin-joe privilege 15 password joes-password
Router(config)#username admin-carl privilege 15 password carls-password
Router(config)#username junior-jeff privilege 10 password jeffs-password
Router(config)#username junior-jay privilege 10 password jays-password
Router(config)#username ops-fred privilege 2 password freds-password
Router(config)#username ops-pat privilege 2 password pats-password
Router(config)#privilege exec level 10 telnet
Router(config)#privilege exec level 10 debug
Router(config)#privilege exec level 2 clear line
Router(config)#^Z
Router#

Recommended Privilege-Level Changes

The NSA guide to Cisco router security recommends that the following commands be moved from their default privilege level 1 to privilege level 15—connect, telnet, rlogin, show ip access-lists, show access-lists, and show logging. Changing these levels limits the usefulness of the router to an attacker who compromises a user-level account.

To change the privilege level of these commands, you would:

RouterOne#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterOne(config)#privilege exec level 15 connect
RouterOne(config)#privilege exec level 15 telnet
RouterOne(config)#privilege exec level 15 rlogin
RouterOne(config)#privilege exec level 15 show ip access-lists
RouterOne(config)#privilege exec level 15 show access-lists
RouterOne(config)#privilege exec level 15 show logging
RouterOne(config)#privilege exec level 1 show ip
RouterOne(config)#^Z

The final privilege exec level 1 show ip returns the show and show ip commands to level 1, enabling all other default level 1 commands to still function.
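An added example (mine, not the book's or Cisco's) that models the rule just described and the Privilege Mode Example above it: moving a multi-word command such as show ip access-lists to a level also moves its prefixes show and show ip, so the closing privilege exec level 1 show ip is what keeps the other show commands usable at level 1. The model checks a command line against its longest configured prefix; the set of commands treated as level 15 by default is an assumption made for the example.

```python
# Added example (not from the book or from Cisco): a model of the privilege-level rules this
# chapter describes. 'privilege exec level N <cmd>' also moves every prefix of <cmd> to level N,
# and a typed command line is checked against its longest configured prefix.

DEFAULT_LEVEL_15 = ("configure terminal", "debug", "clear line")  # assumed defaults for the model


class PrivilegeTable:
    def __init__(self, default_level15=DEFAULT_LEVEL_15):
        self.levels = {}  # tuple of command words -> required level
        for cmd in default_level15:
            self.levels[tuple(cmd.split())] = 15

    def privilege_exec_level(self, level, command):
        """Model 'privilege exec level <level> <command>', prefixes included."""
        words = tuple(command.split())
        for i in range(1, len(words) + 1):
            self.levels[words[:i]] = level

    def level_of(self, command_line):
        """Level needed to run a command line: its longest configured prefix, else level 1."""
        words = tuple(command_line.split())
        for i in range(len(words), 0, -1):
            if words[:i] in self.levels:
                return self.levels[words[:i]]
        return 1

    def can_run(self, user_level, command_line):
        return user_level >= self.level_of(command_line)


# The organisation example: level 10 for junior admins, level 2 for the operations centre.
USERS = {"admin-joe": 15, "junior-jeff": 10, "ops-fred": 2}


def organisation_example():
    t = PrivilegeTable()
    t.privilege_exec_level(10, "telnet")
    t.privilege_exec_level(10, "debug")
    t.privilege_exec_level(2, "clear line")
    return t


def nsa_recommendation(restore_show_ip=True):
    """The recommended moves to level 15; restore_show_ip=False omits the final 'show ip' line."""
    t = PrivilegeTable()
    for cmd in ("connect", "telnet", "rlogin", "show ip access-lists",
                "show access-lists", "show logging"):
        t.privilege_exec_level(15, cmd)
    if restore_show_ip:
        t.privilege_exec_level(1, "show ip")  # puts 'show' and 'show ip' back at level 1
    return t


if __name__ == "__main__":
    n = nsa_recommendation()
    for line in ("show ip access-lists", "show ip route", "show version", "telnet hostA"):
        print("%-22s needs level %2d" % (line, n.level_of(line)))
    bad = nsa_recommendation(restore_show_ip=False)
    print("without the restore step, 'show version' needs level", bad.level_of("show version"))
```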

Password Checklist

This checklist summarizes the important security information presented in this chapter. A complete security checklist is provided in Appendix A.

  • Enable service password-encryption on all routers.

  • Set the privileged-level (level 15) password with the enable secret command and not with the enable password command.

  • Make sure all passwords are strong passwords that are not based on English or foreign words.

  • Make sure each router has different enable and user passwords.

  • Keep backup configuration files encrypted on a secure server.

  • Access routers only from secure or trusted systems.

  • In large organizations with numerous personnel with router access, use additional privilege levels to restrict access to unnecessary commands.

  • Reconfigure the connect, telnet, rlogin, show ip access-lists, show access-lists, and show logging commands to privilege level 15.
