Using John to Crack Cisco md5


Requirements: John the Ripper, a Cisco MD5 (enable secret) password hash

Step 1:
Download/Install john

Step 2:
Have a good, long dictionary list ready: brute forcing can take a while, so a dictionary attack is the best place to start.

Step 3:
The hash inside the cisco config looks similar to this:
enable secret level 2 5 $1$WhZT$YYEI3f0wwWJGAXtAayK/Q.
enable secret 5 $1$4C5N$JCdhRhHmlH4kdmLz.vsyq0

Make it look like this in a text file:

If needed, you can use this sed command to convert the config into the required format:
sed -n 's/[ :]/_/g; s/^\(.\{1,\}\)_5_\($1$[$./0-9A-Za-z]\{27,31\}\)_*$/\1:\2/p' < cisco-device-config > passwd
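
A Python equivalent of the sed conversion in Step 3, added here as an example (it is not from the original page or from the John the Ripper project): it pulls type 5 secrets out of a config you are auditing and emits them in the same label:hash layout, skipping malformed hashes. The function name, the sample config and the 1-8 character salt range are assumptions.

```python
import re

# Cisco type 5 secrets are md5crypt strings: $1$<salt>$<22 chars>.
# Assumption: salt of 1-8 crypt-alphabet characters (the page's hashes use 4).
MD5CRYPT = r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"

# "<anything> 5 <hash>" at end of line, e.g. "enable secret 5 $1$...".
TYPE5_LINE = re.compile(r"^\s*(?P<label>\S.*?)\s+5\s+(?P<hash>" + MD5CRYPT + r")\s*$")

# Constructed sample config. The first two secrets are the ones shown above;
# the username hash is a made-up string of the right shape, and the last line
# is deliberately truncated to show that malformed hashes are skipped.
SAMPLE_CONFIG = """\
hostname lab-rtr1
enable secret level 2 5 $1$WhZT$YYEI3f0wwWJGAXtAayK/Q.
enable secret 5 $1$4C5N$JCdhRhHmlH4kdmLz.vsyq0
 username admin privilege 15 secret 5 $1$AbCd$0123456789abcdefghijkl
enable secret 5 $1$4C5N$JCdhRhHmlH4kdm
"""


def to_john_lines(config_text):
    """Return one 'label:hash' line per well-formed type 5 secret."""
    lines = []
    for raw in config_text.splitlines():
        match = TYPE5_LINE.match(raw)
        if match is None:
            continue  # not a type 5 secret, or the hash is malformed
        # Like the sed command: spaces and colons in the label become "_",
        # leaving ":" free to act as john's field separator.
        label = re.sub(r"[\s:]", "_", match.group("label"))
        lines.append(f"{label}:{match.group('hash')}")
    return lines


if __name__ == "__main__":
    for line in to_john_lines(SAMPLE_CONFIG):
        print(line)
```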

Step 4:
Launch john on the text file and be sure to include your dictionary list!

I know this file is titled using John, but I had to add in here that there is another application which is steadily growing in popularity and is now known as the world's fastest md5 cracker!
It's called BarsWF
You can read more about it in the tools section here and I would definitely recommend using this application over any other for md5 hash cracking/bruteforcing.

At this current point in time BarsWF does not have the ability to crack these types of hashes because they are salted md5. We are hoping that BarsWF includes this functionality soon, as it was posted on their website that including support for other hashes is a goal.
Therefore in order to crack cisco hashes you will still need to utilize John the Ripper.
Why did I bother to even mention BarsWF? Two reasons:
1) I was unaware of the limitations of BarsWF at the time of writing and was amazed at the cracking speed of the normal md5 hash.
2) I wanted to assist in promoting the utility given my amazement. Obviously how much popularity the application gets will impact on whether the author makes an updated version capable of cisco hashes or just other hashes in general. As fast as BarsWF is at cracking md5, we would all love to see this speed utilized for other hashes as well.