6 Replies Latest reply: Oct 19, 2010 10:22 PM by Khoa Le

    Hide user name and password

    Ahmad Zia ul Hassan

      Is there any way to hide the user name and password in "show run" without using EEM or changing the privilege level?

        • 1. Re: Hide user name and password
          Deydeep - CCIE RS

          Dunno about the username... but by using the "service password-encryption" command... the password will appear in an encrypted format in the "sh run" output...

          • 2. Re: Hide user name and password
            tnewshott

            As Deydeep said - enable password encryption and you're good. I'm not aware of any method to mask or hide the username from show running-config output.

            Restricting it via privilege level isn't terribly complex if you are running Cisco ACS as your AAA server.

            • 3. Re: Hide user name and password
              IntegrationArchitect

              When consulting, I can find normal systems in a very compromised state, especially if they are unprotected. Often we low-level format them to hyper-clean the malware and rootkits. But sometimes we need to get some of the changed data off before the wipe.


              In ethical hacking security wizardry they post-mortem how attackers hide their access, usernames, and file and directory creation and modifications. Often on a zombie compromised system you will find hidden directories, filenames, and usernames that are invisible until you mouse over them and highlight them, or if you show a list and notice an extra line return when there should not be one. There is an exploit that can use the ASCII Alt-255 blank space symbol (not the null character, i.e. not the spacebar). So if you want to take it to the extreme you can create such a username and hide it from the screen or printouts at first glance. Don't use it in a production network unless you are the sole proprietor.


              If someone does penetration testing or a SAS 70 audit, they will find it, see who created it from the logs, and they will be calling the creator into the big office. Everyone should be aware of it, and there are many web sites that warn about it and its countermeasures.


              • 4. Re: Hide user name and password
                Ahmad Zia ul Hassan

                We can write a script in EEM and execute the following command when a user executes "show run":


                sh run | exclude username


                But I don't want to configure EEM; I am looking for the same thing while keeping the user at privilege level 15.

                Although we can use service password encryption, that can be deciphered easily.

                • 5. Re: Hide user name and password
                  Keith Barker - CCIE RS/Security, CISSP

                  By using the "secret" command instead of "password" on the user creation line, the password will be encrypted way beyond the service password encryption of a plain text password.


                  Using an AAA server for the user database would prevent someone from seeing the usernames or passwords at level 15.


                  Using parser VIEWs, we could restrict what a user could see, but not down to just the username in the config.


                  I would say the "username bob secret cisco123" with a better password than that, using at least 8 characters, upper and lower case, alpha and numeric, and some special characters, and maybe even a couple non-related words in a phrase, would be the best way to protect the secret assigned to the user if it is kept locally on the router.


                  Keith
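                  The distinction drawn in replies 4 and 5 (service password-encryption is reversible; "secret" stores a hash) can be checked mechanically over a "show run" dump. The following is an added example, not code from this thread or from Cisco: a small Python audit that reads show-run text and flags every credential stored as plaintext (type 0) or as type 7, so it can be re-created with "secret" or moved to login local/AAA. The sample configuration and every username, hash and type 7 string in it are constructed; types 8 and 9 are real IOS/IOS-XE hash types that the thread does not mention.

```python
import re
# Constructed "show run" excerpt for this added example; usernames, hashes and
# type 7 strings are made up and do not come from the thread or a real device.
SAMPLE_RUN = """\
service password-encryption
username admin privilege 15 password 7 0822455D0A16
username ops privilege 15 secret 5 $1$abcd$0123456789abcdefghijkl
username backup password 0 letmein
enable secret 9 $9$abcdefghijklmn$ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
line vty 0 4
 password 7 121A0C041104
 login local
"""

# How IOS stores each credential type. Types 8 (PBKDF2-SHA256) and 9 (scrypt)
# are not in the thread but exist on newer IOS/IOS-XE and are the ones to prefer.
TYPE_INFO = {"0": ("plaintext", "HIGH"),
             "7": ("reversible obfuscation from service password-encryption", "HIGH"),
             "5": ("salted MD5 hash", "MEDIUM"),
             "8": ("PBKDF2-SHA256 hash", "LOW"), "9": ("scrypt hash", "LOW")}

# "username NAME ... password|secret [TYPE] VALUE", "enable password|secret ...",
# or an indented line-mode "password [TYPE] VALUE" (e.g. under "line vty 0 4").
CRED_RE = re.compile(
    r"^(?P<ctx>\s*username\s+(?P<user>\S+)(?:\s+\S+)*?|\s*enable|\s+)"
    r"\s*(?P<kw>password|secret)\s+(?:(?P<type>[05789])\s+)?(?P<value>\S+)\s*$"
)

def remediation(where: str, kw: str, ctype: str) -> str:
    """The change to ask for: 'secret' over 'password', login local/AAA over line passwords."""
    if where == "line":
        return "remove the line password; authenticate with 'login local' or AAA"
    if kw == "password":
        return "re-create the user with 'secret' (type 9 or 8 where supported)"
    return "ok"

def audit(config: str) -> list:
    """One finding per credential statement in a show-run dump, with storage type and risk."""
    findings = []
    for line in config.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue
        ctype = m.group("type") or "0"  # no type digit means the value is plaintext
        storage, risk = TYPE_INFO.get(ctype, ("unknown type", "MEDIUM"))
        where = m.group("user") or ("enable" if "enable" in m.group("ctx") else "line")
        findings.append({"where": where, "keyword": m.group("kw"), "type": ctype, "storage": storage,
                         "risk": risk, "fix": remediation(where, m.group("kw"), ctype)})
    return findings
```

                  Running audit() over a real "show run" capture gives one record per credential; anything rated HIGH is readable by whoever can see the running config, which is the gap the question is about.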

                  • 6. Re: Hide user name and password
                    Khoa Le

                    Dear all,


                    I have a quick question: when I do service password-encryption, the password will be encrypted when I do show run. However, when I turn it off with "no service password-encryption", the password is still encrypted. I wonder, is there any way to decrypt it?


                    Thank you