6507 Views 6 Replies Latest reply: Oct 19, 2010 10:22 PM by Khoa Le
Hide user name and password

Oct 4, 2010 2:38 PM

Ahmad Zia ul Hassan 15 posts since
Jul 26, 2009

Is there any way to hide the user name and password in "show run" without using EEM or changing the privilege level?

  • 1. Oct 4, 2010 5:12 PM (in response to Ahmad Zia ul Hassan)
    Re: Hide user name and password

    Dunno about the username... but by using the "service password-encryption" command, the password will appear in an encrypted format in the "sh run" output...

  • 2. Oct 4, 2010 5:55 PM (in response to Ahmad Zia ul Hassan)
    Re: Hide user name and password

    As Daydeep said, enable password encryption and you're good. I'm not aware of any method to mask or hide the username from show running-config output.

    Restricting it via privilege level isn't terribly complex if you are running Cisco ACS as your AAA server.

  • IntegrationArchitect 1,126 posts since
    Aug 14, 2009
    3. Oct 4, 2010 8:17 PM (in response to Ahmad Zia ul Hassan)
    Re: Hide user name and password

    When consulting I can find normal systems in a very compromised state, especially if they are unprotected. Often we low-level format them to hyper-clean the malware and rootkits. But sometimes we need to get some of the changed data off before the wipe.

    In ethical hacking security wizardry they post-mortem how attackers hide their access, usernames, and file and directory creation and modifications. Often on a zombie compromised system you will find hidden directories, filenames, and usernames that are invisible until you mouse over them and highlight them, or if you show a list and notice an extra line return when there should not be one. There is an exploit that can use the ASCII Alt-255 blank space symbol (not the null character, i.e. not the spacebar). So if you want to take it to the extreme you can create such a username and hide it from the screen or printouts at first glance. Don't use it in a production network unless you are the sole proprietor.

    If someone does penetration testing or a SAS 70 audit they will find it, see who created it from the logs, and they will be calling the creator into the big office. Everyone should be aware of it, and there are many web sites that warn about it and the countermeasures.

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    5. Oct 5, 2010 6:15 PM (in response to Ahmad Zia ul Hassan)
    Re: Hide user name and password

    By using the "secret" command instead of "password" on the user creation line, the password will be encrypted way beyond the service password-encryption of a plain-text password.

    Using an AAA server for the user database would prevent someone from seeing the usernames or passwords at level 15.

    Using parser VIEWs, we could restrict what a user could see, but not down to just the username in the config.

    I would say "username bob secret cisco123", with a better password than that, using at least 8 characters, upper and lower case, alpha and numeric, and some special characters, and maybe even a couple of non-related words in a phrase, would be the best way to protect the secret assigned to the user if it is kept locally on the router.

    Keith
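Keith's distinction above, that a "password" line stays recoverable from the config whether or not service password-encryption is on while a "secret" line is stored as a one-way hash, can be checked mechanically. The audit script below is an added example, not code from this thread or from Cisco; the running-config excerpt it scans is constructed and the hash values in it are made up.

```python
import re

# Constructed "show running-config" excerpt; hash values are made up.
SAMPLE_RUNNING_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
username admin privilege 15 password 7 094F471A1A0A
username backup password 0 Backup123
username keith privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username ops secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM
"""

# "username <name> [kw val ...] password|secret [type] <value>" or
# "enable password|secret [type] <value>"; the lazy group skips keyword/value
# pairs such as "privilege 15" that precede the credential keyword.
LINE_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)(?:\s+\S+\s+\S+)*?|(?P<enable>enable))"
    r"\s+(?P<kw>password|secret)(?:\s+(?P<type>\d))?\s+(?P<val>\S+)\s*$"
)

STORAGE = {
    ("password", "0"): "plaintext",
    ("password", "7"): "type 7 obfuscation (reversible)",
    ("secret", "0"): "entered in clear; IOS stores a hash",
    ("secret", "5"): "type 5 (salted MD5 hash)",
    ("secret", "8"): "type 8 (PBKDF2-SHA256)",
    ("secret", "9"): "type 9 (scrypt)",
}

def classify(kw, type_code):
    """Describe how a credential is stored; no type digit means type 0."""
    return STORAGE.get((kw, type_code or "0"), f"{kw} type {type_code} (unknown)")

def audit_config(config_text):
    """List local credentials with their storage form. A 'password' line is
    recoverable from the config even with 'service password-encryption' on;
    only 'secret' lines are stored as one-way hashes."""
    lines = config_text.splitlines()
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            findings.append({
                "principal": m.group("user") or "enable",
                "storage": classify(m.group("kw"), m.group("type")),
                "reversible": m.group("kw") == "password",
            })
    return {"password_encryption": any(l.strip() == "service password-encryption" for l in lines),
            "findings": findings}
```

Calling `audit_config(SAMPLE_RUNNING_CONFIG)` flags the enable, admin and backup entries as reversible and the keith and ops entries as hashed.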

  • Khoa Le 1 posts since
    May 17, 2010
    6. Oct 19, 2010 10:22 PM (in response to Ahmad Zia ul Hassan)
    Re: Hide user name and password

    Dear all,

    I have a quick question: when I do service password-encryption, the password is encrypted when I do show run. However, when I turn it off with "no service password-encryption", the password is still encrypted. I wonder, is there any way to decrypt it?

    Thank you
