[CLUE-Tech] DSL (Cisco Modem) - passwords

Dave Anselmi anselmi at americanisp.net
Fri Jan 4 17:39:48 MST 2002


Richard Knechtel wrote:

> I figured some of it out.  It seems that if you set the password encryption
> to disabled and then set the exec and enable passwords the "Commander
> Password" doesn't show up. BUT if you set password encryption to enabled
> THEN the "Commander Password" shows up.  Unfortunately the password
> recovery stuff won't help since the commander password only shows up in
> encrypted mode and using MD5 so their password recovery procedures won't work.
>
> Anyone know how to reverse MD5 encryption? :^)

Well, it would be nice if we could find some info on this.  I don't think this is a back door.  The reason is
that if you change the root (or exec) password, the commander password changes too.  Oddly, if I set the root
password to 'a', change it to 'b', and then back to 'a', I will get 3 different values for the MD5 Root
Password but only 2 values for the MD5 Commander Password (the first and last are the same, as you'd expect
from a password hash).

So my guess is that when you talk to the modem using the Commander program, it sends the password differently
than when you talk to the modem directly so it needs a different hash.  What that means for security is hard
to tell without the details.

In any case, if I can figure out how to modify the memory of the thing, I'd try poking some other numbers
into the commander password and see what happens.  Probably just prevent Commander from logging in.

MD5 passwords are cracked the same as crypt() passwords - by dictionary attack.  I don't think they are any
harder to do, except that the MD5 hash takes longer than the crypt one does.

Dave
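
Added example, not part of the original post and not Cisco's code: the a, b, a experiment described above gives the counts a randomly salted hash (3 distinct values) and a deterministic, unsalted hash (2 distinct values) would give. That the modem stores its two values this way is an assumption; the function names and the salt$digest layout are made up for the illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def unsalted_md5(password: str) -> str:
    """Deterministic: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password: str, salt: Optional[bytes] = None) -> str:
    """A fresh random salt is drawn on every password change and stored
    next to the digest (hypothetical 'salt$digest' layout)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and compare."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_md5(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def replay_changes(changes: List[str]) -> Tuple[List[str], List[str]]:
    """Record both stored values after each password change."""
    salted = [salted_md5(p) for p in changes]
    unsalted = [unsalted_md5(p) for p in changes]
    return salted, unsalted


if __name__ == "__main__":
    # Constructed input: the sequence from the post (set 'a', then 'b', then 'a').
    salted, unsalted = replay_changes(["a", "b", "a"])
    print("salted   distinct values:", len(set(salted)))
    print("unsalted distinct values:", len(set(unsalted)))
    # Equal unsalted values reveal that the first and last passwords match,
    # and can be checked against a precomputed table; salted ones cannot.
    print("first == last (unsalted):", unsalted[0] == unsalted[2])
    print("login with 'a' still verifies:", verify_salted("a", salted[2]))
```
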
