Wondering how to recover encrypted passwords from a Cisco WLC config file?
It’s not that hard 🙂
First you need to have the config file in hand. If you just want to play around, google for “wlc config begin” and pick an arbitrary file.
Found a suitable file? Perfect… You’ll find a lot of entries like:
config mgmtuser add encrypt admin 1 f3e99202e483ad9c8308a643d5d51dcb b3a0813c7f611c19d97f1a7455645bf98fb3b4b7 16 73abc5d52b4522cb871cacac0f8a9e110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write
or
config radius auth add encrypt 1 192.168.11.21 1645 password 1 fce16d38caeb3a05d9f3897d8b4892d0 778826bbff6f38ebe930c4472806d41178448ee8 16 7ba3ab9c7cc59f9626f8fafdfe5d7fc500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Having a closer look at those strings, we see that no matter which kind of credential it is (SNMP, MGMT user, …), the same format is used:
If the encryption type is “1” (which means AES-128 CBC with PKCS#7 padding), it is followed by a bunch of hex-encoded strings. The interesting ones are the first and the third (from the first example):
f3e99202e483ad9c8308a643d5d51dcb <- initialization vector
7ba3ab9c7cc59f9626f8fafdfe5d7fc5 <- encrypted password, padded with trailing “0”s, which we simply strip.
We also know there is a constant encryption key: 834156F9940F09C0A8D00F019F850005
Where do we know the constant key from? Yeah, Google of course 🙂
Nothing more is needed… the rest is done by any of the many AES decryption tools on the internet:
I’ve used: http://aes.online-domain-tools.com/
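An added example from the defender's side (not from the original post): a small scanner that finds the `encrypt … 1` entries in a WLC config dump and lists the credentials that are recoverable by anyone who gets hold of the file, so they can be rotated and the backup handled accordingly. The sample config lines and their hex values are constructed, and the reading of the numeric field before the ciphertext as its byte length is an assumption.

```python
"""Audit a Cisco WLC config dump for credentials stored with encryption type 1.
Added example (not from the original post). It decrypts nothing: it finds the
'encrypt ... 1 <iv> <digest> <len> <ciphertext>' entries the post describes and
reports them, so an operator knows which credentials count as exposed (and need
rotating) if the backup was shared or leaked.
Assumption: the numeric field before the ciphertext is its length in bytes.
"""
import re
from dataclasses import dataclass

# type digit, 32-hex IV, 40-hex digest, length field, then the zero-filled ciphertext
ENTRY_RE = re.compile(
    r"\bencrypt\b(?P<ctx>.*?)\s(?P<type>\d)\s+(?P<iv>[0-9a-f]{32})\s+"
    r"(?P<digest>[0-9a-f]{40})\s+(?P<len>\d+)\s+(?P<ct>[0-9a-f]+)", re.I)

@dataclass
class Finding:
    section: str      # mgmtuser, radius, snmp, ...
    context: str      # tokens between 'encrypt' and the type digit (user, server, ...)
    enc_type: str
    iv_hex: str
    ct_hex: str       # ciphertext with the trailing "0" filler removed
    reversible: bool  # type 1: AES-128-CBC under a fixed, publicly known key

def scan_config(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        tokens = line.split()
        m = ENTRY_RE.search(line) if tokens[:1] == ["config"] else None
        if not m:
            continue
        n = int(m.group("len"))  # assumed ciphertext length in bytes
        findings.append(Finding(
            section=tokens[1], context=m.group("ctx").strip(),
            enc_type=m.group("type"), iv_hex=m.group("iv").lower(),
            ct_hex=m.group("ct").lower()[:2 * n],
            reversible=m.group("type") == "1"))
    return findings

# Constructed sample in the layout the post shows; the hex values are fake.
SAMPLE_CONFIG = """\
config mgmtuser add encrypt admin 1 0123456789abcdef0123456789abcdef 00112233445566778899aabbccddeeff00112233 16 deadbeefcafef00ddeadbeefcafef00d0000000000000000 read-write
config radius auth add encrypt 1 192.168.11.21 1645 password 1 fedcba9876543210fedcba9876543210 ffeeddccbbaa99887766554433221100ffeeddcc 16 0badf00d0badf00d0badf00d0badf00d000000000000
config network webmode enable
"""

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        verdict = "recoverable by anyone holding this file" if f.reversible else "check type"
        print(f"{f.section:9} {f.context:32} type={f.enc_type}: {verdict}")
```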