A little Cisco password recovery

Wondering how to recover encrypted passwords from a Cisco WLC config file?

It’s not that hard 🙂

First you need to have the config file in hand. If you just want to play around, google for “wlc config begin” and pick an arbitrary file.

Found a suitable file? Perfect… You’ll find a lot of entries like:

config mgmtuser add encrypt admin 1 f3e99202e483ad9c8308a643d5d51dcb b3a0813c7f611c19d97f1a7455645bf98fb3b4b7 16 73abc5d52b4522cb871cacac0f8a9e110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write
or
config radius auth add encrypt 1 192.168.11.21 1645 password 1 fce16d38caeb3a05d9f3897d8b4892d0 778826bbff6f38ebe930c4472806d41178448ee8 16 7ba3ab9c7cc59f9626f8fafdfe5d7fc500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Having a closer look at those strings, we see that no matter which kind of credential is stored (SNMP, MGMT-User, …), the same format is used:

If the encryption type is “1” (which means AES-128 CBC with PKCS#7 padding), it’s followed by a series of hex-encoded strings. The interesting ones are the first and the third (from the first example):

f3e99202e483ad9c8308a643d5d51dcb < initialization vector (IV)

7ba3ab9c7cc59f9626f8fafdfe5d7fc5 < encrypted password, padded with trailing “0”s, which we simply strip.

We also know there is a constant encryption key: 834156F9940F09C0A8D00F019F850005

Where does the constant key come from? Google, of course 🙂

Nothing more is needed… the rest of the magic is done by one of the many decryption tools available on the internet:

I’ve used: http://aes.online-domain-tools.com/
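From the defender's side, the useful takeaway is that any “encrypt … 1” entry in a WLC config is only as secret as the config file itself. The following audit script is an added example (not from the original post) that walks a config dump and lists the entries stored with encryption type 1, so an administrator knows which credentials to rotate and which files to treat as secrets. It decrypts nothing; the token layout (type, 32-hex IV, 40-hex hash, “16”, hex ciphertext) is inferred from the two entries above and is an assumption, and the config lines inside it are constructed samples.

```python
"""Flag Cisco WLC config entries that store credentials with encryption type 1.

Added example, not the original post's code. Layout assumption: after the
"encrypt" keyword the entry carries "<type> <iv:32 hex> <hash:40 hex> 16 <ct hex>".
"""
import re

# "config <section> add encrypt <rest>", where <section> is one or two words
ENTRY_RE = re.compile(r"^config\s+(?P<section>\S+(?:\s+\S+)?)\s+add\s+encrypt\s+(?P<rest>.*)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample config in the format the post describes (values are not real)
SAMPLE_CONFIG = """\
config mgmtuser add encrypt admin 1 00112233445566778899aabbccddeeff 0123456789abcdef0123456789abcdef01234567 16 ffeeddccbbaa9988776655443322110000000000000000000000000000000000 read-write
config radius auth add encrypt 1 192.168.11.21 1645 password 1 a1a2a3a4a5a6a7a8a9aaabacadaeafb0 abcdef0123456789abcdef0123456789abcdef01 16 b1b2b3b4b5b6b7b8b9babbbcbdbebfc00000000000000000000000000000000000
config interface address management 10.0.0.5 255.255.255.0 10.0.0.1
"""


def find_type1_entries(config_text):
    """Return a list of (section, encryption_type, iv_hex) for every entry using type 1."""
    findings = []
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # not a credential entry at all
        tokens = m.group("rest").split()
        # Locate the "<type> <iv> <hash> 16 <ct>" group by its 32-hex IV and 40-hex hash
        for i in range(1, len(tokens) - 3):
            iv, digest, marker, ct = tokens[i], tokens[i + 1], tokens[i + 2], tokens[i + 3]
            if (len(iv) == 32 and HEX_RE.match(iv) and len(digest) == 40
                    and HEX_RE.match(digest) and marker == "16" and HEX_RE.match(ct)):
                enc_type = tokens[i - 1]
                if enc_type == "1":
                    findings.append((m.group("section"), enc_type, iv.lower()))
                break
    return findings


if __name__ == "__main__":
    for section, enc_type, iv in find_type1_entries(SAMPLE_CONFIG):
        print(f"[rotate] {section}: stored with encryption type {enc_type} (iv={iv})")
```

Run it against a real exported config to get the list of credentials that should be rotated before that file is shared or archived.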