First you need a copy of the configuration file. How? Use your sniffing skills, which I will not show here.
Open the file and look for lines like the following:
mgmtuser add encrypt testadmin 1 a9836e23b845fef2d73ac99f01dfae20 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 16 79f0be7ced838052b0cdfc062764c2de0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write
or
radius auth add encrypt 1 192.168.11.21 1645 password 1 a9836e23b845fef2d73ac99f01dfae20 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 16 79f0be7ced838052b0cdfc062764c2de0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Looking more closely at those strings, we see that no matter which kind of credential is stored (SNMP, MGMT-User, …), the same format is used:
- The encryption type after the username: if the encryption type is “1” (which means AES-128 CBC PKCS#7), it is followed by a hex-encoded string, which is the init vector.
- The hex number after 16: the encrypted password in hex.
The data we need here is:
a9836e23b845fef2d73ac99f01dfae20 < Init vector
79f0be7ced838052b0cdfc062764c2de < Encrypted password, padded with trailing “0”s, which can simply be stripped.
We also know there is a constant encryption key (which is always the same for AES-128 CBC PKCS#7): 834156F9940F09C0A8D00F019F850005, which can be googled.
Use an online tool http://aes.online-domain-tools.com to crack the password.
Put the values into the online tool and it will do the rest for you!
The password for this user is testP@ssw0rd .
If you tick Plaintext, type testP@ssw0rd into the Input text field, keep the init vector as a9836e23b845fef2d73ac99f01dfae20, and then click Encrypt!, it will produce the encrypted password 79f0be7ced838052b0cdfc062764c2de.
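The field layout described above can also be used to audit a saved configuration. The following Python sketch is an added example, not code from the original post: it lists every type-1 encrypted secret in a config so an administrator can see which stored credentials are recoverable from a leaked backup. It assumes the decimal field before the hex blob is the ciphertext length in bytes (consistent with the sample: 16 and 32 hex digits); the function name and the sample config are constructed.

```python
import re

# Constructed sample modelled on the two lines shown above (opaque field and
# zero padding shortened); the last secret line is deliberately truncated.
SAMPLE_CONFIG = """\
mgmtuser add encrypt testadmin 1 a9836e23b845fef2d73ac99f01dfae20 xxxxxxxx 16 79f0be7ced838052b0cdfc062764c2de00000000000000000000000000000000 read-write
radius auth add encrypt 1 192.168.11.21 1645 password 1 a9836e23b845fef2d73ac99f01dfae20 xxxxxxxx 16 79f0be7ced838052b0cdfc062764c2de00000000000000000000000000000000
sysname lab-controller
mgmtuser add encrypt broken 1 a9836e23b845fef2d73ac99f01dfae20 xxxxxxxx 32 79f0be7ced838052
"""

# Encryption type "1", 32 hex digits of IV, one opaque field,
# a decimal length, then the zero-padded hex blob.
FIELD_RE = re.compile(
    r"(?<!\S)1\s+([0-9a-fA-F]{32})\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]+)(?!\S)"
)

def find_type1_secrets(config_text):
    """Return one record per config line that stores a type-1 encrypted secret."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if "encrypt" not in line.split():
            continue
        m = FIELD_RE.search(line)
        if not m:
            continue
        iv, length, blob = m.group(1), int(m.group(3)), m.group(4)
        entry = {
            "line": lineno,
            "command": " ".join(line.split()[:2]),
            "iv": iv.lower(),
            "length": length,
        }
        if len(blob) < 2 * length:
            # Declared length does not fit the blob: report it, do not guess.
            entry["error"] = "blob shorter than declared length"
        else:
            # Cut by the declared length instead of stripping zeros, so a
            # ciphertext that ends in a zero nibble is not shortened.
            entry["ciphertext"] = blob[: 2 * length].lower()
            entry["padding_is_zero"] = set(blob[2 * length:]) <= {"0"}
        findings.append(entry)
    return findings

if __name__ == "__main__":
    for finding in find_type1_secrets(SAMPLE_CONFIG):
        print(finding)
```

Cutting the blob at the declared length avoids a pitfall of stripping trailing zeros by hand: a ciphertext whose last byte ends in 0 would lose data.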