Securing IOS Enable mode CLI

Snapshot from my CCNA teaching note.

• First, we create enable mode security passwords. The two password methods for enable mode are enable password and enable secret, and enable secret is more secure than enable password.

• The enable password command stores the password as clear text, and the only option to encrypt it is the weak service password-encryption command.

• The enable secret command automatically hashes the password with Message Digest 5 (MD5) in IOS code before IOS 15.

Configuration, Verification & Testing

> Task 1 >> Let’s configure the enable mode protection passwords. Both enable secret and enable password will be configured. Let’s see which one IOS will use.

R1> enable
R1# conf t
R1(config)# enable secret iP6password1
R1(config)# enable password iP6password2
R1(config)# exit
R1# disable
R1> enable
Password: iP6password1  “Because IOS prefers enable secret over enable password.”
R1# show runn | in enable
enable secret 5 $1$0jxr$Os5Ebw0EAFsSF1hrZDedl/        
enable password iP6password2

> Task 2 >> Let’s delete enable secret. IOS will use enable password only.

R1# conf t
R1(config)# no enable secret
R1(config)# exit
R1# disable
R1> enable
Password: iP6password2
R1# show runn | in enable
enable password iP6password2
R1# show runn | in service password
no service password-encryption  “By default, the password encryption service is disabled.”

> Task 3 >> Let’s use the password encryption service.

R1# conf t
R1(config)# service password-encryption
R1(config)# exit
R1# show runn | in enable |service password
service password-encryption
enable password 7 110029530713181F132539207A  “Now the password is encrypted by the service.”

> Task 4 >> We will remove the password encryption service and check whether the password goes back to clear text. In this case, the password is still encrypted.

R1# conf t
R1(config)# no service password-encryption
R1(config)# exit
R1# show runn | in enable |service password
no service password-encryption
enable password 7 110029530713181F132539207A  “Although the service is disabled, the password stays encrypted until it is changed the next time.”

> Task 5 >> After changing the enable password, we will see the password as clear text.

R1# conf t
R1(config)# enable password iP6password3
R1(config)# exit
R1# show runn | in enable |service password
no service password-encryption
enable password iP6password3
R1#
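
An offline check for the conditions the five tasks demonstrate, written in Python as an added example (not part of the original teaching note): it reads saved show running-config text and reports a clear-text or type 7 enable password, a missing enable secret, and an enable password left beside an enable secret. The function name audit_enable and the severity labels are assumptions made for this example; the sample lines are the outputs shown in Task 1 and Task 3.

```python
import re

# "enable secret|password [type] value", as printed by "show runn | in enable".
ENABLE_RE = re.compile(r"^enable (secret|password)(?: (\d+))? (\S+)$")

# Sample input: the command outputs shown in Task 1 and Task 3 above.
TASK1_OUTPUT = """enable secret 5 $1$0jxr$Os5Ebw0EAFsSF1hrZDedl/
enable password iP6password2"""
TASK3_OUTPUT = """service password-encryption
enable password 7 110029530713181F132539207A"""


def audit_enable(config_text):
    """Return a list of (severity, message) findings for enable-mode passwords.

    Severity labels are this example's own. Password values are never echoed.
    """
    findings = []
    has_secret = has_password = False
    for raw in config_text.splitlines():
        m = ENABLE_RE.match(raw.strip())
        if not m:
            continue  # not an enable line (e.g. "service password-encryption")
        kind, ptype, _value = m.groups()
        if kind == "secret":
            has_secret = True
            if ptype == "5":
                findings.append(("info", "enable secret is stored as a type 5 (MD5) hash"))
        else:
            has_password = True
            if ptype is None:
                findings.append(("high", "enable password is stored in clear text"))
            elif ptype == "7":
                # Type 7 is a reversible encoding, not a hash.
                findings.append(("high", "enable password uses weak type 7 encoding"))
    if has_password and has_secret:
        # Task 1: IOS uses enable secret, so the enable password only adds exposure.
        findings.append(("medium", "enable password is unused beside enable secret"))
    if not has_secret:
        findings.append(("high", "no enable secret configured"))
    return findings


if __name__ == "__main__":
    for name, text in (("Task 1", TASK1_OUTPUT), ("Task 3", TASK3_OUTPUT)):
        for severity, message in audit_enable(text):
            print(f"{name}: [{severity}] {message}")
```

A configuration that passes cleanly has an enable secret line and no enable password line at all.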




About author
Nyi Nyi Min, CCNP, CCDP, is an Instructor and Course Developer on CCNA, CCNP, CCIE. He holds multiple professional certifications from Cisco, Juniper, Microsoft, VMware, etc., and has worked on and supported several enterprise networks. He is the Founder of IP6 Networks (www.ip6networks.com), where he currently teaches CCNA, CCNP classes.



 
