So at the moment, I've configured an enable password of Cisco. No service password-encryption is configured, which means that the password is shown in clear text.

The advantage of an enable password is that when I type enable, I'm asked to enter a password. When you connect to a live router, by default you're in user mode, and if an enable password hasn't been configured, you are immediately able to access privileged mode or enable mode. But when a password is configured, you'll be prompted to enter the password before you can access that mode.

Now, Cisco recommend that you use enable secret rather than enable password, and that's because this uses better encryption. It uses MD5 hashing to hash the password; I'll show you a demonstration of hashing in a moment.

In a similar way to the enable password, we can enter 0, which means we're entering the password as unencrypted, or 5, which means that the password that follows is encrypted. You don't have to enter 0 by default, either. So I'm just going to say enable secret Cisco, but notice what happens. I'm told that the enable secret I have chosen is the same as the enable password. This is not recommended. Re-enter the enable password. When I type show run | include enable, you'll notice it did accept the secret password, but I'm told that I should re-enter the password.
So let's follow Cisco's advice and I'll set the password to hello: enable secret hello. Now when I type Control-Z, then disable, then enable, I'm actually typing hello rather than Cisco to access privileged mode or enable mode.

When I type show run, I'll do the full running-config so that you can see it in the output. Notice no service password-encryption is configured, but the secret password is hashed. It's encrypted by default. You can't decrypt that in the same way that I showed you using the hacking tool. The hacking tool only works with type 7 passwords, and this is a lot more secure than type 7. Now, I've shown you how to hack a type 7 password. It's not as easy to do that with an MD5 password.

This tool is also available as part of the course. Look below the video to use it. This is a hashing application that shows you MD5 hashing versus SHA hashing versus SHA-256, SHA-512 and SHA-384. MD5 hashes are 128 bits in length, and it's actually recommended for VPNs, or virtual private networks, that you don't use MD5 hashes, but Cisco routers are still using MD5 hashes for the secret password.
If I configure a password of Cisco and then click hash, this application will show me the hexadecimal hash of that password, the binary hash, as well as the SHA hashes of that password, and what you'll notice is the SHA passwords are a lot longer. These are hex values, so each value that you see here is four binary digits. These are going to be a lot longer and a lot more secure than an MD5 hash of 128 bits.

But for now, keep your eye on the binary and the MD5, and all I'm going to do is add one more character. So add a 1 at the end and click hash again, and what you should have noticed is that the hash changed quite dramatically from the previous example. Notice at the end here 0816. When I put another character in (I'll just put in a dot) and click hash, notice the entire number has changed. So even a minor change in the source text will cause the hash to change entirely. So in other words, if you change your password, the whole hash changes. So it's much more difficult for someone to try and crack this password than, say, using service password-encryption. Cisco once again recommend that you use a secret password rather than an enable password.

Let's look at the functionality of the passwords. Router 1 has an enable and secret password configured; router 2 at the moment doesn't have a password configured.
I'll boot the router and open up a console. So type disable on router 1, and do the same on router 2. When I type enable on router 1, I need to enter my password, which is my secret password. On router 2, I don't have to enter anything because no password has been configured.

If I type enable and do nothing, the router is going to wait for a period of time for me to enter a password, and if I don't, it's going to prompt me. I'll speed up the video to save you the time waiting for this. But notice the timeout has expired; that's going to happen three times while we're waiting for that.

I'll set up an enable password on router 2, and I'll show you what happens when I type the wrong password in. So I'm going to type in password one, password two, password three. Notice it tells me bad passwords. So I'm not locked out of the router. I'm simply told that I've entered a bad number of passwords. Notice on router 1 a second timeout has occurred. On router 2, let's do enable secret Cisco1, then disable. Now this is going to be my secret password: 1, 2, 3, and I'm told bad secrets. Previously I was told bad passwords; on router 1 I'm told bad secrets because I've had three timeouts. So the moral of the story is that if you wait too long, you'll be prompted again.
After three incorrect tries of a password, it reverts back to user mode, and that's the default behavior. It's not going to lock you out of the router. You can enable more security, but that's not covered in the CCNA course, so I won't explain it here, but you can lock someone out of a router if you want to.

Another thing to take note of: show run | include enable. You can't use this as your password, so I'll copy that, type disable, and paste it in, but it's not accepted as a password. So I'll say no enable secret. Show run | include enable, so my password is Cisco. Type service password-encryption. Show run | include enable, there's my encrypted password. I'll try and paste that in when prompted for a password, and it's not accepted. I need to use my unencrypted password when going from user mode to enable mode.
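As an added example (not part of the video or the course's own hashing tool), here is a Python script that audits the enable lines of a running-config the way the video inspects them with show run | include enable, and reproduces the MD5 avalanche demonstration by counting how many of the 128 hash bits change when one character is appended. The config excerpt and the type 5 string are constructed placeholders, not output from a real device.

```python
import hashlib
import re

# Constructed sample running-config excerpt (not from a real device); the
# type 5 string is a placeholder, not a real hash of any password.
SAMPLE_RUNNING_CONFIG = """\
hostname Router1
no service password-encryption
enable password cisco
enable secret 5 $1$SALT$PLACEHOLDERHASHxxxxxxxxxx
"""

# Matches "enable password <pw>", "enable password 7 <hex>",
# "enable secret 5 <hash>" and similar forms as printed by "show run".
ENABLE_RE = re.compile(r"^enable (password|secret)(?: ([0-9]))? (\S+)$")


def audit_enable_lines(config: str) -> list[dict]:
    """Classify every enable password/secret line in a Cisco IOS running-config."""
    findings = []
    for raw in config.splitlines():
        m = ENABLE_RE.match(raw.strip())
        if not m:
            continue
        kind, enc_type, _value = m.groups()
        if kind == "password" and enc_type in (None, "0"):
            risk, note = "high", "cleartext enable password"
        elif kind == "password" and enc_type == "7":
            risk, note = "high", "type 7 is reversible obfuscation, not a hash"
        elif kind == "secret" and enc_type == "5":
            risk, note = "medium", "type 5 is salted MD5; newer IOS also offers type 8/9"
        else:
            risk, note = "info", f"unexpected form (type {enc_type})"
        findings.append({"kind": kind, "type": enc_type or "0", "risk": risk, "note": note})
    if {f["kind"] for f in findings} == {"password", "secret"}:
        # IOS prompts for the secret when both exist; the password line only leaks a credential.
        findings.append({"kind": "both", "type": "-", "risk": "low",
                         "note": "enable password is unused alongside enable secret; remove it"})
    return findings


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many of the 128 MD5 bits differ between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")
```

Run audit_enable_lines on the text of show run, and compare md5_hex("cisco") with md5_hex("cisco1") to see roughly half the bits flip for a one-character change.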