1 00:00:00,150 --> 00:00:05,190 In this video, we're going to discuss the enable and secret passwords on Cisco devices.
2 00:00:06,090 --> 00:00:12,870 In this example, I have a Cisco router and when I hit enter, I'm taken to user mode and then I can
3 00:00:12,870 --> 00:00:18,480 type enable, which takes me immediately to enable or privilege mode.
4 00:00:19,530 --> 00:00:24,930 There is no authentication at all, I'm immediately able to start configuring the router.
5 00:00:25,960 --> 00:00:31,360 Now, from a security point of view, that's a really bad idea when someone connects to the console
6 00:00:31,360 --> 00:00:39,220 of a router or switch, you typically want to have a password configured so that that person is not able
7 00:00:39,220 --> 00:00:46,090 to go from the user mode to the enable or privilege mode without some type of security.
8 00:00:47,120 --> 00:00:53,060 It's very risky to have a router configured without some type of authentication.
9 00:00:54,070 --> 00:01:01,480 Now, in this example, in GNS3 it works a little bit differently, GNS3 routers take you
10 00:01:01,480 --> 00:01:03,850 to privilege mode immediately.
11 00:01:04,300 --> 00:01:11,470 So I'm going to open up a console to this Cisco router running in GNS3 and I'm told that I can press
12 00:01:11,470 --> 00:01:21,160 enter to get started and I'm taken to privilege mode immediately. So if I type exit and hit enter notice
13 00:01:21,160 --> 00:01:28,360 I'm taken to privilege mode straight away. On a real Cisco router, so a physical router
14 00:01:29,020 --> 00:01:31,930 you can see in this example that I'm using a 2801.
15 00:01:33,070 --> 00:01:40,810 When I type exit and then hit enter, I'm taken to user mode, not privileged mode, and then I need
16 00:01:40,810 --> 00:01:43,120 to type enable to go to privilege mode.
17 00:01:43,990 --> 00:01:51,370 Now, apart from that, you can test this entire lab on GNS3 because you can type disable and then
18 00:01:51,370 --> 00:01:55,720 type enable and that takes you from user mode to privilege mode once again.
19 00:01:56,590 --> 00:02:02,890 So the issue here is that when you connect to real routers via the console.
20 00:02:03,850 --> 00:02:11,350 You can gain access to the router without entering a password, so we want to change this and add some
21 00:02:11,350 --> 00:02:12,370 type of security.
22 00:02:13,750 --> 00:02:21,520 So once again, when I'm in user mode and I type enable, I gain access to the router by default using
23 00:02:21,520 --> 00:02:27,070 privilege level 15, which means I have all rights to the router without a password.
24 00:02:27,760 --> 00:02:28,750 So let's change that.
25 00:02:28,760 --> 00:02:30,690 So configure terminal or conf t.
26 00:02:31,480 --> 00:02:36,730 There are two ways to configure passwords for the enable mode or privilege mode
27 00:02:37,410 --> 00:02:43,330 and when you type enable you'll see that you can configure a password for enable mode or a secret
28 00:02:43,330 --> 00:02:44,840 password for enable mode.
29 00:02:45,640 --> 00:02:49,080 So both of these assign a privilege, a level type of password.
30 00:02:49,930 --> 00:02:57,880 Now the enable password is still in the Cisco CCNA which is surprising because it's a very weak way
31 00:02:58,030 --> 00:02:59,500 of setting up passwords.
32 00:03:00,370 --> 00:03:03,990 The reason why is the password is unencrypted as shown over here.
33 00:03:04,660 --> 00:03:08,740 When you type in the password, you either specify 0, which means that the password you're going
34 00:03:08,740 --> 00:03:14,860 to now type is in clear text or you specify 7, which means that the password is encrypted when
35 00:03:14,860 --> 00:03:20,260 you type it in.
By default, you don't have to put the 0 in, which means that the password you're
36 00:03:20,290 --> 00:03:21,880 now typing is in clear text.
37 00:03:22,690 --> 00:03:24,110 Now be careful hitting enter
38 00:03:24,110 --> 00:03:26,980 at this point, you don't want a password of Cisco space.
39 00:03:27,550 --> 00:03:30,750 So I'm going to press backspace and then hit enter.
40 00:03:31,420 --> 00:03:38,920 So the password configured is enable password Cisco, control Z, or control Zed takes me back to privilege
41 00:03:38,920 --> 00:03:41,350 mode and now I type show run.
42 00:03:41,710 --> 00:03:42,820 You'll see the problem.
43 00:03:43,630 --> 00:03:45,610 Notice the password is in clear text.
44 00:03:46,240 --> 00:03:51,340 So if you were standing behind me looking over my shoulder, you'd be able to see what the password
45 00:03:51,340 --> 00:03:52,580 is configured as well.
46 00:03:52,600 --> 00:03:59,200 If I copied the configuration to a TFTP server and you opened up the file on the FTP server, you'd
47 00:03:59,200 --> 00:04:01,570 also be able to see what the password is configured as.
48 00:04:02,410 --> 00:04:09,010 So Cisco recommend that you change this default of no service password-encryption to service password
49 00:04:09,010 --> 00:04:12,670 encryption to enable encryption of the password.
50 00:04:13,390 --> 00:04:14,650 Now this is a trap,
51 00:04:14,710 --> 00:04:16,899 don't be fooled by this encryption.
52 00:04:17,680 --> 00:04:22,810 So firstly, when you type, show run or show running-config notice we've set service password
53 00:04:22,810 --> 00:04:27,310 encryption and the password is now encrypted with a type 7 password.
54 00:04:28,030 --> 00:04:35,350 However, if I copy that and paste it into a hacking tool, I'll make this tool available as part of
55 00:04:35,350 --> 00:04:36,010 the course.
56 00:04:36,040 --> 00:04:38,200 So you should see it below this video.
57 00:04:39,010 --> 00:04:46,330 If I paste that password in and click show password, notice the password is decrypted, so this password
58 00:04:46,330 --> 00:04:52,060 is only useful for stopping someone standing behind you, looking over your shoulder and seeing what
59 00:04:52,060 --> 00:04:52,900 your password is.
60 00:04:53,420 --> 00:05:00,280 It is not actually something that you should be using today, now just to confirm that if I type enable
61 00:05:00,280 --> 00:05:02,160 password Cisco 1
62 00:05:02,710 --> 00:05:09,940 and in this case, I'll use the do show run command, which means I'm running a show command from configure
63 00:05:09,940 --> 00:05:17,500 mode and I'm going to specify pipe include enable to show only lines in the running-config with the
64 00:05:17,500 --> 00:05:19,330 enable word notice
65 00:05:19,330 --> 00:05:22,510 the password is different to what we had previously.
66 00:05:23,260 --> 00:05:28,120 So back in my hacking application, I'll paste that in, notice
67 00:05:28,120 --> 00:05:29,080 there's the password.
68 00:05:29,900 --> 00:05:32,300 I'll set it back to Cisco,
69 00:05:33,890 --> 00:05:34,740 look at it again.
70 00:05:35,360 --> 00:05:42,830 Notice it's changed, but when I paste it in, the password is shown through this hacking tool, so don't
71 00:05:42,830 --> 00:05:45,600 be fooled into using the enable password.
72 00:05:46,250 --> 00:05:50,390 One more thing I'll point out and then I'll show you a better way of doing it is when you type enable
73 00:05:50,570 --> 00:05:51,210 password,
74 00:05:51,590 --> 00:05:52,550 notice the 7
75 00:05:52,910 --> 00:05:55,860 that means that the password that follows is encrypted.
76 00:05:56,510 --> 00:06:01,370 So if I put it in like that, it means that I've used a password of Cisco.
77 00:06:02,210 --> 00:06:03,320 Now, how does this help me?
78 00:06:03,890 --> 00:06:09,530 Well, when I typed disable and now I type enable notice, I need to put in a password of Cisco.
79 00:06:10,340 --> 00:06:20,300 So the enable password command is used to stop someone moving from user mode to enable mode without
80 00:06:20,300 --> 00:06:21,050 authentication.
81 00:06:21,890 --> 00:06:24,950 You'll also notice that the password is not displayed.
82 00:06:25,670 --> 00:06:28,940 It doesn't even show you the number of characters that you're typing.
83 00:06:28,940 --> 00:06:33,350 So when I type enable nothing is displayed even though I'm typing the password.
84 00:06:33,860 --> 00:06:39,890 So someone behind me wouldn't know how many characters my password is and you wouldn't know watching
85 00:06:39,890 --> 00:06:40,440 this video.
86 00:06:41,180 --> 00:06:47,390 So that's the enable password recommendation is don't use it because it's in clear text by default.
87 00:06:48,230 --> 00:06:53,720 So once again, if I type no service password-encryption and then type do show run, the password is shown
88 00:06:54,560 --> 00:06:56,630 the password is shown is encrypted here.
89 00:06:57,380 --> 00:07:03,380 But if I change that to enable password, Cisco do show run password is shown in clear text.
90 00:07:04,210 --> 00:07:10,450 So if you are going to use an enable password and it's recommended that you don't it's recommended
91 00:07:10,450 --> 00:07:16,510 that you use the service password encryption option to encrypt your passwords, Cisco still support the
92 00:07:16,510 --> 00:07:18,520 enable password for backward compatibility
93 00:07:19,090 --> 00:07:21,910 but it's not something you should be using in the real world.
94 00:07:22,630 --> 00:07:27,820 Now, let's look at a better way of setting security for enable mode.