如何使用 python 在没有 cisco 设备的情况下对 Cisco Type 8 密钥进行编码

Question

I was wondering if it is possible to generate the hashed secret shown in the CISCO documentation using a python script, without a CISCO device.

https://learningnetwork.cisco.com/s/article/cisco-routers-password-types

Example :

R1(config)# username yasser algorithm-type sha256 secret cisco

R1# show running-config | inc username

username yasser secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs

Answer 1

The hash values from the linked example can be reproduced if the following is considered in addition to the information given there:

• the format is $8$<salt>$<Base64 encoded PBKDF2 hash>
• 20000 as iteration count for PBKDF2
• ./0-9A-Za-z as Base64 alphabet
• no Base64 padding

While the iteration count is described here , the others are more or less educated guesses (eg ./0-9A-Za-z is a common variant with the letter . ), which are eventually confirmed by the successful tests.

A possible Python implementation is:

import hashlib
import base64

STD_B64_ALPHABET   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
CISCO_B64_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
TRANS = str.maketrans(STD_B64_ALPHABET, CISCO_B64_ALPHABET)

def b64CiscoEncode(data):
    return base64.b64encode(data).decode('ascii').translate(TRANS).rstrip('=')

def type8Hash(salt, password):   
    return b64CiscoEncode(hashlib.pbkdf2_hmac('sha256', password, salt, 20000))

# $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.
print(type8Hash(b'mTj4RZG8N9ZDOk', b'cisco')) # elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.

# $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs
print(type8Hash(b'dsYGNam3K1SIJO', b'cisco')) # 7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs

which successfully reproduces the hashes from the linked example.