May 15, 2014

Obtaining Passwords from Cisco Wireless LAN Controllers

During security analysis, experts often deal with default accounts. Particularly, it is very usual for large companies having several hundred systems. That’s why one of the main requirements is to use complex non-dictionary passwords to comply with security standards and best practices.
There are two ways to test the system compliance with this requirement:

  • password brute-forcing,
  • obtaining and checking passwords or their hashes from the system.

The former method can cause account lockout and thus is often found unacceptable. The latter one is preferable, but gives another problem if passwords are encrypted or hashed.

Let us consider how passwords are stored in Cisco Wireless LAN Controllers. The configuration file contains usernames and passwords for Cisco WLC in the following form:

config mgmtuser add encrypt admin2 1 5082d27dd0048bf167d04b96b9f2aad1 fbf57db49db49643897d14cd89d7ba14e96a4fbd 16 d20d07b60ff785d718b47837f1915dbe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write

The format differs from MD5, which is usually used in Cisco systems, isn’t it? We need to find out what encryption (hashing) algorithm is being applied here.

So, the record format looks as follows:

config mgmtuser add encrypt ,


  • is the username;
  • is the encryption type. If == 0, then encryption is not used and contains the hex-encoded password. If == 1, then the password is encrypted with AES-128 in CBC + PKCS#7 padding mode using the constant key 834156F9940F09C0A8D00F019F850005;
  • is the hex-encoded initialization vector for AES-CBC (16 bytes);
  • is the hex-encoded HMAC-SHA1 (20 bytes) calculated using the constant key 44C60835E800EC06FFFF89444CE6F789. During HMAC calculation, they sequentially hash number 1 (as DWORD), (16 bytes) and ( bytes). DWORD endianness depends on the processor architecture (it can be big-endian or little-endian);
  • is the length of data structure containing the password;
  • is the hex-encoded data that contain the password. To store the encoded data, multiple zero characters are added for some reason;
  • is the account type. It can be read-only, read-write, and lobby-admin.

It is worth mentioning that this storage format is used not only for account passwords, but for other passwords and secrets, too.

Below are given some sample templates that can precede the fields encType, iv, hmac, cbData, and data.

config local-auth method fast server-key encrypt
config mgmtuser add encrypt *
config radius auth add encrypt * * * password
config wlan security * akm * set-key * encrypt
transfer * encrypt password

Thus, if we have the configuration file of a Cisco WLC device, we can obtain and restore all encrypted passwords.

To avoid disclosure of account passwords, you should always encrypt configuration files with built-in Cisco WLC tools when transferring such files to an external server (see figure below).

Watch yourself ;)

Authors: Dmitry Sklyarov, Sergey Pavlov, Dmitry Kurbatov (Positive Research)


  1. Nice writeup, but you should properly encode variables that look like HTML tags (<enctype>, <iv>, <hmac>, ....).

    1. Thanks for your comment! We'll try to fix it somehow

  2. I knw the ipipadress of lan controller but i dont knw ththe username n password how can i get it?

  3. Good hit mate. Could you reply me with the thing that ON WHAT ACCOUNT WE SHOULD AVOID password brute-forcing ? and yes sorry for the caps.

  4. This comment has been removed by a blog administrator.

  5. This comment has been removed by a blog administrator.

  6. This comment has been removed by a blog administrator.