Cisco Type 7 Decrypter

This Python script decrypts Cisco “type 7” or otherwise insecure passwords used for local users, OSPF keys, and TACACS keys. It can:

1. Parse a file (with the allowed extensions: .txt, .log, or .cisco) for lines like:

   username <USERNAME> privilege 15 password 7 <ENCRYPTED>
   

2. Parse a file for OSPF MD5 key lines within interface configs, e.g.:

   interface <INTF_NAME>
     …
     ip ospf message-digest-key <KEY_ID> md5 7 <ENCRYPTED>
   

3. Parse a file for insecure TACACS server keys, e.g.:

   tacacs server <SERVER_NAME>
     …
     key 7 <ENCRYPTED>
      - or -
     key <PLAINTEXT>
   

4. Parse a directory of files (with optional recursion) for all of the above.
5. Decrypt a single raw “type 7” encrypted string.

Use Cases

• Interactive Troubleshooting
  Quickly decrypt a single Type 7 string on the command line (-s) when reviewing live device logs or debugging automation failures.

• Configuration Reviews
  Use recursive directory scans (-d) to ensure no overlooked files in nested folders—ideal for large teams sharing network standards.

• Security Audits
  Scan entire configuration repositories (or live exports) to locate insecure (unencrypted or Type 7) credentials without manual searching.

• Bulk Reporting
  Generate CSV reports (--csv) for integration into vulnerability management or ticketing systems.

• CI/CD Integration
  Incorporate into build or compliance pipelines to automatically flag new or changed Cisco configs that contain weak password storage.

Requirements

• Python 3.8+

Usage

usage: c7_decrypt [-h] [-s] [-m] [-d DEPTH] [-c] target

Decrypt Cisco Type 7 lines in files/directories, or a single string.

positional arguments:
  target             File or directory path (if not using -s), or a raw type-7 string (if -s is set).

options:
  -h, --help         show this help message and exit
  -s, --string       Interpret the `target` argument as a raw type-7 encrypted string.
  -m, --mask         Mask the decrypted passwords (show <MASKED> instead).
  -d, --depth DEPTH  Recursively parse directories up to this depth (default=0 = non-recursive).
  -c, --csv          Output results in CSV format.

Examples

1. Decrypt a single Type 7 string:

   ./c7_decrypt.py -s 15060E1F103A2A373B243A3017

   If valid, you’ll see output like:

   Decrypted password: testpassword
   

2. Parse a single file:

   ./c7_decrypt.py config.txt

   • Must have an allowed extension (.txt, .log, .cisco).
   • Decrypts any username … password 7 <ENC> lines.
   • Decrypts any ip ospf message-digest-key <#> md5 7 <ENC> under interface configurations.
   • Decrypts any key 7 <ENC> under TACACS server configurations.
   • Calls out any unencrypted passwords found for users or TACACS configs.

3. Parse a directory (non-recursive):

   ./c7_decrypt.py /path/to/configs

   • Only .txt, .log, .cisco files are scanned.
   • Prints decrypted Type 7 passwords/key if found.

4. Parse a directory (recursive):

   ./c7_decrypt.py -r 2 /path/to/configs

   • Processes .txt, .log, .cisco files down to 2 subdirectory levels.

5. Mask the decrypted passwords (e.g., for security audits):

   ./c7_decrypt.py --mask /path/to/configs

   • Instead of printing the real plaintext, it displays <MASKED> for each found password.
   • Useful in scenarios where you want to confirm the existence of Type 7 passwords without exposing them.

CSV Output

You can emit all findings in CSV format by adding the -c/--csv flag (ignored in string mode). The output is written to stdout with these columns:

file,username,type,decrypted_password,ospf_interface,ospf_key_id,ospf_key,tacacs_server,tacacs_key

Example

./c7_decrypt.py --csv /path/to/configs

Produces:

file,username,type,decrypted_password,ospf_interface,ospf_key_id,ospf_key,tacacs_server,tacacs_key
/path/to/configs/router1.txt,testadmin,7,testpassword,,,,,
/path/to/configs/router1.txt,testadmin2,7,testpassword2,,,,,
/path/to/configs/router1.txt,,,,Vlan800,1,testospfkey
/path/to/configs/router1.txt,,,,,,,TACACS_1,testtacacskey
…

To save the CSV directly to a file, use shell redirection (> or >>). For example:

# Overwrite or create results.csv
./c7_decrypt.py --csv /path/to/configs > results.csv

# Append to an existing file
./c7_decrypt.py --csv /path/to/configs >> results.csv

Behavior

• If you run the script without -s and provide a non-existent path, it prints:

  Error: file or directory does not exist: /bad/path
  

• If you run the script with -s, it always interprets your argument as a raw Cisco Type 7 encrypted string, never checking the filesystem.
• Only files ending in .txt, .log, or .cisco are parsed to avoid false positives from other file types.
• After scanning a directory, if no Type 7 passwords are found, a message prints:

  No Type 7 passwords or keys found in any file in path: /path/to/dir
  

Implementation Details

1. Decimal Offset
   The first two characters of an encrypted string are interpreted as decimal (0..15). This is a different approach from the “classic” Type 7, which often uses them as hex. Some Cisco devices (certain ASA versions) store the offset that way.

2. 53-Byte Key
   The script uses a longer XOR key than the 22-byte string you may find in older references. This key is:

   0x64,0x73,0x66,0x64,0x3B,0x6B,0x66,0x6F,0x41,0x2C,
   0x2E,0x69,0x79,0x65,0x77,0x72,0x6B,0x6C,0x64,0x4A,
   0x4B,0x44,0x48,0x53,0x55,0x42,0x73,0x67,0x76,0x63,
   0x61,0x36,0x39,0x38,0x33,0x34,0x6E,0x63,0x78,0x76,
   0x39,0x38,0x37,0x33,0x32,0x35,0x34,0x6B,0x3B,0x66,
   0x67,0x38,0x37
   

3. Allowed Extensions

   • .txt, .log, .cisco
     If you wish to parse other file types, just update the ALLOWED_EXTENSIONS set.

4. Masking for Security Audits

   • The --mask allows you to verify where Type 7 passwords exist in your configs, without revealing the actual plaintext. This option is especially useful during internal or external security assessments.

License