Removing Passwords from a Router Configuration File
Problem
You want to remove sensitive information from a router configuration file.
Solution
The following Perl script removes sensitive information like passwords and SNMP community strings from configuration files. The script takes the name of the file containing the router's configuration as its only command-line argument.
Here's some sample output:
    Freebsd% strip.pl Router1-confg
    version 12.2
    service password-encryption
    !
    hostname Router1
    !
    aaa new-model
    aaa authentication login default local
    enable secret
    enable password
    !
    username ijbrown password
    username kdooley password
    !
    !Lines removed for brevity
    !
    !
    snmp-server community RO
    snmp-server community RW
    !
    line con 0
     password
    line aux 0
     password
    line vty 0 4
     password
    end
    Freebsd%
The Perl code follows in Example 3-1.
Example 3-1. strip.pl
    #!/usr/local/bin/perl
    #
    #   strip.pl -- a script to remove sensitive information
    #               from a router configuration file.
    #
    #
    my $configf;
    undef $/;    # slurp mode: read the whole file in one operation
    #
    $configf = shift(@ARGV);
    if (open (CNFG, $configf ) ){
        $config = <CNFG>;
        close (CNFG);
        # Blank out whatever follows each sensitive keyword.
        $config =~ s/password .*/password /gi;
        $config =~ s/secret .*/secret /gi;
        $config =~ s/community [^ ]+/community /gi;
        print $config;
    } else {
        print STDERR "Failed to open config file \"$configf\"\n";
    }
Discussion
This script strips sensitive information from router configuration files. You can safely store or forward the resulting "stripped" configuration files to others, including vendors, partners, or colleagues. Recipe 3.5 shows how trivial the default password-encryption method is, which highlights why stripping a configuration file like this is so important.
This script should require no modifications to work in most environments. Because the script sends its output to the screen, if you want to save a copy of the "stripped" configuration file, you will have to direct the standard output into a file:
Freebsd% strip.pl Router1-confg > /Router1-stripped
This example runs the script and sends the output to a file called Router1-stripped that is located in the directory /. Of course, you can direct the output of the script to any file you wish.
In earlier recipes, we mentioned that the enable secret password was encrypted using a strong method, MD5, which is extremely difficult to crack. However, there are brute-force attacks in which an attacker systematically encrypts likely sequences of letters, numbers and characters in an attempt to find an encrypted match. Although these types of attacks are time-consuming, there are a number of freely available software packages that offer efficient password-cracking capabilities. In short, it is better to be safe than sorry.
You can easily modify the script to strip other sensitive configuration commands (such as TACACS keys, routing keys, etc.) simply by adding more substitution lines. For instance, to strip TACACS keys, add the following line of code near the other lines that begin with $config =~:
$config =~ s/tacacs-server key .*/tacacs-server key /gi;
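The following variant is an added example, not code from the recipe: it keeps the substitutions in a table and then checks that none of the removed values still appears elsewhere in the stripped output (for instance, a community string reused on an snmp-server host line). The `<removed>` marker, the radius-server, key-string and message-digest-key rules, and the sample configuration are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Keyword prefix in $1, sensitive remainder in $2. The first four follow the
# recipe's substitutions; the rest are assumed additions for other IOS
# commands that carry keys. Extend the list for your own configurations.
my @rules = (
    qr/(\bpassword )(.+)/i,
    qr/(\bsecret )(.+)/i,
    qr/(\bcommunity )(\S+)/i,
    qr/(\btacacs-server key )(.+)/i,
    qr/(\bradius-server key )(.+)/i,
    qr/(\bkey-string )(.+)/i,
    qr/(\bmessage-digest-key \d+ md5 )(.+)/i,
);

sub strip_config {
    my ($text) = @_;
    my (@out, %removed);
    for my $line (split /\n/, $text) {
        for my $re (@rules) {
            next unless $line =~ s/$re/${1}<removed>/;
            my $rest  = $2;                      # copy before the next match
            my $value = (split ' ', $rest)[-1];  # the secret, not the type digit
            $removed{$value} = 1 if defined $value;
        }
        push @out, $line;
    }
    my $clean = join("\n", @out) . "\n";
    # A removed value that still occurs elsewhere was missed by the rules.
    my @leaks = grep { index($clean, $_) >= 0 } sort keys %removed;
    return ($clean, \@leaks);
}

# Read the file named on the command line, or the constructed sample below.
my $text = do { local $/; @ARGV ? <> : <DATA> };
my ($clean, $leaks) = strip_config($text);
print $clean;
warn "WARNING: removed value still present: $_\n" for @$leaks;
exit(@$leaks ? 1 : 0);   # non-zero: do not forward this output yet
__DATA__
! constructed sample configuration (all values are made up)
enable secret 5 $1$mERr$EXAMPLEONLYHASHVALUE000
username ijbrown password 7 00112233AABB
tacacs-server key 7 00112233CCDD
snmp-server community ExampleRO RO
snmp-server host 10.1.1.1 ExampleRO
line vty 0 4
 password 7 00112233AABB
```

Run without arguments, it strips the embedded sample, warns that ExampleRO survives on the snmp-server host line, and exits non-zero.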
See Also
Recipe 3.2; Recipe 3.3; Recipe 3.5