Removing Passwords from a Router Configuration File

Problem

You want to remove sensitive information from a router configuration file.

Solution

The following Perl script removes sensitive information such as passwords and SNMP community strings from configuration files. The script takes the name of the file containing the router's configuration as its only command-line argument.

Here's some sample output:

Freebsd% Router1-confg

version 12.2
service password-encryption
hostname Router1
aaa new-model
aaa authentication login default local
enable secret 
enable password 
username ijbrown password 
username kdooley password 
!Lines removed for brevity
snmp-server community  RO
snmp-server community  RW
line con 0
line aux 0
line vty 0 4

The Perl code follows in Example 3-1.

Example 3-1.

#!/usr/bin/perl
# -- a script to remove sensitive information 
# from a router configuration file.
my $configf;
my $config;
undef $/;                     # slurp mode: read the whole file in one go
$configf = shift(@ARGV);
if (open (CNFG, $configf ) ){
 $config = <CNFG>;            # read the entire configuration into $config
 close (CNFG);
 $config =~ s/password .*/password /gi;
 $config =~ s/secret .*/secret /gi;
 $config =~ s/community [^ ]+/community /gi;
 print $config;
} else { 
 print STDERR "Failed to open config file \"$configf\"\n";
}

Discussion

This script strips sensitive information from router configuration files. You can safely store or forward the resulting "stripped" configuration files to others, including vendors, partners, or colleagues. Recipe 3.5 shows how trivial the default password-encryption method is, which highlights why stripping a configuration file like this is so important.

This script should require no modifications to work in most environments. Because the script sends its output to the screen, if you want to save a copy of the "stripped" configuration file, you will have to direct the standard output into a file:

Freebsd% Router1-confg > /Router1-stripped

This example runs the script and sends the output to a file called Router1-stripped that is located in the directory /. Of course, you can direct the output of the script to any file you wish.

In earlier recipes, we mentioned that the enable secret password is encrypted using a strong method, MD5, which is extremely difficult to crack. However, there are brute-force attacks in which an attacker systematically encrypts likely sequences of letters, numbers, and other characters in an attempt to find a matching encrypted value. Although these attacks are time consuming, a number of freely available software packages offer efficient password-cracking capabilities. In short, it is better to be safe than sorry.

You can easily modify the script to strip other sensitive configuration commands (such as TACACS keys or routing keys) simply by adding more substitution lines. For instance, to strip TACACS keys, add the following line of code near the other lines that begin with $config =~:

$config =~ s/tacacs-server key .*/tacacs-server key /gi;
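As an added example that is not part of the book, here is a line-oriented Python version of the same stripper extended with the TACACS, RADIUS and routing-key rules the discussion suggests, plus a post-check for hash-like material that survived; the sample configuration, its MD5 hashes and type-7 strings are all constructed placeholders.

```python
import re

# Added example (Python, not the book's Perl). Each rule matches the keyword that
# precedes a secret; the secret and its encryption-type digit (5 = MD5, 7 = Vigenere)
# are replaced with REDACTED, while trailing options such as RO/RW are kept.
REDACTED = "<removed>"

RULES = [
    (re.compile(r"^(\s*enable (?:password|secret))(?: \d)? \S+", re.I), r"\1 " + REDACTED),
    (re.compile(r"^(\s*username \S+.*? (?:password|secret))(?: \d)? \S+", re.I), r"\1 " + REDACTED),
    (re.compile(r"^(\s*snmp-server community) \S+", re.I), r"\1 " + REDACTED),
    (re.compile(r"^(\s*(?:tacacs|radius)-server key)(?: \d)? .*$", re.I), r"\1 " + REDACTED),
    (re.compile(r"^(\s*ip ospf message-digest-key \d+ md5)(?: \d)? .*$", re.I), r"\1 " + REDACTED),
    (re.compile(r"^(\s*key-string)(?: \d)? .*$", re.I), r"\1 " + REDACTED),
    (re.compile(r"^(\s*password)(?: \d)? .*$", re.I), r"\1 " + REDACTED),  # line/console passwords
]

# Anything that still looks like an IOS type-5 hash ($1$...) or a type-7 string (7 <hex>).
LEFTOVER = re.compile(r"\$1\$|\b7 [0-9A-Fa-f]{8,}\b")

def strip_config(text):
    """Return the configuration with secrets replaced; the first matching rule wins."""
    out = []
    for line in text.splitlines():
        for pattern, repl in RULES:
            line, n = pattern.subn(repl, line, count=1)
            if n:
                break
        out.append(line)
    return "\n".join(out) + "\n"

def leftover_secrets(text):
    """Lines that still carry hash-like material: the check to run before forwarding a file."""
    return [ln for ln in text.splitlines() if LEFTOVER.search(ln)]

# Constructed sample configuration; every hash and type-7 string below is made up.
SAMPLE = """\
enable secret 5 $1$MADEUP$0123456789abcdefghijkl
enable password 7 0822455D0A16
username ijbrown privilege 15 password 7 104D000A0618
username kdooley secret 5 $1$MADEUP$zyxwvutsrqponmlkjihgfe
tacacs-server key 7 13061E010803
radius-server key CONSTRUCTEDKEY
snmp-server community public RO 10
snmp-server community private RW
 ip ospf message-digest-key 1 md5 7 045802150C2E
  key-string riptestkey
line vty 0 4
 password 7 121A0C041104
"""
```

Run `print(strip_config(SAMPLE))` to see the redacted text, and treat a non-empty `leftover_secrets()` result as a sign that a new command type needs its own rule.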


See Also

Recipe 3.2; Recipe 3.3; Recipe 3.5

Cisco IOS Cookbook
ISBN: 0596527225
Year: 2004
Pages: 505