# cisco-hashgen
[](https://pypi.org/project/cisco-hashgen/)
[](https://pypi.org/project/cisco-hashgen/)
[](LICENSE)
[](https://github.com/Krontab/cisco-hashgen/actions/workflows/ci.yml)
<!-- Enable this once downloads look healthy :)
[](https://pepy.tech/project/cisco-hashgen)
-->
> Generate and verify Cisco-compatible password hashes for Cisco ASA & IOS/IOS-XE.
**cisco-hashgen** supports the generation and verification of the following formats:
- **Cisco ASA (PBKDF2-SHA512)** → `$sha512$<iter>$B64(salt)$B64(dk16)`
- **Cisco IOS/IOS-XE Type 5** (MD5-crypt) → `$1$<salt>$<hash>`
- **Cisco IOS/IOS-XE Type 8** (PBKDF2-SHA256) → `$8$<Cisco64(salt)>$<Cisco64(dk32)>`
- **Cisco IOS/IOS-XE Type 9** (scrypt) → `$9$<Cisco64(salt)>$<Cisco64(dk32)>`
## Capabilities
- Generate password hashes discretely in a masked (non-echoing) terminal session.
- Generate hashes offline and embed them in config templates.
- Piped input/output for easy integration with other tools like [pass](https://www.passwordstore.org/), [ansible-vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html), or [GitHub Actions](https://docs.github.com/en/actions/security-guides/encrypted-secrets).
- Securely read passwords from the command line, shell, or environment variables.
- Securely read passwords from the macOS Keychain.
- Verify existing hashes offline without touching the device. (audit mode, brute force)
## Why this exists
1) **Generate Cisco-compatible hashes from any system**
- Now you don't have to have a Cisco switch or router to generate hashes.
2) **Bootstrap device configs without plaintext passwords**
- Pre-generate hashes offline and embed them in config templates.
- No more storing or echoing the clear text password.
3) **Verify existing hashes offline**
- Check if a password matches a Cisco hash without touching the device.
- Script out the verification process of many password hashes looking for matches.
4) **Shoulder surfing and screen share privacy**
- Generate a valid hash with cisco-hashgen which masks your input by default.
- All you see is the hash which you paste into your config or command line.
> 💡 Hashes are only as strong as the password and parameters. Prefer long, random passphrases; keep iteration counts at Cisco defaults (or higher where supported); and protect generated hashes like any credential artifact.
## ⚠️ Cautions
- Hashes produced by this tool ***should*** be able to be used on many Cisco switches, routers, and firewalls but ***please*** test thoroughly before using in production.
- This tool does not support Type 1, 2, 3, 4, or 6. (yet)
## 🚀 Quick Install
**Recommended:** Use [pipx](https://pipx.pypa.io/) to install in an isolated environment.
This avoids dependency conflicts and works the same on Linux, macOS, and Windows.
### Ubuntu / Debian
```text
sudo apt update
sudo apt install pipx
pipx ensurepath
pipx install cisco-hashgen
```
### macOS (Homebrew)
```text
brew install pipx
pipx ensurepath
pipx install cisco-hashgen
```
### Windows (PowerShell)
```powershell
python -m pip install --user pipx
python -m pipx ensurepath
pipx install cisco-hashgen
```
### Verify installation
```text
cisco-hashgen --help
```
> 💡 If you cannot use pipx, you can still install with:
```text
# Linux/macOS
python3 -m pip install --user cisco-hashgen
# Windows
python -m pip install --user cisco-hashgen
# On Debian/Ubuntu you may need:
python3 -m pip install --user cisco-hashgen --break-system-packages
```
## Quick start
### Generate ASA (PBKDF2-SHA512)
Default operation is interactive password input (password is masked)
```text
~ >> cisco-hashgen -asa
Cisco HashGen v2.0.1rc2 — Generate and verify Cisco-compatible hashes
ASA PBKDF2-SHA512 defaults: iterations=5000, salt-bytes=16
IOS/IOS-XE Type 5 (MD5-crypt)
IOS/IOS-XE Type 8 PBKDF2-SHA256 defaults: iterations=20000, salt-bytes=10
IOS/IOS-XE Type 9 (scrypt) defaults: N=16384, r=1, p=1, salt-bytes=10
Validation: minlen=8, maxlen=1024
[Generating ASA PBKDF2-SHA512 hash]
Enter password: ********
Retype to confirm: ********
$sha512$5000$ICO3MWp5LADdvY85gGkqYA==$kji0GEgm5nHqKum7VmoY/w==
```
>💡 Note: cisco-hashgen defaults to -asa output, but you can specify -asa for clarity.
### Generate IOS/IOS-XE Type 9 (ASCII Salt) and use hash in configuration
```text
~ >> cisco-hashgen -ios9 -ios9-salt-mode ascii -quiet
Enter password: ********
Retype to confirm: ********
$9$cFiaINGxv8Gp4U$qG0lKpyM56WpYvZ1B2IY8LX6fInUsHs5NmRbVpyqHDQ
# From Cisco device
switch1#configure terminal
switch1(config)#username admin secret 9 $9$cFiaINGxv8Gp4U$qG0lKpyM56WpYvZ1B2IY8LX6fInUsHs5NmRbVpyqHDQ
```
### Verify a hash (auto-detects hash type!)
```text
>> cisco-hashgen -v '$sha512$5000$ICO3MWp5LADdvY85gGkqYA==$kji0GEgm5nHqKum7VmoY/w=='
[Verifying ASA PBKDF2-SHA512 hash]
[Enter password to verify against ASA PBKDF2-SHA512]
Enter password to verify: ********
[+] Password matches.
```
### One-liner verify (stdin + -v) - Insecure / Password is visible
```text
echo 'My S3cr3t!' | cisco-hashgen -v '$8$HxHoQOhOgadA7E==$HjROgK8oWfeM45/EHbOwxCC328xBBYz2IF2BevFOSok='
[Verifying IOS/IOS-XE Type 8 PBKDF2-SHA256 hash]
[+] Password matches.
```
> 💡 This above example illustrates the tool's flexibility for stdin/stdout. When executed this way, the password is displayed on screen and likely saved in the terminal history or process list. See more secure methods below.
## Supplying passwords securely
### A) Interactive (masked, safest)
```text
cisco-hashgen -asa
```
### B) Shell read (no secret in history)
```text
read -rs PW && printf '%s' "$PW" | cisco-hashgen -asa -quiet && unset PW
# or use env var:
read -rs PW && CISCO_HASHGEN_PWD="$PW" cisco-hashgen -ios8 -env CISCO_HASHGEN_PWD -quiet && unset PW
```
### C) macOS Keychain (GUI → CLI)
1. Open **Keychain Access** → add a new password item (e.g., Service: `HASHGEN_PW`).
2. Use it without revealing plaintext:
```text
security find-generic-password -w -s HASHGEN_PW | cisco-hashgen -asa -quiet
```
3. Remove later with: `security delete-generic-password -s HASHGEN_PW`
### D) pass (Password Store)
```text
brew install pass gnupg
gpg --quick-generate-key "Your Name <you@example.com>" default default never
gpg --list-secret-keys --keyid-format LONG
pass init <YOUR_LONG_KEY_ID>
pass insert -m network/asa/admin <<'EOF'
Str0ngP@ss!
EOF
pass show network/asa/admin | head -n1 | cisco-hashgen -ios8 -v
```
### E) CI secret environment variable (GitHub Actions)
```yaml
- name: Generate ASA hash
env:
CISCO_HASHGEN_PWD: ${{ secrets.CISCO_HASHGEN_PWD }}
run: |
cisco-hashgen -asa -env CISCO_HASHGEN_PWD -quiet > hash.txt
```
## Quoting cheatsheet (very important)
- Always **single-quote** `$sha512...` / `$8$...` hashes to avoid `$` expansion:
```text
cisco-hashgen -v '$sha512$5000$...$...'
```
- For passwords with spaces or shell characters, prefer interactive input, `read -rs`, Keychain, or `pass`.
- If you must put a password on the command line (not recommended), single-quote it; if it contains a single quote, use:
```text
'pa'"'"'ss'
```
## CLI
```text
cisco-hashgen -h
usage: cisco-hashgen [-h] [-asa | -ios5 | -ios8 | -ios9] [-verify HASH] [-iter ITER] [-salt-bytes SALT_BYTES]
[--ios9-salt-mode {cisco64,ascii,stdb64}] [-minlen MINLEN] [-maxlen MAXLEN] [-pwd STRING]
[-env VAR] [-quiet] [-no-color] [-no-prompt] [-V] [-ios9-debug]
```
### options
- `-h, --help` — show this help message and exit
- `-asa` — Generate ASA PBKDF2 (SHA-512) hash (default).
- `-ios5` — Generate IOS/IOS-XE Type 5 (MD5-crypt) hash.
- `-ios8` — Generate IOS/IOS-XE Type 8 (PBKDF2-SHA256) hash.
- `-ios9` — Generate IOS/IOS-XE Type 9 (scrypt) hash.
- `-verify, -v HASH` — Verify a password against an existing hash.
- `-iter ITER` — Override iterations (default: ASA=5000, IOS8=20000).
- `-salt-bytes SALT_BYTES` — Override salt length in bytes (default: ASA=16, IOS8=10, IOS9=10).
- `-ios9-debug` — Enable maximum IOS9 verify diagnostics
- `-ios9-salt-mode` `{cisco64, ascii, stdb64}` — IOS9 salt field mode.
- **cisco64** (default) stores Cisco64 text and uses decoded bytes for KDF.
- **ascii** stores Cisco64 text but uses the literal ASCII text for KDF;
- **stdb64** stores StdBase64 text and uses that literal ASCII for KDF.
- `-minlen MINLEN` — Minimum password length (default: 8).
- `-maxlen MAXLEN` — Maximum password length (default: 1024).
- `-pwd STRING` — Password provided directly (quote if it contains spaces/shell chars).
- `-env VAR` — Read password from environment variable VAR.
- `-quiet` — Suppress banners and extra output (script-friendly).
- `-no-color` — Disable ANSI colors in help/banners.
- `-no-prompt` — Fail if no password is provided via stdin/-pwd/-env (no interactive prompt).
- `-V, --version` — show program's version number and exit
## Exit codes
- `0` — Success / verified match
- `1` — Verify mismatch
- `2` — Unsupported/invalid hash format
- `3` — Password validation error
- `4` — No password provided and `-no-prompt` set
- `130` — User interrupted (Ctrl-C)
## Technical notes
- **ASA**: PBKDF2-HMAC-SHA512; iterations stored; salt Base64; **first 16 bytes** of DK stored.
_Why it matters_: Only a portion of the derived key is stored, so reproducing the hash requires exact PBKDF2 parameters and truncation behavior.
- **IOS/IOS-XE Type 5**: MD5-based crypt (`md5crypt`); 1000 iterations (fixed); salt up to 8 chars; Cisco Base64 alphabet (`./0..9A..Za..z`).
_Why it matters_: Legacy format, still seen on older systems; uses a fixed iteration count and short salts, making it less secure but widely compatible.
- **IOS/IOS-XE Type 8**: PBKDF2-HMAC-SHA256; **20000** iterations (fixed); salt 10 bytes; Cisco Base64 alphabet (`./0..9A..Za..z`).
_Why it matters_: Modern, strong PBKDF2 with fixed parameters; hash reproduction must match iteration count exactly.
- **IOS/IOS-XE Type 9 – Canonical**: scrypt (N=16384, r=1, p=1); salt 14 bytes; Cisco Base64 alphabet (`./0..9A..Za..z`).
_Why it matters_: Strongest Cisco hash; requires exact scrypt parameters and binary salt encoding for compatibility.
- **IOS/IOS-XE Type 9 – ASCII Salt**: scrypt (N=16384, r=1, p=1); salt literal ASCII (non-canonical but accepted by some platforms); salt length 14 chars; Cisco Base64 alphabet for hash output only.
_Why it matters_: Some devices expect ASCII salt rather than binary; essential for login compatibility on these picky systems.
- **IOS/IOS-XE Type 9 – Mixed Salt**: scrypt (N=16384, r=1, p=1); salt may contain printable ASCII + Cisco64 characters (non-canonical); length still 14; Cisco Base64 alphabet for hash output.
_Why it matters_: Rare variant; sometimes seen when salts are generated inconsistently; necessary to replicate for exact hash matching.
## Supported Platforms
- Python 3.8+ (tested on 3.8–3.13)
- macOS / Linux / Windows
## License
Cisco-Hashgen is available under the MIT license. See the LICENSE file for details.
Author: Gilbert Mendoza
## Changelog
See the [docs/releases](docs/releases/) folder for complete version history, or visit the [GitHub Releases](https://github.com/Krontab/cisco-hashgen/releases) page.
Raw data
{
"_id": null,
"home_page": null,
"name": "cisco-hashgen",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": null,
"keywords": "Cisco, ASA, IOS, PBKDF2, password, security, networking, router, switch, firewall",
"author": "Gilbert Mendoza",
"author_email": null,
"download_url": "https://files.pythonhosted.org/packages/03/aa/0a27f877505740c79e1c628c841f20fc1779ab6e5a4d84f88071278a92b8/cisco_hashgen-2.0.1.tar.gz",
"platform": null,
"description": "# cisco-hashgen\n\n[](https://pypi.org/project/cisco-hashgen/)\n[](https://pypi.org/project/cisco-hashgen/)\n[](LICENSE)\n[](https://github.com/Krontab/cisco-hashgen/actions/workflows/ci.yml)\n\n<!-- Enable this once downloads look healthy :)\n[](https://pepy.tech/project/cisco-hashgen)\n-->\n\n> Generate and verify Cisco-compatible password hashes for Cisco ASA & IOS/IOS-XE.\n\n**cisco-hashgen** supports the generation and verification of the following formats:\n\n- **Cisco ASA (PBKDF2-SHA512)** \u2192 `$sha512$<iter>$B64(salt)$B64(dk16)`\n- **Cisco IOS/IOS-XE Type 5** (MD5-crypt) \u2192 `$1$<salt>$<hash>`\n- **Cisco IOS/IOS-XE Type 8** (PBKDF2-SHA256) \u2192 `$8$<Cisco64(salt)>$<Cisco64(dk32)>`\n- **Cisco IOS/IOS-XE Type 9** (scrypt) \u2192 `$9$<Cisco64(salt)>$<Cisco64(dk32)>`\n\n## Capabilities\n\n- Generate password hashes discretely in a masked (non-echoing) terminal session.\n- Generate hashes offline and embed them in config templates.\n- Piped input/output for easy integration with other tools like [pass](https://www.passwordstore.org/), [ansible-vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html), or [GitHub Actions](https://docs.github.com/en/actions/security-guides/encrypted-secrets).\n- Securely read passwords from the command line, shell, or environment variables.\n- Securely read passwords from the macOS Keychain.\n- Verify existing hashes offline without touching the device. (audit mode, brute force)\n\n## Why this exists\n\n1) **Generate Cisco-compatible hashes from any system** \n - Now you don't have to have a Cisco switch or router to generate hashes. \n2) **Bootstrap device configs without plaintext passwords**\n - Pre-generate hashes offline and embed them in config templates. \n - No more storing or echoing the clear text password.\n3) **Verify existing hashes offline** \n - Check if a password matches a Cisco hash without touching the device.\n - Script out the verification process of many password hashes looking for matches. \n4) **Shoulder surfing and screen share privacy**\n - Generate a valid hash with cisco-hashgen which masks your input by default. \n - All you see is the hash which you paste into your config or command line.\n\n> \ud83d\udca1 Hashes are only as strong as the password and parameters. Prefer long, random passphrases; keep iteration counts at Cisco defaults (or higher where supported); and protect generated hashes like any credential artifact.\n\n## \u26a0\ufe0f Cautions\n- Hashes produced by this tool ***should*** be able to be used on many Cisco switches, routers, and firewalls but ***please*** test thoroughly before using in production.\n- This tool does not support Type 1, 2, 3, 4, or 6. (yet)\n\n## \ud83d\ude80 Quick Install\n\n**Recommended:** Use [pipx](https://pipx.pypa.io/) to install in an isolated environment.\nThis avoids dependency conflicts and works the same on Linux, macOS, and Windows.\n\n### Ubuntu / Debian\n```text\nsudo apt update\nsudo apt install pipx\npipx ensurepath\npipx install cisco-hashgen\n```\n\n### macOS (Homebrew)\n```text\nbrew install pipx\npipx ensurepath\npipx install cisco-hashgen\n```\n\n### Windows (PowerShell)\n```powershell\npython -m pip install --user pipx\npython -m pipx ensurepath\npipx install cisco-hashgen\n```\n\n### Verify installation\n```text\ncisco-hashgen --help\n```\n\n> \ud83d\udca1 If you cannot use pipx, you can still install with:\n```text\n# Linux/macOS\npython3 -m pip install --user cisco-hashgen\n\n# Windows\npython -m pip install --user cisco-hashgen\n\n# On Debian/Ubuntu you may need:\npython3 -m pip install --user cisco-hashgen --break-system-packages\n```\n\n## Quick start\n\n### Generate ASA (PBKDF2-SHA512)\nDefault operation is interactive password input (password is masked)\n\n```text\n~ >> cisco-hashgen -asa\nCisco HashGen v2.0.1rc2 \u2014 Generate and verify Cisco-compatible hashes\n ASA PBKDF2-SHA512 defaults: iterations=5000, salt-bytes=16\n IOS/IOS-XE Type 5 (MD5-crypt)\n IOS/IOS-XE Type 8 PBKDF2-SHA256 defaults: iterations=20000, salt-bytes=10\n IOS/IOS-XE Type 9 (scrypt) defaults: N=16384, r=1, p=1, salt-bytes=10\n Validation: minlen=8, maxlen=1024\n\n[Generating ASA PBKDF2-SHA512 hash]\nEnter password: ********\nRetype to confirm: ********\n$sha512$5000$ICO3MWp5LADdvY85gGkqYA==$kji0GEgm5nHqKum7VmoY/w==\n```\n>\ud83d\udca1 Note: cisco-hashgen defaults to -asa output, but you can specify -asa for clarity.\n\n### Generate IOS/IOS-XE Type 9 (ASCII Salt) and use hash in configuration\n```text\n~ >> cisco-hashgen -ios9 -ios9-salt-mode ascii -quiet\nEnter password: ********\nRetype to confirm: ********\n$9$cFiaINGxv8Gp4U$qG0lKpyM56WpYvZ1B2IY8LX6fInUsHs5NmRbVpyqHDQ\n\n# From Cisco device\nswitch1#configure terminal\nswitch1(config)#username admin secret 9 $9$cFiaINGxv8Gp4U$qG0lKpyM56WpYvZ1B2IY8LX6fInUsHs5NmRbVpyqHDQ\n```\n\n### Verify a hash (auto-detects hash type!) \n```text\n>> cisco-hashgen -v '$sha512$5000$ICO3MWp5LADdvY85gGkqYA==$kji0GEgm5nHqKum7VmoY/w=='\n[Verifying ASA PBKDF2-SHA512 hash]\n[Enter password to verify against ASA PBKDF2-SHA512]\nEnter password to verify: ********\n[+] Password matches.\n```\n\n### One-liner verify (stdin + -v) - Insecure / Password is visible\n```text\necho 'My S3cr3t!' | cisco-hashgen -v '$8$HxHoQOhOgadA7E==$HjROgK8oWfeM45/EHbOwxCC328xBBYz2IF2BevFOSok=' \n[Verifying IOS/IOS-XE Type 8 PBKDF2-SHA256 hash]\n[+] Password matches.\n```\n> \ud83d\udca1 This above example illustrates the tool's flexibility for stdin/stdout. When executed this way, the password is displayed on screen and likely saved in the terminal history or process list. See more secure methods below.\n\n## Supplying passwords securely\n\n### A) Interactive (masked, safest)\n```text\ncisco-hashgen -asa\n```\n\n### B) Shell read (no secret in history)\n```text\nread -rs PW && printf '%s' \"$PW\" | cisco-hashgen -asa -quiet && unset PW\n# or use env var:\nread -rs PW && CISCO_HASHGEN_PWD=\"$PW\" cisco-hashgen -ios8 -env CISCO_HASHGEN_PWD -quiet && unset PW\n```\n\n### C) macOS Keychain (GUI \u2192 CLI)\n1. Open **Keychain Access** \u2192 add a new password item (e.g., Service: `HASHGEN_PW`).\n2. Use it without revealing plaintext:\n```text\nsecurity find-generic-password -w -s HASHGEN_PW | cisco-hashgen -asa -quiet\n```\n3. Remove later with: `security delete-generic-password -s HASHGEN_PW`\n\n### D) pass (Password Store)\n```text\nbrew install pass gnupg\ngpg --quick-generate-key \"Your Name <you@example.com>\" default default never\ngpg --list-secret-keys --keyid-format LONG\npass init <YOUR_LONG_KEY_ID>\n\npass insert -m network/asa/admin <<'EOF'\nStr0ngP@ss!\nEOF\n\npass show network/asa/admin | head -n1 | cisco-hashgen -ios8 -v\n```\n\n### E) CI secret environment variable (GitHub Actions)\n```yaml\n- name: Generate ASA hash\n env:\n CISCO_HASHGEN_PWD: ${{ secrets.CISCO_HASHGEN_PWD }}\n run: |\n cisco-hashgen -asa -env CISCO_HASHGEN_PWD -quiet > hash.txt\n```\n\n## Quoting cheatsheet (very important)\n\n- Always **single-quote** `$sha512...` / `$8$...` hashes to avoid `$` expansion:\n ```text\n cisco-hashgen -v '$sha512$5000$...$...'\n ```\n- For passwords with spaces or shell characters, prefer interactive input, `read -rs`, Keychain, or `pass`.\n- If you must put a password on the command line (not recommended), single-quote it; if it contains a single quote, use:\n ```text\n 'pa'\"'\"'ss'\n ```\n\n## CLI\n\n```text\ncisco-hashgen -h\nusage: cisco-hashgen [-h] [-asa | -ios5 | -ios8 | -ios9] [-verify HASH] [-iter ITER] [-salt-bytes SALT_BYTES]\n [--ios9-salt-mode {cisco64,ascii,stdb64}] [-minlen MINLEN] [-maxlen MAXLEN] [-pwd STRING]\n [-env VAR] [-quiet] [-no-color] [-no-prompt] [-V] [-ios9-debug]\n```\n\n### options\n- `-h, --help` \u2014 show this help message and exit\n- `-asa` \u2014 Generate ASA PBKDF2 (SHA-512) hash (default).\n- `-ios5` \u2014 Generate IOS/IOS-XE Type 5 (MD5-crypt) hash.\n- `-ios8` \u2014 Generate IOS/IOS-XE Type 8 (PBKDF2-SHA256) hash.\n- `-ios9` \u2014 Generate IOS/IOS-XE Type 9 (scrypt) hash.\n- `-verify, -v HASH` \u2014 Verify a password against an existing hash.\n- `-iter ITER` \u2014 Override iterations (default: ASA=5000, IOS8=20000).\n- `-salt-bytes SALT_BYTES` \u2014 Override salt length in bytes (default: ASA=16, IOS8=10, IOS9=10).\n- `-ios9-debug` \u2014 Enable maximum IOS9 verify diagnostics\n- `-ios9-salt-mode` `{cisco64, ascii, stdb64}` \u2014 IOS9 salt field mode. \n - **cisco64** (default) stores Cisco64 text and uses decoded bytes for KDF.\n - **ascii** stores Cisco64 text but uses the literal ASCII text for KDF;\n - **stdb64** stores StdBase64 text and uses that literal ASCII for KDF.\n- `-minlen MINLEN` \u2014 Minimum password length (default: 8).\n- `-maxlen MAXLEN` \u2014 Maximum password length (default: 1024).\n- `-pwd STRING` \u2014 Password provided directly (quote if it contains spaces/shell chars).\n- `-env VAR` \u2014 Read password from environment variable VAR.\n- `-quiet` \u2014 Suppress banners and extra output (script-friendly).\n- `-no-color` \u2014 Disable ANSI colors in help/banners.\n- `-no-prompt` \u2014 Fail if no password is provided via stdin/-pwd/-env (no interactive prompt).\n- `-V, --version` \u2014 show program's version number and exit\n\n## Exit codes\n- `0` \u2014 Success / verified match \n- `1` \u2014 Verify mismatch \n- `2` \u2014 Unsupported/invalid hash format \n- `3` \u2014 Password validation error \n- `4` \u2014 No password provided and `-no-prompt` set \n- `130` \u2014 User interrupted (Ctrl-C)\n\n## Technical notes\n\n- **ASA**: PBKDF2-HMAC-SHA512; iterations stored; salt Base64; **first 16 bytes** of DK stored. \n _Why it matters_: Only a portion of the derived key is stored, so reproducing the hash requires exact PBKDF2 parameters and truncation behavior.\n\n- **IOS/IOS-XE Type 5**: MD5-based crypt (`md5crypt`); 1000 iterations (fixed); salt up to 8 chars; Cisco Base64 alphabet (`./0..9A..Za..z`). \n _Why it matters_: Legacy format, still seen on older systems; uses a fixed iteration count and short salts, making it less secure but widely compatible.\n\n- **IOS/IOS-XE Type 8**: PBKDF2-HMAC-SHA256; **20000** iterations (fixed); salt 10 bytes; Cisco Base64 alphabet (`./0..9A..Za..z`). \n _Why it matters_: Modern, strong PBKDF2 with fixed parameters; hash reproduction must match iteration count exactly.\n\n- **IOS/IOS-XE Type 9 \u2013 Canonical**: scrypt (N=16384, r=1, p=1); salt 14 bytes; Cisco Base64 alphabet (`./0..9A..Za..z`). \n _Why it matters_: Strongest Cisco hash; requires exact scrypt parameters and binary salt encoding for compatibility.\n\n- **IOS/IOS-XE Type 9 \u2013 ASCII Salt**: scrypt (N=16384, r=1, p=1); salt literal ASCII (non-canonical but accepted by some platforms); salt length 14 chars; Cisco Base64 alphabet for hash output only. \n _Why it matters_: Some devices expect ASCII salt rather than binary; essential for login compatibility on these picky systems.\n\n- **IOS/IOS-XE Type 9 \u2013 Mixed Salt**: scrypt (N=16384, r=1, p=1); salt may contain printable ASCII + Cisco64 characters (non-canonical); length still 14; Cisco Base64 alphabet for hash output. \n _Why it matters_: Rare variant; sometimes seen when salts are generated inconsistently; necessary to replicate for exact hash matching.\n\n## Supported Platforms\n- Python 3.8+ (tested on 3.8\u20133.13) \n- macOS / Linux / Windows\n\n## License\nCisco-Hashgen is available under the MIT license. See the LICENSE file for details.\nAuthor: Gilbert Mendoza\n\n## Changelog\nSee the [docs/releases](docs/releases/) folder for complete version history, or visit the [GitHub Releases](https://github.com/Krontab/cisco-hashgen/releases) page.\n",
"bugtrack_url": null,
"license": null,
"summary": "Generate and verify Cisco-compatible password hashes for Cisco ASA & IOS/IOS-XE.",
"version": "2.0.1",
"project_urls": {
"Homepage": "https://github.com/Krontab/cisco-hashgen",
"Issues": "https://github.com/Krontab/cisco-hashgen/issues"
},
"split_keywords": [
"cisco",
" asa",
" ios",
" pbkdf2",
" password",
" security",
" networking",
" router",
" switch",
" firewall"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "f9b93203446d3a4a3aec72869993e24f2c01e8381af581a9204ada301c457900",
"md5": "b5d0058af3e5652e21c8b3b71776d843",
"sha256": "aa899e1be686fa1103e2787f2af94fddf8fb9b1e72acaaaedd81617a85d428ad"
},
"downloads": -1,
"filename": "cisco_hashgen-2.0.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "b5d0058af3e5652e21c8b3b71776d843",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 15218,
"upload_time": "2025-08-14T05:24:48",
"upload_time_iso_8601": "2025-08-14T05:24:48.558477Z",
"url": "https://files.pythonhosted.org/packages/f9/b9/3203446d3a4a3aec72869993e24f2c01e8381af581a9204ada301c457900/cisco_hashgen-2.0.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "03aa0a27f877505740c79e1c628c841f20fc1779ab6e5a4d84f88071278a92b8",
"md5": "723651fb2e857b1218af502ee3a074ea",
"sha256": "43fd447da09d370fb0a2170a3cb77b6434ce18882bfe4fae9f9d4266dbba1362"
},
"downloads": -1,
"filename": "cisco_hashgen-2.0.1.tar.gz",
"has_sig": false,
"md5_digest": "723651fb2e857b1218af502ee3a074ea",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 18841,
"upload_time": "2025-08-14T05:24:50",
"upload_time_iso_8601": "2025-08-14T05:24:50.867620Z",
"url": "https://files.pythonhosted.org/packages/03/aa/0a27f877505740c79e1c628c841f20fc1779ab6e5a4d84f88071278a92b8/cisco_hashgen-2.0.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-08-14 05:24:50",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "Krontab",
"github_project": "cisco-hashgen",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "cisco-hashgen"
}
JSON
