Cisco IOS
Cisconetwork9 credentials
Enable Secret / Enable Password
cisco-ios / enable-secret
Privileged EXEC access on Cisco IOS is protected with an enable secret or the older enable password. Cisco recommends enable secret instead of enable password because enable password uses weak reversible protection when service password-encryption is enabled.
Looks like
pattern^enable secret (5|8|9) [^\r\n]+$^enable password (0|7)? ?[^\r\n]+$Location
IOS device configuration (running-config, startup-config) visible via `show running-config`
configuration backups, TFTP archives, RANCID / Oxidized output
Notes
If no enable secret or enable password is set, IOS falls back to the line password to authorize entry into privileged EXEC. Combined with a vty line configured with `privilege level 15` or a line password used for authentication, this fallback is how many devices historically ended up granting privileged access from a remote session — the line password effectively becomes the enable credential.
Local Username Password / Secret
cisco-ios / local-user-credential
Cisco IOS local users are configured with username statements that include either a password or a secret. These accounts are commonly used for console, SSH, Telnet, and fallback AAA authentication.
Looks like
pattern^username \S+ secret (5|8|9) [^\r\n]+$^username \S+ password (0|7)? ?[^\r\n]+$Location
username lines in the IOS device configuration
golden configs, network automation templates, lab snippets
router and switch configuration backups
Notes
Cisco examples often use placeholder usernames and passwords such as cisco/cisco when demonstrating SSH configuration. Those are examples, not product defaults, and should not be treated as shipped credentials. Certain Cisco platforms do document Day 0 provisioning usernames used by their initial-config flow (for example, some Catalyst 9K and ISR models); those are platform-specific and belong in per-model entries rather than being generalized here.
Console / VTY Line Password
cisco-ios / line-password
IOS line configuration can protect console, AUX, and virtual terminal access with a line password. The password appears under line con, line aux, or line vty configuration blocks.
Looks like
pattern^\s*password (0|7)? ?[^\r\n]+$Location
line con / line aux / line vty blocks in the IOS configuration
archived IOS configurations and device replacement configs
Notes
Line passwords are still encountered in legacy Telnet and console configurations. When service password-encryption is enabled, IOS stores many of these values as type 7 strings, which Cisco describes as suitable only against casual observation. See enable-secret above for how a line password can double as the enable credential when no enable secret is set.
SNMP Community String
cisco-ios / snmp-community-string
SNMPv1 and SNMPv2c on Cisco IOS use community strings as shared secrets for read-only or read-write management access. The community string is configured with snmp-server community.
Looks like
pattern^snmp-server community \S+ (RO|RW)( .*)?$Location
snmp-server community lines in the IOS configuration
network monitoring templates and bootstrap configs
configuration repositories and NMS discovery exports
Notes
Cisco's hardening guide shows `snmp-server community READONLY RO` and `READWRITE RW` only as explanatory examples and tells operators to choose strong strings for production. A read-write community can modify device state through SNMP where write access is permitted.
SNMPv3 User Auth / Privacy Secrets
cisco-ios / snmpv3-user-secrets
Cisco IOS SNMPv3 users can be configured with authentication and privacy secrets for authenticated and encrypted SNMP management. These secrets are per-SNMP-user credentials stored in the IOS configuration.
Looks like
pattern^snmp-server user \S+ \S+ v3 (auth|encrypted|priv).*$(auth (md5|sha|sha-256|sha-384|sha-512) \S+|priv (des|3des|aes) \S+)Location
snmp-server user lines in the IOS running-config or startup-config
network monitoring templates and SNMP bootstrap configs
configuration repositories and NMS discovery exports
Notes
SNMPv3 is the hardened replacement for SNMP community strings, but the configured auth and privacy secrets are still credentials. A leaked SNMPv3 user with authPriv can provide authenticated management access within the views and ACLs assigned to that user.
Routing Protocol & IPsec Pre-Shared Keys
cisco-ios / routing-and-ipsec-keys
Cisco IOS stores shared secrets used to authenticate routing-protocol peers (EIGRP / OSPF / BGP / RIPv2 MD5 authentication keys) and IPsec peers (isakmp / IKEv2 pre-shared keys) directly in the configuration. These are per-peer secrets, not user login credentials, but they leak from the same config-file storage as the rest of this entry.
Looks like
pattern^\s*key-string (0|7)? ?[^\r\n]+$^\s*(message-digest-key|authentication-key)\s+\d+\s+md5\s+(0|7)?\s?[^\r\n]+$^\s*neighbor \S+ password (0|7)? ?[^\r\n]+$^crypto isakmp key (0|6)? ?\S+ address \S+^\s*pre-shared-key (local|remote)? ?(0|6)? ?[^\r\n]+$Location
`key chain`, `router ospf` / interface authentication, `router bgp` neighbor blocks, `crypto isakmp` / `crypto ikev2 keyring` blocks
config backups, network-as-code repositories, HA replacement configs
Notes
The trust boundary differs from AAA: a leaked routing-protocol key lets an attacker inject or accept routes with the affected peer(s), and a leaked IPsec PSK lets an attacker impersonate one end of the tunnel. Type 6 encoding (AES) is only as strong as the master key, which is stored on the device — losing the running-config generally means losing both.
Type 6 Master Key / AES-Encrypted Secrets
cisco-ios / type-6-master-key-and-encrypted-secrets
Cisco IOS can store certain pre-shared keys and passwords using type 6 AES encryption. The encryption depends on the master key configured by key config-key password-encrypt; losing both the configuration and the master key exposes the protected secrets.
Looks like
pattern^key config-key password-encrypt [^\r\n]+$\b6 [A-Fa-f0-9]{16,}\bLocation
IOS running-config or startup-config containing type 6 secrets and key config-key
configuration backups, network-as-code repositories, and HA replacement configs
Notes
Type 6 is stronger than type 7, but it is still configuration-bound secret storage. Backups that include both encrypted type 6 values and the configured master key should be treated as containing recoverable plaintext credentials.
Type 7 Encoded Secret
cisco-ios / type-7-encoded-secret
Cisco IOS type 7 is the reversible encoding produced by `service password-encryption` for passwords, CHAP secrets, and similar data saved in the configuration. Cisco states that the algorithm is a simple Vigenere cipher and is not designed to protect configuration files against serious analysis.
Looks like
pattern(password|key|community|key-string) 7 [0-9A-Fa-f]{4,}Location
any IOS command storing a type 7 password or key
config backups, audit exports, and archived `show tech` output
Notes
Treat type 7 values as recoverable plaintext — public tools decode them in a single step. The command context is required to tell whether the value is a line password, user password, SNMP community, AAA key, routing-protocol key, or another shared secret. A single leaked config typically yields multiple type 7 values across different commands.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.