Using Python to Remove Passwords and IP Addresses From Configuration Files

by: George El., January 2019, Reading time: 4 minutes

Let's assume you have a configuration file that you want to send to someone, but you want to remove the passwords and IP addresses before you send it. The program takes one argument: the configuration file to read.

import sys
import re

if len(sys.argv) < 2:
    print("please type a configuration file: replaceIPs.py file.conf")
    sys.exit(1)  # non-zero exit status signals the usage error

with open(sys.argv[1],"r") as f:
    file = f.readlines()

replaceIPwith="X.X.X.X"
replacePasswith="XXXXX"

def checkIP(m):
    # re.sub calls this for every match; mask it only if all four octets are 0-255
    return replaceIPwith if len([x for x in m.groups() if 0<= int(x) <=255])==4 else m.group(0)


for line in file:
    line = re.sub(r'(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})',checkIP,line) # this will replace only valid IPs
    #line = re.sub(r'(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})',"X.X.X.X",line) # if you don't want to check validity you can uncomment this line and comment the previous one
    line = re.sub(r'(password \d ).*$',r'\1'+replacePasswith,line) # replace Passwords
    #line = re.sub(r'^username.*$','!',line) # delete the user line completely
    print (line, end='')

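I will walk through the checkIP function because it is the most complicated part. re.sub calls it for every match and uses the return value as the replacement: the mask if all four octets are between 0 and 255, otherwise the matched text unchanged. It could be written more verbosely as follows: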

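def checkIP(m):
    # keep only the octets that are in the valid range 0-255
    list1 = [x for x in m.groups() if 0<= int(x) <=255]
    if len(list1) == 4:
        # all four octets are valid: replace the address with the mask
        return replaceIPwith
    else:
        # not a valid IP (e.g. 999.1.1.1): return the matched text unchanged
        return m.group(0)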

If you want to save the output, you can redirect it to a file like this:
python replaceIPs.py file.conf > config-output.conf

So if I have this config file:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password 7 151A0E000825322B3D
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip domain name mydomain.com
!
!
!
username admin privilege 15 secret 5 $1$lb33$HqC.8wnS5bbz1wRUv71JW0
username cisco password 7 00071A150754
!
!
ip tcp synwait-time 5
ip ssh version 2
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 ip address 10.0.2.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 1.1.1.1 0.0.0.0
 network 10.0.0.0
 no auto-summary
!
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 11011C091B1D1C0316262F
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password 7 052303032D435A011C1712
 login local
 transport input telnet ssh
!
!
end

You can see I have deliberately created users with password instead of secret, passwords on line vty and con, and an enable password.

Now if I run python replaceIPs.py 1.1.1.1.txt I get the following output:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password 7 XXXXX
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip domain name mydomain.com
!
!
!
!
username admin privilege 15 secret 5 $1$lb33$HqC.8wnS5bbz1wRUv71JW0
username cisco password 7 XXXXX
!
!
ip tcp synwait-time 5
ip ssh version 2
!
!
!
interface Loopback1
 ip address x.x.x.x x.x.x.x
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 ip address x.x.x.x x.x.x.x
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 ip address x.x.x.x x.x.x.x
 duplex auto
 speed auto
!
router eigrp 1
 network x.x.x.x x.x.x.x
 network x.x.x.x
 no auto-summary
!
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 XXXXX
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password 7 XXXXX
 login local
 transport input telnet ssh
!
!
end

You can see that the addresses have become ip address x.x.x.x x.x.x.x and the passwords password 7 XXXXX. The secret was not replaced because, unlike a type 7 password, it is a one-way hash that cannot be decoded back to the password. A hash can still be guessed offline, though, so you can also replace it by adding the following line:

    line = re.sub(r'(secret \d ).*$',r'\1'+replacePasswith,line) # replace secrets

The \d matches the type digit (7 or 0) that follows the password keyword. You can remove it from the pattern if you don't want the digit to appear in the output:

    line = re.sub(r'(secret ).*$',r'\1'+replacePasswith,line) # replace secrets, type digit included
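Before sending a sanitized file, it is worth checking that nothing sensitive survived the substitutions. The following is an added example, not the article's own code: it wraps the article's rules in a function and adds a post-check that lists every line still holding a credential or a valid IPv4 address. The names sanitize, leftovers and CRED_RE, and the digit/dot boundaries around the IP pattern, are assumptions of this example.

```python
import re

# Added example: the article's substitutions plus a check of the result.
# The lookarounds stop the pattern matching inside longer dotted numbers.
IP_RE = re.compile(r'(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])')
# Keyword, type digit, credential (rule list assumed for this example).
CRED_RE = re.compile(r'\b(password|secret) (\d) (\S+)')
IP_MASK, PASS_MASK = "X.X.X.X", "XXXXX"

def mask_ip(m):
    # Same test as the article's checkIP: all four octets must be 0-255.
    return IP_MASK if all(0 <= int(x) <= 255 for x in m.groups()) else m.group(0)

def sanitize(text, mask_secrets=True):
    out = []
    for line in text.splitlines():
        line = IP_RE.sub(mask_ip, line)
        line = re.sub(r'(password \d ).*$', r'\1' + PASS_MASK, line)
        if mask_secrets:  # the extra rule the article adds at the end
            line = re.sub(r'(secret \d ).*$', r'\1' + PASS_MASK, line)
        out.append(line)
    return "\n".join(out)

def leftovers(text):
    """Return (line_number, line) for lines still holding a credential or valid IP."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        cred = CRED_RE.search(line)
        leaked_cred = cred is not None and cred.group(3) != PASS_MASK
        leaked_ip = any(mask_ip(m) == IP_MASK for m in IP_RE.finditer(line))
        if leaked_cred or leaked_ip:
            found.append((n, line))
    return found

# Constructed sample: a few lines taken from the article's example config.
SAMPLE = """\
version 12.4
enable password 7 151A0E000825322B3D
username admin privilege 15 secret 5 $1$lb33$HqC.8wnS5bbz1wRUv71JW0
username cisco password 7 00071A150754
 ip address 10.0.1.1 255.255.255.0
 network 10.0.0.0
"""

if __name__ == "__main__":
    for mask_secrets in (False, True):
        print(mask_secrets, leftovers(sanitize(SAMPLE, mask_secrets)))
```

With only the password and IP rules, the check reports the secret 5 line; with the secret rule enabled it reports nothing.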