Foundry uses an hash to encrypt the MD5 passwords in the config (not the MD5 used for the packets). It does not use the same hash as Cisco which is a shame because Cisco uses type 7 encryption of which a reverse algorithm does exist. i.e. it's not a one-way-hash.

Today when configuring a peer I discovered that the Foundry hashing mechanism is probably also pretty easy to reverse. Look at this example:

Password: nikn93(b
Hash:         $g=Dg{8p2

The first that we can clearly see is that there are 2 exactly the same characters in the hash and in the password. So this indicates at least that an 'n' is a 'g'. Let's do some more testing:

Password: mekker
Hash:         $6nDDnU

Ok, some more evidence rises, the 'k' is an 'D' and the 'e' is an 'n'. Which both samples prove. It looks like this is a keymapping algorithm (which obviously is pretty quick to crack).

Here is a keymapping of the alfabet, digits and some special signs:

Password: abcdefghijklmnopqrstuvwxyz
Hash:        $!2d@nG"b=?D^6gsSRU-oir+Cx

Password: 01234567890-=!@#%^&*()
Hash:         $QZ|83OmYW{QM$V1Iu<>Xpz

I'll work up on generating a full keymapping table to decrypt these, eventually resulting in a perl script that will decode these hashes.