Switch crashed, now passwords not functioning

poirot1967 · ‎09-05-2007

(*Sorry to be long winded, but I guess detail counts*)

We had the perfect storm...network wise anway. Our cumpuattional culster was doing a huge data-push, while there was a deep SARA scan going on. The little 4003 was not able to take the beating from both sides and crashed.

When we it rebooted, everything seemed to be fine. All the VLANs were intact, the servers saw one another, access semed to be restored. I just couldn't log into the server. I have the right password, but it isn't accepting it. I can access the switch, still running COS 7.1 (I know, I know...I have a 4503 in the wings as a replacement), but only with SNMP. The community strings seem to have been reset to the default.

I know how to do a password recovery/reset, but I am unable to do a reboot till next week. That being said, this is a gaping security hole, and my ISSO knows about it. Is there a way to either set the community strings properly or totally deactivate SNMP, via SNMP. Take into consideration, I am a total Noob to SNMP other than setting the strings.

Any advice would deeply be apreciated.

Thanks

Poirot

David Stanford · ‎09-05-2007

You can try using snmp to change the password on the device and see if you can get in

CatOS:

http://www.cisco.com/en/US/customer/tech/tk648/tk362/technologies_tech_note09186a0080094aa3.shtml

IOS (example):

THESE PROCEDURES WILL NOT WORK IF THERE IS NOT A READ-WRITE STRING (as in 'snmp-server community private RW') OR THE READ-WRITE STRING IS NOT KNOWN!!.

Command-line Procedure (HPOV or Netview)

1.In /tftpboot directory create the router-confg file (read-write-executable by all) which contains the partial file you want to send (examples follow below).

2.From the management station command-line:

/usr/OV/bin/snmpset -c rw-string #.#.#.# .1.3.6.1.4.1.9.2.1.53.$.$.$.$ octetstring router-confg

where:

the rw-string is the router read-write snmp community string (as in 'snmp-server community private RW')

#.#.#.# is the ip (or DNS name) of the router

$.$.$.$ is the ip of the tftp server in which the router-confg file resides in the /tftpboot directory

router-confg is the name of the file in the /tftpboot directory

3.After the file is written to ram, copy it to nvram:

/usr/OV/bin/snmpset -c rw-string #.#.#.# .1.3.6.1.4.1.9.2.1.54.0 integer 1

where:

the rw-string is the router read-write snmp community string (as in 'snmp-server community private RW').

#.#.#.# is the ip (or DNS name) of the router.

routr-confg files

Enable password changing/recovery through snmp:

!

enable password cisco

no enable secret

!

end

Breaking into line and console passwords through snmp:

!

line vty 0 4

login

password cisco

!

line con 0

login

password cisco

!

end

poirot1967 · ‎09-06-2007

Thanks for the reply. So the basic process is to use SNMP to copy the config from the switch, edit it then upload it back. Ok.

After looking at the config, it seems that the password is hashed or encrypted. If I just replaced that hash with a new password, will it accept it?

Thanks

Poirot

avmabe · ‎09-06-2007

Yes, but if you have the level7 password downloaded from the config, just type "level 7 cisco cracker" into google and enter the hash in one of the dozens of sites that are returned.

It will give you the plain text of the password for Level7 passwords.

poirot1967 · ‎09-07-2007

Thanks. It looks like it is not a level 7 password. I believe it is a blowfish hash, as it starts with $2$....I did a little ferreting around with a Linux guy. I wasn't able to find a blowfish util that didn't need a seed key.

Thanks

Poirot