09-05-2007 10:18 AM
(*Sorry to be long-winded, but I guess detail counts*)
We had the perfect storm...network-wise anyway. Our computational cluster was doing a huge data-push, while there was a deep SARA scan going on. The little 4003 was not able to take the beating from both sides and crashed.
When it rebooted, everything seemed to be fine. All the VLANs were intact, the servers saw one another, access seemed to be restored. I just couldn't log into the server. I have the right password, but it isn't accepting it. I can access the switch, still running COS 7.1 (I know, I know...I have a 4503 in the wings as a replacement), but only with SNMP. The community strings seem to have been reset to the default.
I know how to do a password recovery/reset, but I am unable to do a reboot till next week. That being said, this is a gaping security hole, and my ISSO knows about it. Is there a way to either set the community strings properly or totally deactivate SNMP, via SNMP? Take into consideration, I am a total Noob to SNMP other than setting the strings.
Any advice would be deeply appreciated.
Thanks
Poirot
09-05-2007 08:27 PM
You can try using SNMP to change the password on the device and see if you can get in.
CatOS:
http://www.cisco.com/en/US/customer/tech/tk648/tk362/technologies_tech_note09186a0080094aa3.shtml
IOS (example):
THESE PROCEDURES WILL NOT WORK IF THERE IS NOT A READ-WRITE STRING (as in 'snmp-server community private RW') OR THE READ-WRITE STRING IS NOT KNOWN!!.
Command-line Procedure (HPOV or Netview)
1. In /tftpboot directory create the router-confg file (read-write-executable by all) which contains the partial file you want to send (examples follow below).
2. From the management station command-line:
/usr/OV/bin/snmpset -c rw-string #.#.#.# .1.3.6.1.4.1.9.2.1.53.$.$.$.$ octetstring router-confg
where:
the rw-string is the router read-write snmp community string (as in 'snmp-server community private RW')
#.#.#.# is the ip (or DNS name) of the router
$.$.$.$ is the ip of the tftp server in which the router-confg file resides in the /tftpboot directory
router-confg is the name of the file in the /tftpboot directory
3. After the file is written to ram, copy it to nvram:
/usr/OV/bin/snmpset -c rw-string #.#.#.# .1.3.6.1.4.1.9.2.1.54.0 integer 1
where:
the rw-string is the router read-write snmp community string (as in 'snmp-server community private RW').
#.#.#.# is the ip (or DNS name) of the router.
router-confg files
Enable password changing/recovery through snmp:
!
enable password cisco
no enable secret
!
end
Breaking into line and console passwords through snmp:
!
line vty 0 4
login
password cisco
!
line con 0
login
password cisco
!
end
09-06-2007 04:20 AM
Thanks for the reply. So the basic process is to use SNMP to copy the config from the switch, edit it then upload it back. Ok.
After looking at the config, it seems that the password is hashed or encrypted. If I just replaced that hash with a new password, will it accept it?
Thanks
Poirot
09-06-2007 05:34 AM
Yes, but if you have the level7 password downloaded from the config, just type "level 7 cisco cracker" into google and enter the hash in one of the dozens of sites that are returned.
It will give you the plain text of the password for Level7 passwords.
09-07-2007 12:17 PM
Thanks. It looks like it is not a level 7 password. I believe it is a blowfish hash, as it starts with $2$....I did a little ferreting around with a Linux guy. I wasn't able to find a blowfish util that didn't need a seed key.
Thanks
Poirot
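The exposures this thread turns on (default or unrestricted read-write community strings, an enable password with no enable secret, plaintext or type 7 line passwords) can be checked for in a saved IOS-style config. This is an added example, not part of any post above; the finding names, the WELL_KNOWN list and the sample config are constructed for illustration.

```python
import re

# Assumed list of well-known community strings; extend it for your environment.
WELL_KNOWN = {"public", "private"}
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$", re.I)
PW_RE = re.compile(r"^(enable )?password (?:(\d+) )?(\S+)$", re.I)

# Constructed sample config (placeholder values, not taken from a real device).
SAMPLE = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-mgmt RW 10
enable password cisco
no enable secret
line vty 0 4
 login
 password 7 EXAMPLEHASH
"""

def audit_config(text):
    """Return sorted (line_no, code, detail) findings for an IOS-style config."""
    findings = []
    saw_enable_secret = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if re.match(r"^enable secret \S", line, re.I):
            saw_enable_secret = True
        m = SNMP_RE.match(line)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in WELL_KNOWN:
                findings.append((no, "SNMP_DEFAULT_COMMUNITY", mode.upper()))
            if mode.upper() == "RW" and acl is None:
                findings.append((no, "SNMP_RW_NO_ACL", "write access not restricted by ACL"))
            continue
        m = PW_RE.match(line)
        if m:
            scope = "enable" if m.group(1) else "line"
            enc = m.group(2) or "0"  # no type digit means plaintext (type 0)
            if enc in ("0", "7"):    # plaintext or reversible encoding
                findings.append((no, "WEAK_PASSWORD_STORAGE", f"{scope} type {enc}"))
    if not saw_enable_secret:
        findings.append((0, "NO_ENABLE_SECRET", "no 'enable secret' line present"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_config(SAMPLE), sep="\n")
```

Line number 0 marks a finding about the config as a whole rather than a single line.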