Password recovery via SNMP

Unanswered Question
Apr 21st, 2010

Hi

Has anybody ever tried resetting a vty or the enable secret password via SNMP? I've read that there is something you can do with pulling back the running-config and comparing it to startup-config... via SNMP, assuming you know the RW community string.

But I was sure there was another method available whereby you could (if you knew snmp community-name) reset the passwords remotely using snmp?

Regards

Mary

angvarga Wed, 04/21/2010 - 09:19

Hello Mary,

To change the vty password, it is necessary to know the Read-Write (RW) community string, since the procedure needs to write information in some of the OIDs.

This is the link with the information about How To Copy Configurations To and From Cisco Devices Using SNMP:

http://www.cisco.com/en/US/partner/tech/tk648/tk362/technologies_configuration_example09186a0080094aa6.shtml

You can create a .txt file with just the lines you want to send to the device and these ones will be added to the configuration you already have.

I will prepare an example for you and post it so you can take a look.

Angel V.

tavoularisr Thu, 12/15/2011 - 08:38

I had the same problem, and I followed these instructions and they worked perfectly.  I just wanted to say thanks!

angvarga Wed, 04/21/2010 - 10:48

Hello Mary,

This is the example I have for you:

What we need to do is create a new ROW in the device within the ccCopyTable MIB, where all the values are going to be stored in order to replace the line we want in the configuration:

In the procedure to recover the password via SNMP only, instead of referencing a file with an entire configuration, the contents of the file would be simply the password information that you want to change to. It won't leave you with a one-line config. It will just overwrite the one line that is in your current running config. The rest should stay the same.


For example, create a .txt file with just these 2 lines in the TFTP boot directory of your TFTP application:


enable password newpass
end


*** Note: the end statement is totally necessary.


Step 1 (Creating the Row).
================================

Please look into MIB ccCopyEntryRowStatus

snmpset -v 2c -c private 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.14.222 i 5

NOTE: var_type is "i" for Integer

Value is 5 for createAndWait

In the MIB the last .222 is the entry index in the table. If the row is occupied then please destroy it first and try to create it and wait again.


Step 2 (Setting the protocol).
================================

We are going to use TFTP to transfer the device configuration with the OID ccCopyProtocol.

Please look into MIB ccCopyProtocol

snmpset -v 2c -c private 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.2.222 i 1

NOTE: Value is 1 for tftp


Step 3 (Specifying  the Source).
================================

We are going to specify that what we want to copy is the file in your PC.

Please look into MIB ccCopySourceFileType

snmpset -v 2c -c private 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.3.222 i 1

NOTE: Value is 1 for networkFile


Step 4 (Specifying the Destination).
================================

Once we have specified the Source, we need to tell what would be the destination to where we are copying the file.

Please look into MIB ccCopyDestFileType

snmpset -v 2c -c private 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.4.222 i 4

NOTE: Value is 4 for runningConfig


Step 5 (TFTP Server's Address).
================================

Let's now set up the IP address of the server where the TFTP service is currently running and from where the configuration is going to get copied.

Please look into MIB ccCopyServerAddress

snmpset -v 2c -c private 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.5.222 a

NOTE: var_type is "a" for IP address

Value is the TFTP server's IP address


Step 6 (Specifying the File name in the TFTP Server).
================================

Now, we need to tell the name of the file where the data is going to be sent to or stored (the one you created with the 2 lines).

Please look into MIB ccCopyFileName

snmpset -v 2c -c private 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.6.222 s

NOTE: var_type is "s" for Display String. Sometimes the name could need " " around it.

Value is the file name in the TFTP boot previously created with full privileges


Step 7 (Deploy the settings and run it).
================================

The last thing is deploying the settings so the config copy takes place. Before activating row 222, we must double-check that the TFTP service is up and running.

Is the service running?

If yes, then activate the row with the following snmpset.

Please look into MIB ccCopyEntryRowStatus

snmpset -v 2c -c private 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.14.222 i 1

NOTE: Value is 1 for active.


Step 8 (Check the results).
================================

Check if the transfer was successful.

Do an snmpwalk on 1.3.6.1.4.1.9.9.96.1.1.1.1.10.222 (ccCopyState).

Results:

1:waiting
2:running
3:successful
4:failed


Step 9 (Try to access the device).
================================

This should be more than enough to change a specific line in the configuration using SNMP.


I hope this answered your question.

Best Regards,

Angel V.
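From the defender's side, the same ccCopyTable writes that Angel's steps perform are exactly what an SNMP SET audit should flag. The following is an added example (not from the original thread or from Cisco): it parses SET records in an assumed, constructed log format, groups them per ccCopyTable row, and reports rows that were activated with a network file as the source and running-config as the destination, using the column numbers and enum values quoted in the thread.

```python
import re

# ccCopyTable (CISCO-CONFIG-COPY-MIB) entry prefix; the trailing "<column>.<row>" varies
CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1."
SOURCE_TYPE, DEST_TYPE, SERVER_ADDR, FILE_NAME, ROW_STATUS = 3, 4, 5, 6, 14
NETWORK_FILE, RUNNING_CONFIG, ROW_ACTIVE = "1", "4", "1"  # enum values quoted in the thread

# Assumed (constructed) log line shape: <timestamp> snmp-set src=<ip> oid=<oid> value=<value>
LINE_RE = re.compile(r"^\S+ snmp-set src=(\S+) oid=(\S+) value=(.*)$")

def parse_set(line):
    """Return (src, column, row, value) for a SET on ccCopyTable, else None."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group(2).startswith(CC_COPY_ENTRY):
        return None
    src, oid, value = m.groups()
    column, row = oid[len(CC_COPY_ENTRY):].split(".", 1)
    return src, int(column), int(row), value.strip('"')

def find_running_config_merges(lines):
    """Flag ccCopyTable rows activated with a network file as source and
    running-config as destination: the merge the thread's steps perform."""
    rows = {}  # (setter, row index) -> {column: last value written}
    for line in lines:
        parsed = parse_set(line)
        if parsed:
            src, column, row, value = parsed
            rows.setdefault((src, row), {})[column] = value
    hits = []
    for (src, row), cols in rows.items():
        if (cols.get(SOURCE_TYPE) == NETWORK_FILE and cols.get(DEST_TYPE) == RUNNING_CONFIG
                and cols.get(ROW_STATUS) == ROW_ACTIVE):
            hits.append({"src": src, "row": row, "server": cols.get(SERVER_ADDR, "?"),
                         "file": cols.get(FILE_NAME, "?")})
    return hits

# Constructed sample log: one full merge into running-config from 192.0.2.50, plus noise
SAMPLE_LOG = """\
2010-04-21T09:30:01 snmp-set src=192.0.2.50 oid=1.3.6.1.4.1.9.9.96.1.1.1.1.14.222 value=5
2010-04-21T09:30:02 snmp-set src=192.0.2.50 oid=1.3.6.1.4.1.9.9.96.1.1.1.1.2.222 value=1
2010-04-21T09:30:03 snmp-set src=192.0.2.50 oid=1.3.6.1.4.1.9.9.96.1.1.1.1.3.222 value=1
2010-04-21T09:30:04 snmp-set src=192.0.2.50 oid=1.3.6.1.4.1.9.9.96.1.1.1.1.4.222 value=4
2010-04-21T09:30:05 snmp-set src=192.0.2.50 oid=1.3.6.1.4.1.9.9.96.1.1.1.1.5.222 value=192.0.2.50
2010-04-21T09:30:06 snmp-set src=192.0.2.50 oid=1.3.6.1.4.1.9.9.96.1.1.1.1.6.222 value="newpass.txt"
2010-04-21T09:30:07 snmp-set src=192.0.2.50 oid=1.3.6.1.4.1.9.9.96.1.1.1.1.14.222 value=1
2010-04-21T09:40:00 snmp-set src=192.0.2.7 oid=1.3.6.1.4.1.9.9.96.1.1.1.1.4.333 value=1
2010-04-21T09:40:01 snmp-set src=192.0.2.7 oid=1.3.6.1.2.1.1.5.0 value=router1
"""
```

Running `find_running_config_merges(SAMPLE_LOG.splitlines())` reports the row-222 merge with its TFTP server and file name, while the unrelated SET from 192.0.2.7 is ignored.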

m.renshaw Wed, 11/02/2011 - 08:26

Can you set the "ip tftp source-interface" before running the tftp?

angvarga Wed, 11/02/2011 - 08:46

No, it would not work. You have to set the IP address of the TFTP server in the ccCopyServerAddress OID; that is the value that will be used for the transfer.

m.renshaw Wed, 11/02/2011 - 08:52

So if all my interfaces have "vrf forwarding" and I didn't have the "ip tftp source-interface" command, I wouldn't be able to pull the text file down to the router.

angvarga Wed, 11/02/2011 - 09:02

What I mean in my previous post is that you don't need that command. The TFTP transfer is done by SNMP, therefore all the details about the TFTP transfer need to be configured/set in the OIDs of the ccCopyTable MIB. Obviously, between the device and the PC on which you have the TFTP application you need to have the TFTP protocol open (no firewalls or ACLs blocking it).

If you need further assistance with the procedure I strongly recommend you to open a TAC service request.

Posted April 21, 2010 at 8:55 AM