
Password recovery via SNMP

maryodriscoll
Level 1

Hi

Has anybody ever tried resetting a vty or the enable secret password via SNMP? I've read that there is something you can do with pulling back the running-config and comparing it to startup-config... via SNMP, assuming you know the RW community string.

But I was sure there was another method available whereby you could (if you knew the SNMP community name) reset the passwords remotely using SNMP?

Regards

Mary

11 Replies

angvarga
Level 1

Hello Mary,

To change the vty password, it is necessary to know the Read-Write (RW) community string, since the procedure needs to write information in some of the OIDs.

This is the link with the information about How To Copy Configurations To and From Cisco Devices Using SNMP:

http://www.cisco.com/en/US/partner/tech/tk648/tk362/technologies_configuration_example09186a0080094aa6.shtml

You can create a .txt file with just the lines you want to send to the device and these ones will be added to the configuration you already have.

I will prepare an example for you and post it so you can take a look.

Angel V.

I had the same problem, and I followed these instructions and they worked perfectly.  I just wanted to say thanks!

angvarga
Level 1

Hello Mary,

This is the example I have for you:

What we need to do is create a new row in the device within the ccCopyTable MIB, where all the values are going to be stored in order to replace the line we want in the configuration:


For the procedure to recover the password via SNMP only, instead of referencing a file with an entire configuration, the contents of the file would simply be the password information that you want to change to. It won't leave you with a one-line config. It will just overwrite the one line that is in your current running config. The rest should stay the same.


For example, create a .txt file with just these 2 lines in the TFTP boot directory of your TFTP application:


enable password newpass
end


*** Note: the end statement is totally necessary.


Step 1 (Creating the Row).
================================

Please look into MIB ccCopyEntryRowStatus

snmpset  -v  2c  -c  private  10.10.10.2  1.3.6.1.4.1.9.9.96.1.1.1.1.14.222  i  5

NOTE: var_type is "i" for Integer

Value is 5 for createAndWait

In the MIB the last .222 is the entry index in the table. If the row is occupied then please destroy it first and try to create it and wait again.


Step 2 (Setting the protocol).
================================

We are going to use TFTP to transfer the device configuration with the OID ccCopyProtocol.

Please look into MIB ccCopyProtocol

snmpset  -v  2c  -c  private  10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.2.222  i  1

NOTE: Value is 1 for tftp


Step 3 (Specifying  the Source).
================================

We are going to specify that what we want to copy is the file in your PC.

Please look into MIB ccCopySourceFileType

snmpset  -v  2c  -c  private  10.10.10.2  1.3.6.1.4.1.9.9.96.1.1.1.1.3.222  i  1

NOTE: Value is 1 for networkFile


Step 4 (Specifying the Destination).
================================

Once we have specified the Source, we need to tell what would be the destination to where
we are copying the file.

Please look into MIB ccCopyDestFileType

snmpset  -v  2c  -c  private  10.10.10.2  1.3.6.1.4.1.9.9.96.1.1.1.1.4.222  i  4

NOTE: Value is 4 for runningConfig


Step 5 (TFTP Server's Address).
================================

Let's now setup the IP address of the server where the TFTP service is currently running and where the configuration is going to get copied.

Please look into MIB ccCopyServerAddress

snmpset  -v  2c  -c  private  10.10.10.2  1.3.6.1.4.1.9.9.96.1.1.1.1.5.222  a

NOTE: var_type is "a" for IP address

Value is the TFTP server's IP address


Step 6 (Specifying the File name in the TFTP Server).
================================

Now, we need to tell the name of the file where the data is going to be sent to or stored (the one you create with the 2 lines).

Please look into MIB ccCopyFileName

snmpset  -v  2c  -c  private  10.10.10.2  1.3.6.1.4.1.9.9.96.1.1.1.1.6.222  s

NOTE: var_type is "s" for Display String. Sometimes the name could need " "

Value is the file name in the TFTP boot previously created with full privileges


Step 7 (Deploy the settings and run it).
================================

Last thing is deploying the settings so the config archive takes place. Before activating the row 222,  we must double-check that the TFTP service is up and running.

Is the service running?

If yes, then activate the row with the following snmpset.

Please look into MIB ccCopyEntryRowStatus

snmpset  -v  2c  -c  private  10.10.10.2  1.3.6.1.4.1.9.9.96.1.1.1.1.14.222 i 1

NOTE: Value is 1 for active.


Step 8 (Check the results).
================================

Check if the transfer was successful.

Do an snmpwalk on 1.3.6.1.4.1.9.9.96.1.1.1.1.10.222

Results:

1:waiting
2:running
3:successful
4:failed


Step 9 (Try to access the device).
================================

This should be more than enough to change a specific line in the configuration using SNMP.


I hope this answered your question.

Best Regards,

Angel V.
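Added example, not part of the original thread: a defender-side check that rebuilds the row writes from steps 1 to 7 out of decoded SNMP SET traffic and alerts when a ccCopyTable row is activated with runningConfig as the destination. The input line layout, the 192.0.2.x addresses and the file name newpass.txt are constructed assumptions; the OIDs and values are the ones used in this thread.

```python
from collections import defaultdict

CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1."   # ccCopyEntry prefix used in the steps above
COLUMNS = {2: "protocol", 3: "src_type", 4: "dst_type",
           5: "server", 6: "file", 14: "row_status"}
ACTIVE = "1"            # ccCopyEntryRowStatus value that starts the copy (step 7)
DESTROY = "6"           # ccCopyEntryRowStatus value that frees the row
RUNNING_CONFIG = "4"    # ccCopyDestFileType value for runningConfig (step 4)

# Constructed sample: decoded SNMP SET varbinds, one per line, in a made-up
# "manager device oid value" layout (adapt the parsing to your sensor output).
SAMPLE = """\
192.0.2.50 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.14.222 5
192.0.2.50 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.2.222 1
192.0.2.50 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.3.222 1
192.0.2.50 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.4.222 4
192.0.2.50 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.5.222 192.0.2.50
192.0.2.50 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.6.222 newpass.txt
192.0.2.50 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.14.222 1
192.0.2.50 10.10.10.2 1.3.6.1.4.1.9.9.96.1.1.1.1.14.222 6
192.0.2.7 10.10.10.3 1.3.6.1.2.1.1.5.0 core-sw1
"""

def find_config_pushes(text):
    """Return one alert per ccCopyTable row activated with dest runningConfig."""
    rows = defaultdict(dict)          # (manager, device, row index) -> column values
    alerts = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or not parts[2].startswith(CC_COPY_ENTRY):
            continue                  # malformed line or unrelated OID
        src, dst, oid, value = parts
        col, _, index = oid[len(CC_COPY_ENTRY):].partition(".")
        if not col.isdigit() or int(col) not in COLUMNS or not index:
            continue                  # column this check does not track
        key, name = (src, dst, index), COLUMNS[int(col)]
        if name == "row_status" and value == ACTIVE:
            row = rows[key]           # settings written to this row so far
            if row.get("dst_type") == RUNNING_CONFIG:
                alerts.append({"manager": src, "device": dst, "row": index,
                               "server": row.get("server"), "file": row.get("file")})
        elif name == "row_status" and value == DESTROY:
            rows.pop(key, None)       # row released; forget its settings
        else:
            rows[key][name] = value
    return alerts

if __name__ == "__main__":
    print(find_config_pushes(SAMPLE))
```

Each alert names the SNMP manager, the device, the TFTP server and the file, which is what an analyst needs to decide whether the push was an authorised recovery.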

Can you set the "ip tftp source-interface" before running the tftp?

No, it would not work, you have to set the IP address of the TFTP server in the ccCopyServerAddress OID; that is the value that will be used for the transfer.

So if all my interfaces have "vrf forwarding" and I didn't have the "ip tftp source-interface" command, I wouldn't be able to pull the text file down to the router.

What I mean in my previous post is that you don't need that command; the TFTP transference is done by SNMP, therefore all the details about the TFTP transference need to be configured/set in the OIDs of the ccCopyTable MIB. Obviously, between the device and the PC in which you have the TFTP application you need to have the TFTP protocol open (no firewalls or ACLs blocking it).

If you need further assistance with the procedure I strongly recommend you to open a TAC service request.

This works great on IOS 12.0 and above. Thanks for the instructions.

I am having issues with 4507 IOS-XE and it's not working. Do you know the MIB values for 4507 as well?

Thanks

Awesome!

I tried to do this many years back with no success. Today I have managed to carry out the process with no issues! I had to try 2 times before it finally worked as the 1st time I messed up the path to the file and the second time I needed "enable secret" instead of "enable password". Also, each whole set of SNMP commands requires a different SNMP "row" number, else you will get an error if you attempt to reuse "222".

Good Luck.

Also, each whole set of SNMP commands requires a different SNMP "row" number  else you will get an error if you attempt to reuse "222". 

As the final step you should always set the ccCopyEntryRowStatus to "destroy" (6):

snmpset  -v  2c  -c  private  10.10.10.2  1.3.6.1.4.1.9.9.96.1.1.1.1.14.222 i 6

After that you can reuse the same random number.

HTH

Rolf

It helps me a lot!
Thank you!