Case combat: the switch password is lost how to restore? - Vulnerability warning-the black bar safety net

2008-10-18T00:00:00
ID MYHACK58:62200820730
Type myhack58
Reporter 佚名
Modified 2008-10-18T00:00:00

Description

Editor's note: the computer password is lost, we can use a password remove the disc and other tools to solve, but a switch, a router password is lost, you cannot use the CD and other tools, and requirements Does not change the original configuration files in case it how to do it?

As the Internet continues to expand, network with our lives has been more and more near, many governments, schools and companies have established their own information network, which makes switches and routers that the network equipment is used more and more widely. In the use of switches and routers in the process often there will be a Forgot Password thing, so that the maintenance personnel cannot log in, the impact of the further work carried out. This section will introduce the recover switch password ideas and steps.

The former network administrator of separation caused by the switch password is lost

As is well known, switches and routers are required to have certain security guarantees, that is, to time for their reasonable configuration of the password, then, if this password is forgotten?

A company's network administrator turnover, new recruitment of network administrators ready to re-configure the switch some of the parameters. But the discovery which more than one switch password with the"password"of the record is inconsistent. All of the company's network equipment generally, there are 3 passwords, a lot of people to help guess the password, respectively, try out the"original network administrator's birthday"and some default passwords, but are unable to login, as shown in Fig.

View the switch login password error

Solve the premise: you can not destroy the switch, the original configuration file

To the company management of the situation, most likely is not the switch and router running configuration file to the backup, and therefore need not destroy the switch configuration file changes and the configuration of a new password.

In addition, the company used network equipment many brands, Huawei, Shida, and Cisco three of the world. First, to be clear, different products spleen of the network devices themselves have a different file system, so crack the password is different, the following Cisco products as an example.

http://www.cisco.com/warp/public/474/index.shtml provides Cisco products password recovery Password Recovery Procedures)manual.

Or visit the National website http://www. net130. com/cms/Pubpspecial/special_password/ 202320.htm part of the CISCO Password Recovery manual.

1. Password Recovery principles

All Cisco routers have a bit in the NVRAM of the 1 6-bit software register. By default, the configuration register settings from the flash memory to load the Cisco IOS from NVRAM locate and load startup-config file. In hands-on recovery password first before you want to learn more about IOS the characteristics of management.

  1. Theoperating systemmode

The router can load 3 types ofoperating system: the

(1)full-featured IOS

Generally in flash memory, can be placed in the TFTP server; the application to a product of full functions of the normal IOS.

(2)limiting function of IOS

Generally in the ROM with the basic IP connectivity for the flash fails and you need IP connectivity to copy a new IOS into Flash memory in the case, referred to as RXBOOT mode.

(3)The ROM Monitor

Usually for the Cisco TAC of the low-level debugging and for password recovery, is called ROM Monitor mode.

For many beginners, not recommended to use the Cisco router ROM Monitor mode. The reason is simple: one is we do not often use this mode, for which the relevant operation is not familiar with; the second is in the ROM Monitor mode of operation mistakes, often will the router cause a fatal damage such as the destruction of the Flash of the IOS file, cause the system to crash it.

2)IOS startup sequence

IOS software boot sequence as described below, broadly divided into 4 steps.

Step 1: The router performs the Power On Self Test POST, to find and verify the hardware.

Step 2: The router from the ROM to load and run the bootstrap program code.

Step 3: The router to load the IOS or other software.

Step 4: The router finds the configuration file and loads it into running configuration.

Specific startup sequence may also be complex, as shown below.

Figure the router start from the figure

The router at each power up or reboot when you are trying to complete all this 4 steps. The router administrators can not change the POST code and its function. Note that in the self-boot code to load the IOS and configuration files can be changed, but a self-boot program code and the initial configuration is almost always placed in their default position, that is, from the boot program code in the ROM, and the initial configuration are generally placed in NVRAM. Therefore, the IOS or other software the position would become General only need to change the part.

3 register worth set

The following discussion of the configuration register settings and how these settings are used to recover the router's password. Configuration register 1 6 bits from left to right 1 5、1 4、1 3、......、 0。 Cisco router default configuration setting is 0x2102(0x indicates a hexadecimal to. That is, the first 1 to 3 bits, 8 bits and 1 bit value is 1, as shown in Table 6-1 6 shown in Fig.

Table 6-1 6 register bit

Register 2 1 0 2 Bit Value 1 5 1 4 1 3 1 2 1 1 1 0 9 8 7 6 5 4 3 2 1 0 Binary 0 0 1 0 0 0 0 1 0 0 0 0 0 0 1 0

The software configuration bits of significance as shown in Table 6-1 7 shown. Note that the first 6 bits are used to ignore the NVRAM contents. This bit can be used for password recovery.

Table 6-1 7 For each software configuration bit values with explanation

Digit hexadecimal interpretation 0~3 0x0000~0x000f boot field, see Table 6-1 8) 6 0x0040 ignore NVRAM contents 7 0x0080 enable OEM bit 8 0x0100 disable interrupt 1 0 0x0400 IP broadcast all zero 5,11~1 2 0x800 to 0x1000 console line rate 1 3 0x2000-if the network boot failure the boot default ROM software 1 4 0x4000 IP broadcasts do not contain the network number 1 5 0x8000 to start the diagnostic message and ignore NVRAM contents

Note that in the configuration register 0~3 bits of the start field is the router startup sequence, and Table 6-1 8 Further illustrates the respective position of use.

Table 6-1 8 Start field and use thereof

Boot field meaning use 0 0 ROM monitor mode if you want to start using the ROM monitor mode, the configuration register value is set to 2 1 0 to 0. Must use the b command to manually boot the router. The router will show the rommon>as a hint 0 1 From the ROM boot image file to boot stored in the ROM IOS Image File the configuration register value is set to 2 1 0 to 1. The router will display the router(boot)>as a hint 0 2~F specifies a default boot file name any from 2 1 0 2~210F value will tell the router uses the NVRAM specified by the boot command.

It is assumed that before the routing Controller register value has been modified, use the show version command to check the current configuration register value, as shown below:

The last line of information is the configuration register value, here is 0x2142, i.e., the next boot without loading the startup-config file, under normal circumstances the value should be 0x2102 to. Thus, as long as the interrupt router boot process, skip the startup-config contains the password authentication, which means passwords will not work.

Figure 6-4 to check the register values

The default configuration register value is 0x2102, meaning that Bit 6 is off the value is 0 it. By default, the router will find and load stored in the NVRAM of the router configuration files startup-config file. If you want to recover password, need to open the configuration registers of the first 6 bits tell the router to ignore the NVRAM contents. Open the first 6-bit configuration register value is 0x2142 to.

The following is a password recovery the major steps.

Step 1: Start the router and through the implementation of an interrupt to interrupt the boot sequence.

Step 2: modify the configuration register on the first 6-bit value to 0x2142 to.

Step 3: reload the router.

Step 4: Enter privileged mode.

Step 5: the startup-config file copy running-config file.

Step 6: modify the password.

Step 7: The configuration register is reset to the default value.

Step 8: save the configuration.

Step 9: reload the router.

3. Switch Password Recovery

Switch Password Recovery the principle is similar to routers, switch password recovery process is mainly by stopping the boot process, do not use the configuration file to achieve, but the specific operation method is different. CatOS and IOS exchange password recovery process is different, because this company exists in a few different models of Cisco equipment, so in the back of the operation process for different models of the development of the recovery strategy.

Combat process: crack routing, switch password

Since the remote hack these devices the password the opportunity is very small, the network administrators abandoned this idea, carry a good serial cable and the laptop came to the Cabinet next to, began to gradually crack each device password.

You first need to put the serial port to one end of the cable inserted in the network device on the back of the Console port, the other end inserted in an ordinary PC serial port. When the switch powers on, theOSusing the"super terminal"program. Open the"super terminal", in setting the connection parameters, you can password cracking.

1. Cisco 2 5 0 0 2 6 0 0 router

Step 1: boot the router and perform an interrupt.

When the router restarts, press the notebook [Ctrl+Break] key to interrupt the router startup, then will see a prompt Rommon 1> which is 2 6 0 0 series the router prompt; for 2 5 0 0 series the router prompt is">".

Step 2: modify the configuration register. For 2-6 0 0 series, command Rommon 1 >Config-register 0x2142; for 2 5 0 0 series the command is>o/r 0x2142 to.

Step 3: reload the router and enter privileged mode.

2 6 0 0 series, the input reset. In 2 5 0 0 series routers, the output I. The router will reload, this time will be asked if you want to use Setup mode answer No, press ENTER to enter user mode, type the Enable command to enter privileged mode.

Step 4: view and modify the configuration.

Now need the startup-config copy running-config file, give way by the controller in this case the running state to maintain a normal copy startup-config running-config, then configuration is the RAM running in the privileged mode, you can modify the configuration. Note: at this time, although into the router, but still cannot view the departure of the administrator, use the enable secret sets the encrypted passwordThat can be modified to become a new password, get it modified, as follows:

configure terminal

the enable secret(password)

Step 5: reset the configuration register and reload the router.

Modify the password after, be sure to use the config-register the configuration register setting back to the default value of Config-register 0x2102, and finally save the configuration copy running-config startup-config and reload the router, the password recovery to an end.

Be sure to note step 2 and step 5 in the command, must not reverse the order. Due to input errors, we are in a project implementation resulting in customer data loss, resulting in network paralysis up to 4 hours of the accident.

2. In the COS on the switch to recover the password

For CatOS for Catalyst switches, the Password Recovery steps are as follows.

Step 1: properly connected to the switch hardware and software.

Step 2: re-open the switch during the power on self test during operation.

Step 3: in the switch boot 3 0 seconds, in order to complete the following work.

At the password prompt press the ENTER key, enter an empty command.

At the prompt, enter enable, enter privileged mode.

At the password prompt press the ENTER key, enter an empty command.

Use the set password command or the set enablepass command to change the password.

At the prompt, press the ENTER key to enter the password.

Step 4: save the configuration, complete.

Due to the need for an administrator in 3 0 seconds of the input command, to avoid an input error such as operation impact, the above command is copied to a TXT text file, when using paste in the Operations console interface.

3. Cisco IOS switch Password Recovery

Cisco IOS switch than a CatOS switch Password Recovery, even more than the router Password Recovery have to be complicated.

Step 1: Disconnect the switch power cord.

Step 2: re-connect the power cord, always hold the Switch MODE button. Can be in the 1X interface of the LCD lamp is no longer lit 1 or 2 seconds after releasing the MODE button. In this case the System indicator light has been flashing, the console appears the following information.

The system has been interrupted prior to initializing the flash filesystem. The following commands will initialize the flash

filesystem, and finish loading the operating system software:

flash_init

boot

Step 3: enter the flash_init, initialize the flash file system.

Switch: flash_init

Initializing Flash...

flashfs[0]: 8 6 files, 4 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 1 5 9 9 8 9 7 6

flashfs[0]: Bytes used: 6 6 3 9 6 1 6

flashfs[0]: Bytes available: 9 3 5 9 3 6 0

flashfs[0]: flashfs fsck took 1 5 seconds.

...done Initializing Flash.

Boot Sector Filesystem (bs:) installed, fsid: 3

Step 4: Enter load_helper, load and initialize auxiliary image Helper Imager, which is stored in the ROM in the mini-IOS image, usually with disaster recovery.

Step 5: Enter dir flash: to have the colon, and display the Flash file system file and directory list.

Switch: dir flash:

Directory of flash:/

2-rwx 0 <date> env_vars

3-rwx 3 4 4 <date> system_env_vars

4-rwx 5 <date> private-config. text

6-rwx 2 1 4 9 <date> config. text

8 drwx 1 9 2 <date> c3550-i9q3l2-mz. 121-20. EA1a

9 3 5 9 3 6 0 bytes available (6 6 3 9 6 1 6 bytes used)

Step 6: Enter rename flash:config. text flash:config. old, this file name can be your own determination, modify the configuration file name. The file includes a password setting.

Step 7: enter boot to restart the system.

Step 8: after restart, the system prompts as follows.

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Would you like to terminate autoinstall? [yes]:↙

Enter no, do not enter the Set Mode Wizard Configuration dialog box. Press【Enter】key to enter user mode.

Step 9: at the switch prompt, enter enable to enter privileged mode.

The 1 Step 0: input the rename flash:config. old flash:config. text, the configuration file is changed back to the original default name.

First 1 Step 1: copy the configuration file into RAM, execute the copy startup-config runnig-config, now the configuration file is loaded.

No. 1 Step 2: modify the password.

No. 1 Step 3: save the configuration.

In the switch 2 9 5 0 recovery password, the 2-step method is somewhat different. The start is to hold down the panel on the mode button, plug in the switch power cord, observe the panel, just start the stat indicator light keeps flashing, the system indicator light, etc stat indicator lights burn out, the system indicator light flashes, then release the mode button. The console appears the following message:

The system has been interrupted prior to initializing the flash filesystem. The following commands will initialize the flash filesystem, and finish loading the operating system software:

flash_init

load_helper

boot

Then in Step 3 sequentially enter the flash_init command and the boot command, the other steps the same.

This company's router and the Cisco 3 5 5 0, Cisco 3 7 5 0 switch use the following step to crack the password and modify the password after the work. The present section describes the method, modify the password does not put the original configuration file contents to clear off, especially in a production network is already running in the switch, so compare the insurance.