Imagine that you have managed to reach a desired device physically and you plug in a Cisco console (or rollover) cable.
Note | Several types of Cisco console ports and appropriate rollover cables are available. To find out about their pinouts, consult http://www.pinouts.ru/data/CiscoConsole.shtml, http://www.pinouts.ru/data/Catalyst5000.shtml, http://www.pinouts.ru/data/cisco_cons.shtml, and http://www.pinouts.ru/data/cisco_700.shtml. A more general Cisco guide to cabling and pinouts is available at http://www.cisco.com/warp/public/701/14.html. |
What comes next? The obvious answer is configuration file modification to provide future remote access. This may include changing the passwords, adding a read-write (RW) Simple Network Management Protocol (SNMP) community, or, in specific cases, modifying access lists to ease up future access to the attacked network.
Here we outline the process of quick local access configuration file modification using the examples of password reset for different Cisco devices. This knowledge is useful every day for any network administrator. Passwords do get lost or forgotten, and you have no doubt encountered such a situation once upon a time. Of course, instead of changing the password, other alterations to the configuration file can be made.
Attack |
First of all, if a password is encrypted with the enable secret command, you can recover it only by cracking the MD5 hash, as described previously in this chapter. This may or may not be successful. In the majority of cases, we are talking about resetting the legitimate password to one selected by an attacker, rather than finding out what the legitimate password is.
Then the procedure of resetting the password would depend on a model of the router. Generally, two methods of Cisco router password resets are available for different router and related device types.
| Method 1 Appliances | | |
|---|---|---|
| Cisco 806 | Cisco 827 | Cisco uBR900 |
| Cisco 1003 | Cisco 1004 | Cisco 1005 |
| Cisco 1400 | Cisco 1600 | Cisco 1700 |
| Cisco 1800 | Cisco 2600 | Cisco 2800 |
| Cisco 3600 | Cisco 3800 | Cisco 4500 |
| Cisco 4700 | Cisco AS5x00 access servers | Cisco 7000 (RSP 7000) |
| Cisco 7100 | Cisco 7200 | Cisco 7500 |
| Cisco uBR7100 | Cisco uBR7200 | Cisco uBR10000 |
| Cisco 12000 | Cisco LS1010 | Catalyst 5500 RSM |
| Catalyst 8510-CSR | Catalyst 8510-MSR | Catalyst 8540-CSR |
| Catalyst 8540-MSR | Cisco MC3810 | Cisco NI-2 |
| Cisco VG200 Analog Gateway | Route Processor Module | |
| Method 2 Appliances | | |
|---|---|---|
| Cisco 2000 | Cisco 2500 | Cisco 3000 |
| Cisco 4000 | Cisco AccessPro | Cisco 7000 (RP, not RSP) |
| Cisco AGS | Cisco IGS | Cisco STS-10x |
We'll start by reviewing the first method, because it applies to a larger number of routers; we'll do it step-by-step.
1. Plug in the console cable. Set your terminal emulation program as follows:
   9600 baud rate
   No parity
   8 data bits
   1 stop bit
   No flow control
   To save critical time, configure these settings in advance, for example, by setting them as default in Minicom.
2. Using the power switch, turn the router off and then on.
3. Send a break signal to the router within 60 seconds of the power-up. This will put the router into the ROM monitor (ROMMON) mode. The break sequence depends on your terminal emulation program. We usually employ Minicom, for which the break sequence is CTRL-A-R. The most commonly used terminal emulation software on Microsoft systems is HyperTerminal (break sequence CTRL-BREAK). You can find out more about the break sequences of various terminal emulators at http://www.cisco.com/warp/public/701/61.html. Now you should see the ROMMON prompt.
4. Type confreg 0x2142 and press ENTER. This will set the router to boot ignoring the configuration stored in NVRAM. Then type reset and press ENTER to reboot. When the router boots, it will display the following:
   --- System Configuration Dialog ---
5. Skip the initial setup procedure by pressing CTRL-C.
6. When the Router> prompt appears, type enable and press ENTER. Copy the NVRAM config file into RAM with copy start run or conf mem. Then enter the configuration mode (conf t).
7. Now you can change the passwords you want to change, for example, the enable password using the enable secret <password> command. Change the configuration register back with the config-register 0x2102 command. Leave the configuration mode (CTRL-Z). Save the changes with copy run start or write mem. Reboot the router.
To save time, all necessary commands can be prestored in a text file so that you can copy and paste instead of typing.
The second method of password resetting for appliances is quite similar to the first method. Steps 1, 2, and 3 are the same. When you arrive at step 4, type o/r 0x2142 and press ENTER to boot the router from Flash without loading the configuration, then type i and press ENTER to reboot. The remaining steps are identical to those of method 1.
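From the defender's side, the traces method 1 leaves on an IOS router (or an IOS-based Catalyst that uses the same procedure) can be checked for after the fact. The following is an added example, not code from the book: a small audit script that runs over show version output and syslog lines and flags a configuration register with the ignore-NVRAM bit (0x0040, the bit that turns 0x2102 into 0x2142) set either now or for the next reload, a restart caused by a power cycle, and a configuration change made over the console port. The sample output and log lines are constructed; the message formats are the standard IOS ones.

```python
import re

# Constructed sample output, not captured from a real device: a 'show version' excerpt from
# a router that was power-cycled, booted with confreg 0x2142 and had config-register 0x2102
# set back but not yet reloaded, plus the syslog lines such a console session leaves behind.
SAMPLE_SHOW_VERSION = """Router uptime is 7 minutes
System returned to ROM by power-on
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""
SAMPLE_SYSLOG = [
    "Mar  1 00:00:05: %SYS-5-RESTART: System restarted --",
    "Mar  1 00:03:40: %SYS-5-CONFIG_I: Configured from console by console",
]

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?"
)
IGNORE_NVRAM_BIT = 0x0040  # bit 6 of the register; 0x2142 = 0x2102 with this bit set


def audit_show_version(text):
    """Return findings from 'show version' text that point at an NVRAM-bypass boot."""
    findings = []
    m = CONFREG_RE.search(text)
    if m:
        # Check both the register in effect and the one queued for the next reload.
        for label, value in (("current", m.group(1)), ("pending", m.group(2))):
            if value and int(value, 16) & IGNORE_NVRAM_BIT:
                findings.append(f"{label} config register {value} ignores NVRAM")
    if "returned to ROM by power-on" in text:
        findings.append("last restart was a power cycle, not an orderly reload")
    return findings


def audit_syslog(lines):
    """Flag configuration changes made over the console port, noting a preceding restart."""
    findings, restarted = [], False
    for line in lines:
        if "%SYS-5-RESTART" in line:
            restarted = True
        elif "%SYS-5-CONFIG_I" in line and "from console by console" in line:
            prefix = "after restart, " if restarted else ""
            findings.append(prefix + "config changed from the console port: " + line)
    return findings


if __name__ == "__main__":
    for finding in audit_show_version(SAMPLE_SHOW_VERSION) + audit_syslog(SAMPLE_SYSLOG):
        print("FINDING:", finding)
```

Once the attacker has rebooted with 0x2102 restored, only the short uptime, the restart reason and the console-originated CONFIG_I message remain, so the syslog check matters more than the register check when the logs are shipped off the box.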
Attack |
For the CatOS Catalyst switches 1200, 1400, 2901, 2902, 2926T/F, 2926GS/L, 2948G, 2980G, 4000, 5000, 5500, 6000, and 6500, follow this procedure:
1. Plug in the console cable. Set your terminal emulation program as follows:
   9600 baud rate
   No parity
   8 data bits
   1 stop bit
   No flow control
   All of this must be done within 30 seconds! To save critical time, configure these settings ahead of time, for example, by setting them as default in Minicom.
2. Turn the switch off and then on.
3. You will be presented with the first password prompt and have only 30 seconds to act. Quickly press ENTER to send a null character.
4. Type enable and press ENTER to send a null character when asked for a password.
5. Change the passwords via the set enablepass and set password commands. Press ENTER when asked for the old password.
For older Catalyst 1900 and 2820 models that you may still encounter, plug in the console cable, power-cycle the switch, and you'll receive the Do you wish to clear the passwords? [Y]es or [N]o: prompt. You have 10 seconds to indicate Yes. On these switches, you can also view the existing password without a change:
1. Disconnect the power cable.
2. Press and hold down the LED Mode button.
3. Reconnect the power cable, continuing to hold down the button.
4. Release the LED Mode button 1 or 2 seconds after the LED above Port 1x goes off.
5. Press ENTER, press S, and then press V. The password will be shown.
6. Press X and then C to continue with a normal switch startup.
It is easy to reset the password on another older Catalyst model, Catalyst 1800:
1. Find two small black buttons placed side by side on the red holding device inside the left cover of the switch. The button closest to the front of the switch is the NMI button.
2. Plug in the console cable, launch terminal emulation software, and reboot the switch.
3. When asked for a login password, press the NMI button five times. The switch will reload and its management password will be reset to the default value, which is public.
Catalysts 3000, 3100, and 3200 are also easy in terms of password reset:
1. Plug in the console cable and launch terminal emulation software.
2. Press the SysReq button on the switch (this button is next to the Reset button).
3. Use the arrow keys to select Clean NVRAM. Unfortunately, all switch configuration will be lost.
4. Press ENTER to reboot and enjoy a passwordless login to the clean system.
Password changes on 2900/3500XL, 2940, 2950/2955, and 3550 Catalyst switches are more complex and interesting:
1. Plug in the console cable. Set your terminal emulation program as follows:
   Bits per second (baud): 9600
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: Xon/Xoff
   Apply flow control.
2. Unplug the power cord.
3. Hold down the Mode button on the left side of the front panel of the switch when plugging in the power cable.
4. The moment of Mode button release depends on the switch model:
   For 2900/3500XL and 3550 series Catalysts, release the Mode button after the LED above Port 1x goes out.
   For 2940 and 2950 series Catalysts, release the Mode button after the STAT LED goes out.
   Catalyst 2955 switches do not use an external Mode button for password recovery. Send the break sequence to the switch within 15 seconds after reboot instead. (We described the break sequences earlier in the chapter.)
5. Initialize Flash with the flash_init command.
6. Follow it with the load_helper command.
7. Type in dir flash: to view the file system and see what the configuration file is called.
8. Rename the configuration file; here's an example: rename flash:config.text flash:config.bak.
9. Issue the boot command to reboot the switch.
10. When the Continue with configuration dialog? [yes/no]: string is displayed, answer No.
11. Enter the enable command at the switch prompt. Rename the configuration file back to its original name using the rename flash:config.bak flash:config.text command.
12. Copy the initial configuration back to RAM: copy flash:config.text system:running-config. Now you have a normal switch configuration and the enable prompt. You can easily modify the config, for example:
    Switch#conf t
    Switch(config)#no enable secret
    Switch(config)#enable secret youareowned
13. Issue the write mem command to save the modified configuration file.
Finally, some IOS-running Catalysts follow the password reset procedure described as method 1 for routers. Such switches are the 2948G-L3, 4840G, 4908G-L3, and the Route Switch Module on the 5500 series. Catalyst 6000/6500 switches are a specific case. When these switches are turned on, the switch processor (SP) boots up first. After 25 to 60 seconds, the SP hands console ownership over to the route processor (RP). The RP then goes on to load the software image. It is essential that the break signal is sent to the switch just after the SP transfers control of the console to the RP. If you type in the break sequence too early, you will get into the SP ROMMON, which is not what you need. Use the break sequence only after you see this message on the console:
00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor
Then follow router method 1 for password reset and reconfiguration.
Attack |
Two general types of PIX firewalls are encountered: those with a floppy drive and those without one. The procedure for changing passwords on a PIX is strictly dependent on the presence of a floppy drive. It is somewhat easier to modify a password on a PIX with a floppy drive, since this doesn't require that you have a Trivial File Transfer Protocol (TFTP) server accessible to the PIX at hand.
First of all, an attacker needs to create a PIX Password Lockout Utility disk. The disk is specific to the PIX OS version; thus, a cracker can try to fingerprint the version of PIX OS remotely and select a PIX Password Lockout Utility on the basis of the fingerprinting results, which may or may not reflect reality.
A cracker can have a collection of PIX Password Lockout Utility disks for all PIX OS versions in his pocket.
To create the disk(s), go to http://www.cisco.com/warp/public/110/34.shtml, pick up the needed binary file, and run rawrite.exe:
1. On your machine, type in rawrite.exe and supply it with the name of the selected binary PIX Password Lockout Utility file.
2. When you have gained physical access to the PIX, plugged in the console cable, and can see the password prompt, insert the floppy and press the Reset button to reboot the firewall.
3. After the boot, eject the disk when the PIX asks you to and press the Reset button again.
4. Now you can log in without a password: simply press ENTER when you are asked for the password. There is no enable password and the Telnet password is cisco. The firewall is yours.
The newer PIX firewall models come without floppy drives. You will need to get the password recovery binary onto the PIX via TFTP. It is entirely possible to open tftpd and store the file on the laptop that is also used for the terminal connection, provided that the laptop's Ethernet cable can be plugged into a switch nearby and the laptop will be accessible from the PIX. Alternatively, a cracker can put the binary file onto a legitimate internal corporate TFTP server or bring up tftpd on a hacked host on the same or a neighboring (one-hop) network from the PIX. After the TFTP server problem is sorted out, you can go for the password reset:
1. Plug in the console cable and launch the terminal emulator of your choice. Make sure that it works and you see the password prompt.
2. Power-cycle the PIX and send the usual break signal. You should see a monitor> prompt. Set up all necessary networking parameters on the PIX:
   The interface command sets the PIX interface to be used. On a two-port PIX, such as the PIX 501, the default is inside.
   The address command sets the IP address of this interface.
   The server command sets the IP address of the TFTP server.
   The file command sets the name of the binary password recovery file to download.
   The gateway command sets a default gateway to reach a TFTP server on a different network segment.
   You can use ping to check whether the server is reachable.
3. Initiate the download using the tftp command. As the binary loads, the PIX will ask whether you want to erase the passwords. You know the answer. The result is going to be the same as with the PIX password reset using a floppy: no enable password and Telnet login password cisco.
Attack |
If you have managed to gain physical access to a VPN concentrator, you must be a damn good social engineer or an internal attacker. Cisco VPN concentrators come in two series: 3000 and 5000. Password reset on these devices is easy:
1. Plug in the RS-232 serial cable between the concentrator's console port and a COM port on your laptop. Launch the terminal emulation software of choice with the following settings:
   9600 bits per second
   8 data bits
   No parity
   1 stop bit
   Hardware flow control
2. During the booting process, send a break signal when a line of three dots appears on the console (you have 3 seconds to complete the break sequence!) after the diagnostics check is done. This opens a small menu, offering to reset the concentrator passwords. Press 1.
Changing a password on Cisco 5000 VPN concentrators isn't difficult, either:
3. Power off the concentrator and turn the rotary dial switch at the back of the box to position 9. Turn on the concentrator.
4. After it has booted, log in using the factory default password letmein. This must be done within 5 seconds after the booting sequence is completed. Now you can change the system passwords with the following commands:
   configure General
   Password = [ string ]
   EnablePassword = [ string ]
5. Save your changes and let the concentrator reboot. Then power it off and turn the dial to position 0 to end the procedure.
Tip | You can find a lot of useful information on password recovery for various Cisco appliances at http://www.cisco.com/warp/public/474/. |
Countermeasure | No technical countermeasures against such attacks are available. You can prevent the break signal from dropping an attacker into ROMMON on a Cisco router using the no service password-recovery command. However, this command is risky. You can still gain local access to the router when no service password-recovery is enabled by sending a break signal within 5 seconds after the image decompresses during the boot, but the startup configuration file in NVRAM will be lost and the router will boot to factory default settings. Thus, if the password is forgotten, the working router configuration will go with it. If someone manages to steal the device, he or she can physically remove the NVRAM chip and read it by plugging it into a specialized hardware device. |
Tip | You can find more about the no service password-recovery command at http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00802a1e76.html#wp1027258. The best defense against wily invaders with laptops and console cables is not to let them anywhere near your precious equipment. This brings us back to the defenses against social engineering and basic physical countermeasures such as locking your racks and server room doors well and, perhaps, using closed-circuit TV (CCTV) to monitor them. |