Saturday, January 23, 2021

Cisco 3750-X Switch Password Recovery

Here's a nice link in performing a password recovery on a Cisco Catalyst 3750-X switch.


Using driver version 3 for media type 2

Base ethernet MAC Address: 78:da:6e:5c:12:34

Xmodem file system is available.

The password-recovery mechanism is enabled.

 

The system has been interrupted prior to initializing the

flash filesystem.  The following commands will initialize

the flash filesystem, and finish loading the operating

system software:

 

    flash_init

    boot

 

 

switch: flash_init   // TYPE flash_init

Initializing Flash...

mifs[2]: 12 files, 1 directories 

mifs[2]: Total bytes     :    2097152

mifs[2]: Bytes used      :     755200

mifs[2]: Bytes available :    1341952

mifs[2]: mifs fsck took 1 seconds.

mifs[3]: 0 files, 1 directories

mifs[3]: Total bytes     :    4194304

mifs[3]: Bytes used      :       1024

mifs[3]: Bytes available :    4193280

mifs[3]: mifs fsck took 2 seconds.

mifs[4]: 5 files, 1 directories

mifs[4]: Total bytes     :     524288

mifs[4]: Bytes used      :      10240

mifs[4]: Bytes available :     514048

mifs[4]: mifs fsck took 1 seconds.

mifs[5]: 5 files, 1 directories

mifs[5]: Total bytes     :     524288

mifs[5]: Bytes used      :      10240

mifs[5]: Bytes available :     514048

mifs[5]: mifs fsck took 0 seconds.

 

switch: dir flash:   // VIEW FLASH MEMORY

Directory of flash:/

2  -rwx  1048 <date> multiple-fs

3  -rwx  41080 <date> config.text.backup

4  -rwx  1636 <date> vlan.dat

5  -rwx  1943 <date> private-config.text.backup

6  -rwx  10897 <date> config.text


switch: rename flash:config.text flash:config.text.old   // RENAME config.text TO BYPASS STARTUP-CONFIG

 

switch: boot   // RELOAD SWITCH

 

Loading "flash:/c3750e-universalk9-mz.122-55.SE5/c3750e-universalk9-mz.122-55.SE5.bin"...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

 

<OUTPUT TRUNCATED>

 

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

File "flash:/c3750e-universalk9-mz.122-55.SE5/c3750e-universalk9-mz.122-55.SE5.bin" uncompressed and installed, entry point: 0x3000

executing...

 

 

              Restricted Rights Legend

 

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

 

           cisco Systems, Inc.

           170 West Tasman Drive

           San Jose, California 95134-1706

 

 

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Thu 09-Feb-12 18:14 by prod_rel_team

Image text-base: 0x00003000, data-base: 0x02800000

 

Initializing flashfs...

Using driver version 1 for media type 2

mifs[3]: 12 files, 1 directories

mifs[3]: Total bytes     : 2097152  

mifs[3]: Bytes used      : 755200   

mifs[3]: Bytes available : 1341952  

mifs[3]: mifs fsck took 0 seconds.

mifs[3]: Initialization complete.

 

mifs[4]: 0 files, 1 directories

mifs[4]: Total bytes     : 4194304  

mifs[4]: Bytes used      : 1024     

mifs[4]: Bytes available : 4193280  

mifs[4]: mifs fsck took 0 seconds.

mifs[4]: Initialization complete.

 

mifs[5]: 5 files, 1 directories

mifs[5]: Total bytes     : 524288   

mifs[5]: Bytes used      : 10240    

mifs[5]: Bytes available : 514048   

mifs[5]: mifs fsck took 0 seconds.

mifs[5]: Initialization complete.

 

mifs[6]: 5 files, 1 directories

mifs[6]: Total bytes     : 524288   

mifs[6]: Bytes used      : 10240    

mifs[6]: Bytes available : 514048   

mifs[6]: mifs fsck took 0 seconds.

mifs[6]: Initialization complete.

 

mifs[7]: 505 files, 11 directories

mifs[7]: Total bytes     : 57671680 

mifs[7]: Bytes used      : 35700736 

mifs[7]: Bytes available : 21970944 

mifs[7]: mifs fsck took 1 seconds.

mifs[7]: Initialization complete.

 

...done Initializing flashfs.

Checking for Bootloader upgrade.. not needed

 

POST: CPU MIC register Tests : Begin

POST: CPU MIC register Tests : End, Status Passed

 

POST: MA BIST : Begin

POST: MA BIST : End, Status Passed

 

POST: TCAM BIST : Begin

POST: TCAM BIST : End, Status Passed

 

POST: SF ASIC BIST : Begin

POST: SF ASIC BIST : End, Status Passed

 

POST: Switch Fabric Memory Tests : Begin

POST: Switch Fabric Memory Tests : End, Status Passed

 

POST: CPU MIC interface Loopback Tests : Begin

POST: CPU MIC interface Loopback Tests : End, Status Passed

 

POST: PortASIC RingLoopback Tests : Begin

POST: PortASIC RingLoopback Tests : End, Status Passed

 

extracting front_end/front_end_ucode_info (309 bytes)

Waiting for Stack Master Election...

POST: Inline Power Controller Tests : Begin

POST: Inline Power Controller Tests : End, Status Passed

 

POST: Thermal, Fan Tests : Begin

POST: Thermal, Fan Tests : End, Status Passed

 

POST: PortASIC Port Loopback Tests : Begin

POST: PortASIC Port Loopback Tests : End, Status Passed

 

POST: EMAC Loopback Tests : Begin

POST: EMAC Loopback Tests : End, Status Passed

 

Election Complete

Switch 2 booting as Master

Waiting for Port download...Complete

 

 

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

 

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

 

If you require further assistance please contact us by sending email to

export@cisco.com.

 

cisco WS-C3750X-48P (PowerPC405) processor (revision M0) with 262144K bytes of memory.

Processor board ID FDO17411234

Last reset from power-on

1 Virtual Ethernet interface

1 FastEthernet interface

52 Gigabit Ethernet interfaces

2 Ten Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

 

512K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address       : 78:DA:6E:5C:12:34

Motherboard assembly number     : 73-12553-10

Motherboard serial number       : FDO17415678

Model revision number           : M0

Motherboard revision number     : B0

Model number                    : WS-C3750X-48P-S

Daughterboard assembly number   : 800-32727-03

Daughterboard serial number     : FDO17414567

System serial number            : FDO1741P23R

Top Assembly Part Number        : 800-31324-08

Top Assembly Revision Number    : C0

Version ID                      : V05

CLEI Code Number                : COMJZ00ABC

Hardware Board Revision Number  : 0x05

 

 

Switch Ports Model              SW Version            SW Image                

------ ----- -----              ----------            ----------              

*    2 54    WS-C3750X-48P      12.2(55)SE5           C3750E-UNIVERSALK9-M    

 

 

Press RETURN to get started!

 

<OUTPUT TRUNCATED>

 

 

         --- System Configuration Dialog ---

 

Enable secret warning

----------------------------------

In order to access the device manager, an enable secret is required

If you enter the initial configuration dialog, you will be prompted for the enable secret

If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret,

please set an enable secret using the following CLI in configuration mode-

enable secret 0 <cleartext password>

----------------------------------

Would you like to enter the initial configuration dialog? [yes/no]: no

Switch>enable

Switch#

*Mar  1 00:01:39.740: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down

*Mar  1 00:01:39.748: %LINK-5-CHANGED: Interface FastEthernet0, changed state to administratively down

 

Switch#rename flash:config.text.old flash:config.text   // REVERT BACK THE ORIGINAL CONFIG NAME

Destination filename [config.text]?

 

Switch#copy flash:config.text system:running-config    // DUMP STARTUP-CONFIG TO RUNNING-CONFIG

Destination filename [running-config]?

 

10897 bytes copied in 3.272 secs (3330 bytes/sec)

MY_SW01#   // NOTICE THE DEFAULT HOSTNAME CHANGED

*Mar  1 00:02:09.360: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan60, changed state to down

*Mar  1 00:02:09.360: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan61, changed state to down

*Mar  1 00:02:09.645: %LINK-5-CHANGED: Interface GigabitEthernet1/0/7, changed state to administratively down

*Mar  1 00:02:09.645: %LINK-5-CHANGED: Interface GigabitEthernet1/0/8, changed state to administratively down

*Mar  1 00:02:09.645: %LINK-5-CHANGED: Interface GigabitEthernet1/0/9, changed state to administratively down

 

<OUTPUT TRUNCATED>

 

 

The password recover (overwrite passwords) doesn't work when AAA is configured. You'll need to re-configure the switch from scratch and skip the AAA config first. Once you can remotely access the switch either via Telnet or SSH, then apply AAA.

 

MY_SW01#configure terminal
% Authorization failed.


 

You can view the start-up config by issuing a more flash:/config.text command.

 

Switch#more flash:/config.text

!

! Last configuration change at 05:49:13 UTC Sat Apr 18 2020 by admin

! NVRAM config last updated at 05:49:28 UTC Sat Apr 18 2020 by admin

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname MY_SW01

 

<OUTPUT TRUNCATED>

 

aaa new-model

!

aaa group server tacacs+ MY_GROUP

 server 10.11.6.4

 

<OUTPUT TRUNCATED>

 

 

Once you've bypassed the startup-config (config.text) can now overwrite the passwords and save the config.

 

Switch(config)#hostname MY_SW01

MY_SW01(config)#enable secret cisco123

MY_SW01(config)#

MY_SW01(config)#username admin privilege 15 secret cisco123

MY_SW01(config)#line con 0

MY_SW01(config-line)# password cisco123

MY_SW01(config-line)#login

MY_SW01(config-line)#line vty 0 4

MY_SW01(config-line)# password cisco123

MY_SW01(config-line)#login

MY_SW01(config-line)#transport input all


No comments:

Post a Comment