Resetting passwords without a visit
By Richard Bannister
The problem:
Imagine one of these scenarios:
1) You need to update the configuration of a remote device and have a backup of the router/switch configuration in front of you; you can see the encrypted enable secret before your very eyes, yet you don’t know what it is!
2) You are certain the password you are using is correct, yet it simply isn’t working!
3) You have remotely removed the enable secret password! (telnet = ‘Password required, but none set’)
You’re locked out of the router/switch! This means a visit and the password recovery procedure… or does it?
What you need:
YOU EITHER
need to know the SNMP settings of the device in question (or somebody else can tell you what they are), have an RW (read/write) community string, and know of any filtering policy (SNMP ACL) on the router/switch,
OR
have a copy of the configuration in front of you and can see an SNMP RW community string:
Command format:
snmp-server community ‘community’ rw
Example 1:
snmp-server community private rw
Example 2:
snmp-server community private rw 10
access-list 10 permit 192.168.20.2
The Fix:
EXAMPLE 1
This first example demonstrates how you can reset the enable secret password using SNMP in the following scenarios:
1) No SNMP ACL is applied to the SNMP read/write community string
2) You are able to send from a node with an IP address permitted by the SNMP ACL
Step 1
Download Net-SNMP and install using the default values (files should be copied to ‘c:\usr’). All URLs can be found at the end of this article under the URLs section.
Step 2
If required, download and install a local TFTP server. There
are many TFTP servers available, I use 3cDaemon.
Step 3
Launch Notepad, enter the configuration line(s) you would like to send to the router, and save the file within your TFTP directory as ‘config.txt’.
We need to reset the enable secret password, so our file would look something like this:
(screenshot not reproduced: the file holds a single ‘enable secret’ line setting the new password, ‘newpass’ in this example)
Step 4
Browse to the Net-SNMP bin directory using cmd.exe:
‘Start’ -> ‘Run’ -> ‘cmd’ -> ‘OK’
> c:
> cd c:\usr\bin
!=== Browse to the Net-SNMP executables, which include a file named snmpset.exe
!=== Verify all required files are present (‘dir’)
Step 5
We now need to use the ‘snmpset.exe’ program to send an SNMP packet requesting that the router merge the contents of ‘config.txt’ into its running configuration.
We need to specify an SNMP OID, which is the key piece of information for this task, a community string, a filename, and a TFTP server address. The command takes the following format (the TFTP server address is appended to the OID, one octet per sub-identifier):
snmpset -v 2c -c ‘communitystring’ ‘hostname/ip’ .1.3.6.1.4.1.9.2.1.53.tftpipoct1.tftpipoct2.tftpipoct3.tftpipoct4 s ‘filename’
Our example network could look something like this (network diagram not reproduced; the router is 192.168.10.1 and the TFTP server is 192.168.20.2):
So our command would be:
> snmpset -v 2c -c private 192.168.10.1 .1.3.6.1.4.1.9.2.1.53.192.168.20.2 s config.txt
Let’s break that down:
‘-v 2c’ = SNMP Version 2c
‘-c private’ = SNMP community string is ‘private’
‘192.168.10.1’ = Destination IP address of SNMP packet (Router)
‘.1.3.6.1.4.1.9.2.1.53’ = OID
‘.192.168.20.2’ = Extension to OID. TFTP server IP address.
‘s’ = OID variable type. s = string.
‘config.txt’ = OID variable value. Filename to download from
the TFTP server.
If you have been successful the following should be displayed in
your command window:
SNMPv2-SMI::enterprises.9.2.1.53.192.168.20.2 = STRING: "config.txt"
You may also see a log entry on your TFTP server. 3cDaemon
displays:
‘Aug 10, 2007 16:02:54 Session 1, Peer 192.168.10.1 Send of
config.txt done. 32 bytes in 0 secs.(0 KB/sec)’
And that’s it: you should now have access to the router again using the password held in config.txt (in this example ‘newpass’).
The configuration is merged into the running-config of the device, so if required issue the ‘copy run start’ command to write the change to the startup-config.
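The request that snmpset builds can also be recognised from the receiving side. As an added example that is not part of the article, the following Python decodes an SNMPv1/v2c message and flags a SetRequest to the OID above, returning the community string, the TFTP server encoded in the OID suffix and the filename; the sample packets are constructed inline (one SetRequest mirroring the command above, and the same varbind as a GetRequest), and the decoder assumes short-form BER lengths, which is all such requests need.

```python
# Added example (not the article's code): flag SNMP SetRequests to the Cisco OID
# 1.3.6.1.4.1.9.2.1.53.<tftp-ip>, which makes IOS merge that TFTP file into the
# running config. The sample packets below are constructed, not captured.
CONFIG_MERGE_OID = (1, 3, 6, 1, 4, 1, 9, 2, 1, 53)  # followed by four arcs: the TFTP IPv4

def tlv(data, pos=0):                # one BER element -> (tag, contents, next_pos)
    ln = data[pos + 1]               # short-form length (< 128) only; enough for snmpset
    return data[pos], data[pos + 2:pos + 2 + ln], pos + 2 + ln

def seq(raw):                        # SEQUENCE contents -> list of (tag, contents)
    out, pos = [], 0
    while pos < len(raw):
        tag, val, pos = tlv(raw, pos)
        out.append((tag, val))
    return out

def oid(raw):                        # OID contents -> tuple of arcs (base-128 after byte 0)
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return tuple(arcs)

def find_config_merge(packet):
    """Return (community, tftp_ip, filename) for a config-merge SetRequest, else None."""
    tag, body, _ = tlv(packet)
    if tag != 0x30:                  # an SNMP message is an outer SEQUENCE
        return None
    _version, (_, community), (pdu_tag, pdu) = seq(body)
    if pdu_tag != 0xA3:              # 0xA3 = SetRequest-PDU (GetRequest is 0xA0)
        return None
    _rid, _status, _index, (_, varbinds) = seq(pdu)
    for _, vb in seq(varbinds):
        (_, oid_raw), (val_tag, val) = seq(vb)
        arcs = oid(oid_raw)
        if arcs[:10] == CONFIG_MERGE_OID and len(arcs) == 14 and val_tag == 0x04:
            return community.decode(), ".".join(map(str, arcs[10:])), val.decode()
    return None

def enc(tag, content):               # BER element with a short-form length
    return bytes([tag, len(content)]) + content
# Constructed SNMPv2c SetRequest matching the article's command; 192 and 168 are
# two-byte base-128 arcs in the encoded OID 1.3.6.1.4.1.9.2.1.53.192.168.20.2.
OID_BYTES = b"\x2b\x06\x01\x04\x01\x09\x02\x01\x35\x81\x40\x81\x28\x14\x02"
SAMPLE_SET = enc(0x30, enc(0x02, b"\x01") + enc(0x04, b"private") + enc(0xA3,
    enc(0x02, b"\x2A") + enc(0x02, b"\x00") + enc(0x02, b"\x00")
    + enc(0x30, enc(0x30, enc(0x06, OID_BYTES) + enc(0x04, b"config.txt")))))
SAMPLE_GET = SAMPLE_SET.replace(b"\xA3", b"\xA0", 1)   # same varbind as a GetRequest
```

Run over SNMP traffic captured in front of the router, this lists every configuration merge requested of the device, whatever source address the packet carries.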
EXAMPLE 2
This second example demonstrates how you can reset the enable secret password using SNMP in the following scenario:
1) An SNMP ACL is configured and you can’t send the request from a node with an IP address permitted by the ACL (in our example, anything other than 192.168.20.2).
Going back to our network layout, we are now at node 192.168.30.2 (network diagram not reproduced).
In order for this workaround to be successful, no anti-spoofing ACLs can exist along the path between the sending node and the router/switch.
Firstly, here is the message you would see if we tried to send the same packet from 192.168.30.2. Remember, 192.168.30.2 is not in ACL 10:
Timeout: No Response from 192.168.10.1
Steps 1 to 4
Follow the steps of Example 1.
Step 5
Download and install Wireshark (including WinPcap), selecting all default values.
Step 6
Launch Wireshark and select ‘Capture’ from the top toolbar, then select ‘Options’. Select the correct network adapter from the ‘Interface’ drop-down selector and then configure all other settings to match the image below:
(screenshot of the capture options not reproduced)
Click ‘Start’
Step 7
Do step 5 of Example 1, remembering to replace the IP address at the end of the OID with your current IP (or the IP of a TFTP server the router has access to):
> snmpset -v 2c -c private 192.168.10.1 .1.3.6.1.4.1.9.2.1.53.192.168.30.2 s config.txt
Step 8
Bring Wireshark back into view and stop the capture (‘Capture’ -> ‘Stop’). Right click the first SNMP set-request entry you can see and select ‘Mark’:
1 0.000000 192.168.30.2 192.168.10.1 SNMP set-request
We now need to save the marked packet into its own .pcap file. You can do this by selecting ‘File’ -> ‘Save As’ and then saving the packet as shown in the image below:
(screenshot of the Save As dialog not reproduced)
The file name has been set as ‘snmpset’ and within the ‘Packet Range’ option ‘Marked packets’ has been selected. Save the file into a temporary location that you can go back to.
Step 9
Now we need to rewrite the source IP address within the packet you have just saved and send it to the router. To do this we need to download and extract a program called Bit-Twist. Bit-Twist is a package made up of two executables: one rewrites packets and the other “injects” packets onto the wire.
Extract the Bit-Twist zip file into ‘c:\usr\bittwist\’
Cut and paste the ‘snmpset.pcap’ file into the bin directory (c:\usr\bittwist\bin).
Step 10
To rewrite the source IP address of the snmpset packet:
‘Start’ -> ‘Run’ -> ‘cmd’ -> ‘OK’
> c:
> cd c:\usr\bittwist\bin
!=== Browse to the Bit-Twist executables directory, which contains files named bittwist.exe and bittwiste.exe
!=== Verify all required files are present
> bittwiste -I snmpset.pcap -O snmpset2.pcap -T ip -s 192.168.20.2
!=== Rewrite the snmpset.pcap packet
Let’s break that down:
‘-I snmpset.pcap’ = Input file is snmpset.pcap
‘-O snmpset2.pcap’ = Output file is snmpset2.pcap
‘-T ip’ = Header to edit is the IP header
‘-s 192.168.20.2’ = Change source address to 192.168.20.2
After hitting enter you should now see the following message:
(bittwiste output screenshot not reproduced)
Leave your command window open.
Open snmpset2.pcap and verify that the first (and only) line is modified and correct:
1 0.000000 192.168.20.2 192.168.10.1 SNMP set-request
Bring your command window back on top.
Step 11
The final step is to actually place the new packet we have created ‘on the wire’. We can achieve this using the bittwist.exe application. Bittwist.exe will by default send the specified packet out of the first available network adapter – this obviously isn’t always correct, so we normally need to specify one. We can use bittwist.exe to list available network adapters; the command is ‘bittwist.exe -d’:
(adapter list screenshot not reproduced)
My main wired connection is number 2 in the list so I would need to copy the device name starting at \Dev… and ending at …3B6E}
Now we send the packet using the ‘-i’ switch to specify the network adapter, followed by the packet we wish to send (in our case the rewritten file snmpset2.pcap):
> bittwist -i \Device\NPF_{C4BFCA34-DB0F-4F5A-A7D4-C6158E833B6E} snmpset2.pcap
We then see:
(bittwist output screenshot not reproduced)
If everything has gone to plan you should now have access to the
router/switch.
URLs
Net-SNMP: http://net-snmp.sourceforge.net/download.html
3cDaemon: http://support.3com.com/software/utilities_for_windows_32_bit.htm
Wireshark: http://www.wireshark.org/download.html
Bit-Twist: http://prdownloads.sourceforge.net/bittwist/bittwist-win-0.80.zip?download
Cisco OID description: http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.2.1.53&submitValue=SUBMIT
Hints/Tips
If the snmpset command doesn’t work, try SNMP version 1 or 2, e.g. ‘-v 1’ instead of ‘-v 2c’.
If you want to be really boring, a tool with a GUI exists for an Example 1 scenario; it can be found at http://billythekids.demirdesign.com/CiscoSnmpTool-v1.4.zip