Cisco c3550 Password Recovery from SPARC Solaris
Abstract:
Sometimes, old lab equipment may sit around, operating well for years without interruption. In some cases, the password for older network lab equipment may have had it's authentication passwords lost. Network equipment is often in the same rack as a remote server. A Solaris Server can be easily used to gain console on various serial based network equipment to perform password recovery.
SPARC Server:
Physical serial ports on SPARC Solaris servers are often defined as tty's, vs pts's (Pseudo Terminals.)Log into a server via a pts or pseudo terminal:
Last login: Tue Feb 20 14:44:39 2018 from sun1593.daytonoExample of physical terminal ports available on servers with a hardware serial port:
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
INTR=Ctrl-C ERASE=Ctrl-H KILL=Ctrl-U
/dev/pts/1
sun9999/user$
sun9999/user$ ls -al /dev/tty* | head -4The ttya port is used for console access, while ttyb can be used with a Cisco console cable. The default speed for older equipment is 9600 baud.
lrwxrwxrwx 1 root other 26 Mar 12 2016 /dev/tty -> ../devices/pseudo/sy@0:tty
lrwxrwxrwx 1 root root 6 Mar 12 2016 /dev/ttya -> term/a
lrwxrwxrwx 1 root root 6 Mar 12 2016 /dev/ttyb -> term/b
lrwxrwxrwx 1 root root 30 Mar 12 2016 /dev/ttyp0 -> ../devices/pseudo/ptsl@0:ttyp0
sun9999/user$ tip -9600 /dev/ttyb
connected
Process for password recovery or just normal console usage can begin.
Cisco Console Equipment:
Depending on the configuration, a single carriage return may result in a read-only prompt or an authentication sequence.Switch>
A normal power cycle of the switch may look like the following on the console.
Switch> Base ethernet MAC Address: 00:11:93:a1:70:80
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...flashfs[0]: 87 files, 4 directoriesflashfs[0]: 0 orphaned files, 0 orphaned directoriesflashfs[0]: Total bytes: 15998976flashfs[0]: Bytes used: 6642176flashfs[0]: Bytes available: 9356800flashfs[0]: flashfs fsck took 16 seconds....done Initializing Flash.Boot Sector Filesystem (bs:) installed, fsid: 3Loading "flash:c3550-i9q3l2-mz.121-20.EA1a/c3550-i9q3l2-mz.121-20.EA1a.bin"...###########################################################################################################################################################################################################################################################################################################################################################################################################File "flash:c3550-i9q3l2-mz.121-20.EA1a/c3550-i9q3l2-mz.121-20.EA1a.bin" uncompressed and installed, entry point: 0x3000executing...Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.cisco Systems, Inc.170 West Tasman DriveSan Jose, California 95134-1706Cisco Internetwork Operating System SoftwareIOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)Copyright (c) 1986-2004 by cisco Systems, Inc.Compiled Mon 19-Apr-04 21:42 by yenanhImage text-base: 0x00003000, data-base: 0x006B3454Initializing flashfs...flashfs[1]: 87 files, 4 directoriesflashfs[1]: 0 orphaned files, 0 orphaned directoriesflashfs[1]: Total bytes: 15998976flashfs[1]: Bytes used: 6642176flashfs[1]: Bytes available: 9356800flashfs[1]: flashfs fsck took 8 seconds.flashfs[1]: Initialization complete....done Initializing flashfs.POST: CPU Buffer Tests : BeginPOST: CPU Buffer Tests : End, Status PassedPOST: CPU Interface Tests : BeginPOST: CPU Interface Tests : End, Status PassedPOST: Switch Core Tests : BeginPOST: Switch Core Tests : End, Status PassedPOST: CPU Interface 2nd Stage Tests : BeginPOST: CPU Interface 2nd Stage Tests : End, Status PassedPOST: CAM Subsystem Tests : BeginPOST: CAM Subsystem Tests : End, Status PassedPOST: Ethernet Controller Tests : BeginPOST: Ethernet Controller Tests : End, Status PassedPOST: ILP Controller Tests : BeginPOST: ILP Controller Tests : End, Status PassedPOST: Loopback Tests : BeginPOST: Loopback Tests : End, Status Passedcisco WS-C3550-24-PWR (PowerPC) processor (revision H0) with 65526K/8192K bytes of memory.Processor board ID CAT0829Z301Last reset from warm-resetRunning Layer2/3 Switching ImageEthernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfacesEthernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfacesEthernet-controller 3 has 1 Gigabit Ethernet/IEEE 802.3 interfaceEthernet-controller 4 has 1 Gigabit Ethernet/IEEE 802.3 interface24 FastEthernet/IEEE 802.3 interface(s)2 Gigabit Ethernet/IEEE 802.3 interface(s)The password-recovery mechanism is enabled.384K bytes of flash-simulated non-volatile configuration memory.Base ethernet MAC Address: 00:11:93:A1:70:80Motherboard assembly number: 73-8100-08Power supply part number: 341-0029-03Motherboard serial number: CAT08290FL9Power supply serial number: DTH082326P8Model revision number: H0Motherboard revision number: A0Model number: WS-C3550-24PWR-SMISystem serial number: CAT0829Z301Press RETURN to get started!00:00:33: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan00:00:35: %SYS-5-CONFIG_I: Configured from memory by console00:00:36: %SYS-5-RESTART: System restarted --Cisco Internetwork Operating System SoftwareIOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)Copyright (c) 1986-2004 by cisco Systems, Inc.Compiled Mon 19-Apr-04 21:42 by yenanh00:00:36: %SNMP-5-COLDSTART: SNMP agent on host Switch is undergoing a cold start00:00:37: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down00:00:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to downSwitch>
A single carriage return would bring a prompt or authentication sequence.
Cisco Switch Password Recovery
On the 3550 model switch, there is a button on the front console, which can be depressed during the power down to power up transition, which will bring the switch into ROM mode.Note: The "System" light may flash 22 times, and cease flashing. Release the "mode" switch.
Base ethernet MAC Address: 00:11:93:a1:70:80
Xmodem file system is available.
The password-recovery mechanism is enabled.
The system has been interrupted prior to initializing theflash filesystem. The following commands will initializethe flash filesystem, and finish loading the operatingsystem software:flash_initbootswitch:
After the mode switch is released, the "System" light may continue to blink. Perform a "flash_init"
Note: This may take about 12 seconds.
switch: flash_init
Initializing Flash...
flashfs[0]: 87 files, 4 directories
flashfs[0]: 0 orphaned files, 0 orphaned directoriesflashfs[0]: Total bytes: 15998976flashfs[0]: Bytes used: 6642176flashfs[0]: Bytes available: 9356800flashfs[0]: flashfs fsck took 16 seconds....done Initializing Flash.Boot Sector Filesystem (bs:) installed, fsid: 3switch:
Perform "load_helper", rename the configuration file holding the password.
Note: When the switch reboots, the file will be regenerated.
switch: dir flash:/
Directory of flash://
2 -rwx 0 env_vars3 -rwx 348 system_env_vars4 -rwx 5 private-config.text6 -rwx 616 vlan.dat8 drwx 192 c3550-i9q3l2-mz.121-20.EA1a7 -rwx 3940 config.text9356800 bytes available (6642176 bytes used)switch: rename flash:config.text flash:config.oldswitch: dir flash:/Directory of flash://2 -rwx 0 env_vars3 -rwx 348 system_env_vars4 -rwx 5 private-config.text6 -rwx 616 vlan.dat8 drwx 192 c3550-i9q3l2-mz.121-20.EA1a7 -rwx 3940 config.old9356800 bytes available (6642176 bytes used)switch:
Now, "boot" switch and "[control][c]" to gain user mode, if initial configuration is not needed.
switch: bootNote: the switch is now in unprivileged "user" mode.
Loading "flash:c3550-i9q3l2-mz.121-20.EA1a/c3550-i9q3l2-mz.121-20.EA1a.bin"...###########################################################################################################################################################################################################################################################################################################################################################################################################
File "flash:c3550-i9q3l2-mz.121-20.EA1a/c3550-i9q3l2-mz.121-20.EA1a.bin" uncompressed and installed, entry point: 0x3000
executing...
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 19-Apr-04 21:42 by yenanh
Image text-base: 0x00003000, data-base: 0x006B3454
Initializing flashfs...
flashfs[1]: 87 files, 4 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 15998976
flashfs[1]: Bytes used: 6642176
flashfs[1]: Bytes available: 9356800
flashfs[1]: flashfs fsck took 8 seconds.
flashfs[1]: Initialization complete.
...done Initializing flashfs.
POST: CPU Buffer Tests : Begin
POST: CPU Buffer Tests : End, Status Passed
POST: CPU Interface Tests : Begin
POST: CPU Interface Tests : End, Status Passed
POST: Switch Core Tests : Begin
POST: Switch Core Tests : End, Status Passed
POST: CPU Interface 2nd Stage Tests : Begin
POST: CPU Interface 2nd Stage Tests : End, Status Passed
POST: CAM Subsystem Tests : Begin
POST: CAM Subsystem Tests : End, Status Passed
POST: Ethernet Controller Tests : Begin
POST: Ethernet Controller Tests : End, Status Passed
POST: ILP Controller Tests : Begin
POST: ILP Controller Tests : End, Status Passed
POST: Loopback Tests : Begin
POST: Loopback Tests : End, Status Passed
cisco WS-C3550-24-PWR (PowerPC) processor (revision H0) with 65526K/8192K bytes of memory.
Processor board ID CAT0829Z301
Last reset from warm-reset
Running Layer2/3 Switching Image
Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 3 has 1 Gigabit Ethernet/IEEE 802.3 interface
Ethernet-controller 4 has 1 Gigabit Ethernet/IEEE 802.3 interface
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
The password-recovery mechanism is enabled.
384K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:11:93:A1:70:80
Motherboard assembly number: 73-8100-08
Power supply part number: 341-0029-03
Motherboard serial number: CAT08290FL9
Power supply serial number: DTH082326P8
Model revision number: H0
Motherboard revision number: A0
Model number: WS-C3550-24PWR-SMI
System serial number: CAT0829Z301
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:
00:00:33: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:37: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 19-Apr-04 21:42 by yenanh
00:00:37: %SNMP-5-COLDSTART: SNMP agent on host Switch is undergoing a cold start
Press RETURN to get started!
00:01:29: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
00:01:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Switch>
Configuration work can be done from the "enable" privileged mode.
Switch> enableSwitch# show running-configBuilding configuration...Current configuration : 1995 bytes!version 12.1no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname Switch!!ip subnet-zero!!spanning-tree mode pvstspanning-tree extend system-id!!!!interface FastEthernet0/1switchport mode dynamic desirable!interface FastEthernet0/2switchport mode dynamic desirable!interface FastEthernet0/3switchport mode dynamic desirable!interface FastEthernet0/4switchport mode dynamic desirable!interface FastEthernet0/5switchport mode dynamic desirable!interface FastEthernet0/6switchport mode dynamic desirable!interface FastEthernet0/7switchport mode dynamic desirable!interface FastEthernet0/8switchport mode dynamic desirable!interface FastEthernet0/9switchport mode dynamic desirable!interface FastEthernet0/10switchport mode dynamic desirable!interface FastEthernet0/11switchport mode dynamic desirable!interface FastEthernet0/12switchport mode dynamic desirable!interface FastEthernet0/13switchport mode dynamic desirable!interface FastEthernet0/14switchport mode dynamic desirable!interface FastEthernet0/15switchport mode dynamic desirable!interface FastEthernet0/16switchport mode dynamic desirable!interface FastEthernet0/17switchport mode dynamic desirable!interface FastEthernet0/18switchport mode dynamic desirable!interface FastEthernet0/19switchport mode dynamic desirable!interface FastEthernet0/20switchport mode dynamic desirable!interface FastEthernet0/21switchport mode dynamic desirable!interface FastEthernet0/22switchport mode dynamic desirable!interface FastEthernet0/23switchport mode dynamic desirable!interface FastEthernet0/24switchport mode dynamic desirable!interface GigabitEthernet0/1switchport mode dynamic desirable!interface GigabitEthernet0/2switchport mode dynamic desirable!interface Vlan1no ip addressshutdown!ip classlessip http server!!line con 0line vty 5 15!!endSwitch#
The switch is ready to be configured.
A Simple Configuration
Name switch "C3550", encrypt "cisco" password in MD5, and save running configuration.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# hostname C3550
C3550(config)# enable secret cisco
C3550# copy running-config startup-configDestination filename [startup-config]?Building configuration...[OK]C3550(config)# exit
Note: the simple "cisco" password above should not be used, choose a stronger password.
The saved password can be tested via a restart of the switch.
Show Saved Startup Configuration
The running and startup configuration should be the same. Show the startup configuration.C3550# show startup-config
Using 2041 out of 393216 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname C3550
!
enable secret 5 $1$nOpq$3Hg6AloyI74Vq0HV0uwTq0
!
ip subnet-zero
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport mode dynamic desirable
!
interface FastEthernet0/2
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
switchport mode dynamic desirable
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport mode dynamic desirable
!
interface FastEthernet0/18
switchport mode dynamic desirable
!
interface FastEthernet0/19
switchport mode dynamic desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
!
!
line con 0
line vty 5 15
!
!
end
C3550#
Note: the added configuration lines above are easily identified.
Test Startup Configuration through Switch Reload
Reboot switch with "reload" to test simple configuration and privileged "enable" password.C3550# reloadNote: There is no remote access at this point and all interfaces are defaulted to VLAN1
Proceed with reload? [confirm]
01:02:58: %SYS-5-RELOAD: Reload requested
Base ethernet MAC Address: 00:11:93:a1:70:80
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
flashfs[0]: 88 files, 4 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 15998976
flashfs[0]: Bytes used: 6644224
flashfs[0]: Bytes available: 9354752
flashfs[0]: flashfs fsck took 16 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Loading "flash:c3550-i9q3l2-mz.121-20.EA1a/c3550-i9q3l2-mz.121-20.EA1a.bin"...###########################################################################################################################################################################################################################################################################################################################################################################################################
File "flash:c3550-i9q3l2-mz.121-20.EA1a/c3550-i9q3l2-mz.121-20.EA1a.bin" uncompressed and installed, entry point: 0x3000
executing...
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 19-Apr-04 21:42 by yenanh
Image text-base: 0x00003000, data-base: 0x006B3454
Initializing flashfs...
flashfs[1]: 88 files, 4 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 15998976
flashfs[1]: Bytes used: 6644224
flashfs[1]: Bytes available: 9354752
flashfs[1]: flashfs fsck took 8 seconds.
flashfs[1]: Initialization complete.
...done Initializing flashfs.
POST: CPU Buffer Tests : Begin
POST: CPU Buffer Tests : End, Status Passed
POST: CPU Interface Tests : Begin
POST: CPU Interface Tests : End, Status Passed
POST: Switch Core Tests : Begin
POST: Switch Core Tests : End, Status Passed
POST: CPU Interface 2nd Stage Tests : Begin
POST: CPU Interface 2nd Stage Tests : End, Status Passed
POST: CAM Subsystem Tests : Begin
POST: CAM Subsystem Tests : End, Status Passed
POST: Ethernet Controller Tests : Begin
POST: Ethernet Controller Tests : End, Status Passed
POST: ILP Controller Tests : Begin
POST: ILP Controller Tests : End, Status Passed
POST: Loopback Tests : Begin
POST: Loopback Tests : End, Status Passed
cisco WS-C3550-24-PWR (PowerPC) processor (revision H0) with 65526K/8192K bytes of memory.
Processor board ID CAT0829Z301
Last reset from warm-reset
Running Layer2/3 Switching Image
Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 3 has 1 Gigabit Ethernet/IEEE 802.3 interface
Ethernet-controller 4 has 1 Gigabit Ethernet/IEEE 802.3 interface
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
The password-recovery mechanism is enabled.
384K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:11:93:A1:70:80
Motherboard assembly number: 73-8100-08
Power supply part number: 341-0029-03
Motherboard serial number: CAT08290FL9
Power supply serial number: DTH082326P8
Model revision number: H0
Motherboard revision number: A0
Model number: WS-C3550-24PWR-SMI
System serial number: CAT0829Z301
Press RETURN to get started!
00:00:33: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:35: %SYS-5-CONFIG_I: Configured from memory by console
00:00:35: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 19-Apr-04 21:42 by yenanh
00:00:35: %SNMP-5-COLDSTART: SNMP agent on host C3550 is undergoing a cold start
00:00:37: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
00:00:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
C3550>
C3550>enable
Password:
C3550#
The switch needs a complex password, but it will operate when equipment is attached.
No comments:
Post a Comment