Basic configuration
Router>ena
Router#show version
Router#show start
Router#show run
Router#show history
Router#show clock
Router#show users
Router#show flash
Router#show tech-support
Router#show interfaces
Router#show ip interface brief
Router#copy run start
Router#ping
Router#reload
Router#config t
Router(config)#ip host yasser 10.0.0.100
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#speed auto
Router(config-if)#duplex auto
Router(config-if)#no shutdown
Router(config-if)#exit
Secure Router & Setting Telnet connection
Router(config)#enable password 1111
Router(config)#no enable password
Router(config)#enable secret 1111
Router(config)#line console 0
Router(config-line)#password 2222
Router(config-line)#login
Router(config-line)#exit
Router(config)#line vty 0 4
Router(config-line)#password 3333
Router(config-line)#login
Router(config-line)#exit
Router(config)#service password-encryption
Router(config)#banner motd # dont login #
Router(config)#username yasser password 2222
Router(config)#username yasserramzy secret 2222
Router(config)#username yasserauda privilege 15 password 2222
Router(config)#username yasserramzyauda privilege 15 secret 2222
Router(config)#no ip domain-lookup
Cisco Discovery Protocol
Router(config)#cdp run
Router#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Switch Fas 0/1 171 S 2960 Fas 0/1
Router Fas 0/0 122 R C2800 Fas 0/0
Router#show cdp interface
Vlan1 is administratively down, line protocol is down
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
FastEthernet0/0 is up, line protocol is up
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
FastEthernet0/1 is up, line protocol is up
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Router#show cdp entry *
Device ID: Switch
Entry address(es):
Platform: cisco 2960, Capabilities: Switch
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/1
Holdtime: 148
Version :
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX,
RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team
advertisement version: 2
Duplex: full
---------------------------
Device ID: Router
Entry address(es):
IP address : 120.0.0.2
Platform: cisco C2800, Capabilities: Router
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/0
Holdtime: 158
Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 06:21 by pt_rel_team
advertisement version: 2
Duplex: full
Password recovery
1- connect to your router using a console cable
2- power the router off and back on
3- press Ctrl+Break while it boots
4- change confreg to 0x2142
5- reset
6- n (answer no to the initial configuration dialog)
7- ena
8- copy start run
9- config t
10- use the password commands to change or remove the passwords
11- config-register 0x2102
12- exit
13- copy run start
BACKUP & RESTORE
Router#copy tftp flash
Router#copy flash tftp
Router#copy run tftp
Router#copy start tftp
Router(config)#boot system flash ?
WORD System image filename
note: boot priority is the boot system commands first, then flash, then TFTP, then rxboot/ROMMON
DHCP
Router(config)#ip dhcp pool me
Router(dhcp-config)#network 10.0.0.0 255.0.0.0
Router(dhcp-config)#default-router 10.0.0.10
Router(dhcp-config)#dns-server 10.0.0.11
Router(dhcp-config)#exit
Router(config)#ip name-server 10.0.0.11
Router(config)#ip dhcp excluded-address 10.0.0.100 10.0.0.200
Router(config)#exit
Router#show ip dhcp binding
IP address Client-ID/ Lease expiration Type Hardware address
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address dhcp
SSH
Router(config)#username yasser password 2222
Router(config)#hostname alexrouter
alexrouter(config)#ip domain-name me.com
alexrouter(config)#ip ssh time-out 30
alexrouter(config)#ip ssh authentication-retries 3
alexrouter(config)#ip ssh version 2
Please create RSA keys (of at least 768 bits size) to enable SSH v2.
alexrouter(config)#crypto key generate rsa
The name for the keys will be: alexrouter.me.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 512
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
*Mar 1 0:1:26.828: RSA key size needs to be at least 768 bits for ssh version 2
*Mar 1 0:1:26.828: %SSH-5-ENABLED: SSH 1.5 has bee
Friday, September 17, 2010
How to Configure Passwords to Secure your Cisco Router
Types of Cisco Router Passwords
When it comes to basic password security, there are three basic types:
Line Passwords
Privileged mode Passwords (enable mode)
Username Passwords (optional)
Let’s explore these.
Line Passwords
Line passwords are configured on router lines. Examples of lines are:
Console Line - The console is the main serial administrative port on a router. This is where you configure the router when it is new and has no network configuration.
Aux Line - The aux line is an auxiliary port. Like the console, it is a physical port on every router. You can think of it as a backup console port. Besides being a backup console port, the aux port is periodically used for administrative console dial-up access to the router.
VTY Lines - VTY lines are “virtual tty” lines and are used when you connect to the router via telnet or ssh. These are not physical lines on the router but virtual “inbound network lines”.
Async Lines - Async lines are asynchronous serial lines and are optional. They are created when you insert an async serial card in a router. You can use async serial lines to connect dumb terminals (text-based terminals), serial printers, or modems.
All of these different lines need a password configured on them. Let’s find out how to configure Cisco router line passwords.
Configuring Cisco Router Line Passwords
There are two commands used to configure line passwords, no matter what kind of line you are using. The commands are password and login. The password command is used to set your line password. The login command, when entered by itself, is used to tell the router to use the password that is configured on the line. Here is an example of how this is configured on the console port:
As you can see in the graphic, we first set the password to cisco using password cisco, then enabled login using that password with the login command.
We repeat this on the aux port, like this:
Finally, we configure the same commands on the VTY lines. The catch is that there is more than one VTY. Because you don’t want to configure them one at a time, you specify a VTY range: your router’s starting and ending VTY number. Inside the configuration mode for that range is where you configure the password and login commands. In the past, routers only had 0-4, or 5, VTY lines. Today, most routers have 0-15, or 16, VTY lines. Make sure that you know how many VTYs your router has so that no lines are left without a password. Here is what you do to tell how many lines your router has:
As you can see from the screenshot above, this router has 16 (actually 0 to 15) VTY lines. You know this because the last line number is 15.
Here is how you would configure the password and login commands on the VTY lines using the range of VTY’s:
Configuring Cisco Router Privileged mode Passwords
Another basic router security requirement is that you configure a password used to enter privileged mode (enable mode). The enable password is a well-known way to do this but it is not recommended anymore because it does not encrypt the password with a strong encryption mechanism.
The enable secret command does encrypt the password with a strong encryption mechanism and it also sets a password to enter enable mode. Here is how you configure an enable secret password:
Testing Password Configuration
To test our new password configuration from the console port, exit out of all IOS modes. Once logged off, press enter to log back in.
You will be prompted with the console login prompt. Enter your console line password, cisco. Once you are logged in, type enable and press enter. You will be prompted for your privilege mode password. Type Cisco! and press enter. You should now be logged in. Here is an example:
Username Passwords
Optionally, you can configure usernames and associated passwords on a Cisco router. This is a more advanced level of security than line passwords. Once the lines are told to use the username database, the line password is ignored.
You configure the usernames with the username command and can add their password on the same command line. Optionally, you can configure the privilege level of that user. Level 15 is the administrative user.
Once you create the username, you need to tell each line to use the local username/password database, on the router. To do this, go back to each line and type login local.
Here is an example:
Now let’s test it out:
Notice that we were prompted for a username. We typed in one of the users we set up, admin. We were then prompted for admin’s password. Also, because we specified that admin’s privilege was 15, we were put directly into privileged mode, with full administrative privileges (and without having to type enable).
If we log out and log back in as user1, notice that user1 doesn’t get the # sign, which tells us that this user is not in privileged mode:
What you learned
In this article, you learned that there are line passwords and privileged mode passwords. The line passwords protect the console, aux, and vty lines. They are configured with the password and login command. The privileged mode password should be configured with enable secret. Optionally, you can configure usernames and use the login local command on the lines.
All routers should be protected by a password, at minimum. Additionally, privileged mode (and configuration mode) should be controlled by an additional password.
Your action: check each router for proper line and password security as this is the minimum level of security you should employ.
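As an added example (not code from the article), the following Python script audits the text of a running-config for the controls described above: enable secret instead of enable password, service password-encryption, username ... secret, and a login or login local on every line. Both configs inside it are constructed for the demo and reuse the article's passwords; neither comes from a real router.

```python
"""Audit a Cisco IOS running-config for the line, enable and username
password controls the article describes.  Added example, not code from the
article; both configs are constructed (passwords reused from the article)."""
import re

# Constructed "before" state showing the problems the article warns about.
WEAK_CONFIG = """\
hostname alexrouter
enable password Cisco!
username admin privilege 15 password cisco
line con 0
 password cisco
 login
line aux 0
 password cisco
line vty 0 4
 password cisco
 login local
line vty 5 15
 login
"""

# Constructed "after" state: the same router with the article's recommendations.
HARDENED_CONFIG = """\
hostname alexrouter
service password-encryption
enable secret Cisco!
username admin privilege 15 secret cisco
line con 0
 password cisco
 login local
line aux 0
 password cisco
 login local
line vty 0 15
 password cisco
 login local
"""


def line_stanzas(config):
    """Map each 'line ...' stanza to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None          # a non-indented command ends the stanza
    return stanzas


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top = [l for l in config.splitlines() if not l.startswith(" ")]
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("global: no 'enable secret'; privileged mode lacks a hashed password")
    if any(l.startswith("enable password ") for l in top):
        findings.append("global: 'enable password' present; replace it with 'enable secret'")
    if "service password-encryption" not in top:
        findings.append("global: 'service password-encryption' missing; line passwords are shown in clear")
    for m in re.finditer(r"^username (\S+) .*\bpassword\b", config, re.M):
        findings.append(f"global: user {m.group(1)} defined with 'password'; use 'secret'")
    for name, cmds in line_stanzas(config).items():
        if "login local" in cmds:
            continue                # authenticates against the username database
        if "login" not in cmds:
            findings.append(f"{name}: no 'login'; the line password is never asked for")
        elif not any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: 'login' set without 'password'; connections are refused")
    return findings
```

audit(WEAK_CONFIG) returns six findings and audit(HARDENED_CONFIG) returns an empty list; feed it the saved output of show run to check a real device.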
Reset Administrator Password On A Cisco Router With SNMP
What Is SNMP?
SNMP is a standard protocol for managing and monitoring network devices. SNMP works by having an agent run on a SNMP device, and having a SNMP manager run on a workstation or server. In our case, a Cisco IOS router will be the SNMP device. A Windows workstation with PRTG will be our SNMP manager.
SNMP is a standard defined by the IETF and is based on a number of RFCs. Usually, the agent uses UDP port 161 and the manager uses UDP port 162. There are 3 versions of SNMP.
There are so many different types of SNMP managers available and they are all created to perform different functions. For example, some programs like Whatsup can alert you when a server is low on disk space, or when a printer runs out of toner.
As we don’t have room to go into all the details on SNMP, take a look at Wikipedia:SNMP for more information.
What is Cisco SNMP Tool?
“Cisco SNMP Tool” is not made by Cisco. Instead, it is a free SNMP application available for download on the Internet. It is made by someone calling himself “Billy the Kid”. Despite the fact that its appearance is rough, it does its job quite well. It can perform full modification of a Cisco router’s running and startup configuration. Additionally, it can reboot the router remotely. This can all be done with only the SNMP write password (called a community string).
How do I obtain “Cisco SNMP Tool”?
To find this tool, I googled “cisco snmp tool”. I found that it was available for download from a number of sites. However, the homepage and source for the latest version is at:
http://www.geocities.com/billytk06/
I downloaded and extracted the tool. Inside the zipped download were these files:
It is made up of only a single executable and some text files. There was no installation to be performed at all. Once running, the tool looks like this:
It can only perform a few basic tasks:
Telnet to Host
Reboot device
Upload Running & Startup Configuration
Download Running & Startup Configuration
Reset Passwords
Write NVRAM
How can I reset a lost Cisco IOS enable password with Cisco SNMP Tool?
To reset a lost Cisco IOS enable password with Cisco SNMP tool, let’s look at an example. I have a test router and I have configured an enable password of “lostpassword”. I have a SNMP write community string of “SnmpPassword1”.
On the router, these commands would look like this:
Router(config)# enable secret lostpassword
Router(config)# snmp-server community SnmpPassword1 RW
Router(config)# line vty 0 4
Router(config-line)# password lostpassword
To use “Cisco SNMP Tool” to change the enable password, I first have to add my router to the tool. To do this, type in the IP address of my device, the hostname, and the SNMP write community string. Next I click Add/Update Device, like this:
Once the device is added on the left hand side, I want to test SNMP communication with it. To do this, I click Device Commands -> Test SNMP String.
From this test, you should see the message in the SNMP log that “Your SNMP Read/Write COMMUNITY is CORRECT”, like this:
Now that you know you have full administrative capabilities to this device, using SNMP, you can proceed with whatever you need to do. From here, you can choose to reset passwords on the router. To do this, go to Configuration Commands -> Reset Passwords, like this:
When you do this, in reality, you are just uploading a configuration file from the config tab to the router’s running-configuration. You could create your own config file and upload it yourself. By default, the configuration will change the enable secret password to billy and the line vty password to billy. Also note that you only copied these changes to the running configuration, not the startup-configuration. So, you need to login with these passwords, change the passwords to what they should be and save that configuration with copy run start or wr. Now, let’s see if we can login to our router and change back these passwords:
Now, let me offer a couple of notes on how this tool works. The version of SNMP that is used by default is unencrypted. Thus, the SNMP community string (password) with full write privileges to your router is going across the network in the clear. That means that the password could be sniffed, and a malicious attacker could use this same tool against you. Another important piece is that you must have, ahead of time, configured a SNMP read/write community string on the router. Without that, this tool is never going to work.
Summary
In this article, we learned the power that SNMP can offer a network administrator. I was impressed at how, using only SNMP, we could change the running configuration, change the startup configuration, or reboot the router. I hope you were as impressed as I was. I am going to send an email of thanks to the author of this tool and keep it in my toolbox for the next time I need it. You may want to do the same.
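To show what the “in the clear” note above means on the wire, here is an added Python example (not from the article or from Cisco SNMP Tool) that decodes a hand-built SNMPv1 SetRequest and flags write requests coming from any host that is not in a trusted-manager list. The packet bytes, the trusted-manager address 10.0.0.11 and the sysName.0 target are constructed for the demo; only the community string and the hostname are taken from the article.

```python
"""Decode an SNMPv1/v2c message and flag write (SetRequest) PDUs.  Added
example, not part of the article or of "Cisco SNMP Tool"; the packet below is
built by hand for the demo and was not captured from a real network."""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# Constructed SNMPv1 SetRequest with community "SnmpPassword1" that writes
# sysName.0 (1.3.6.1.2.1.1.5.0) = "alexrouter".  Not a real capture.
SAMPLE_PACKET = bytes.fromhex(
    "30 37"                                         # SEQUENCE, 55 bytes follow
    "02 01 00"                                      # version 0 = SNMPv1
    "04 0d 53 6e 6d 70 50 61 73 73 77 6f 72 64 31"  # community "SnmpPassword1"
    "a3 23"                                         # SetRequest PDU, 35 bytes
    "02 01 01 02 01 00 02 01 00"                    # request-id 1, error 0, index 0
    "30 18 30 16"                                   # varbind list / one varbind
    "06 08 2b 06 01 02 01 01 05 00"                 # OID 1.3.6.1.2.1.1.5.0
    "04 0a 61 6c 65 78 72 6f 75 74 65 72"           # OCTET STRING "alexrouter"
)


def read_tlv(buf, pos):
    """Parse one BER TLV at buf[pos:] and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn BER OID bytes into dotted notation (base-128 sub-identifiers)."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def decode_snmp(packet):
    """Return version, community, PDU type, request id and varbinds."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if version not in (0, 1):           # 0 = v1, 1 = v2c; v3 is laid out differently
        raise ValueError("only SNMPv1/v2c messages are handled")
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag == 0xA4:
        raise ValueError("SNMPv1 Trap PDU layout not handled")
    _, rid, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)      # error-status
    _, _, pos = read_tlv(pdu, pos)      # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, p = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, p)
        shown = val.decode("latin-1") if vtag == 0x04 else val.hex()
        varbinds.append((decode_oid(oid), shown))
    return {"version": version, "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "varbinds": varbinds}


def check_set_request(packet, src_ip, trusted_managers):
    """Defender's check: alert on a SetRequest from any host that is not a
    known manager.  v1/v2c carry the community in clear text, so a sniffer on
    the path reads it just as easily as this decoder does."""
    msg = decode_snmp(packet)
    if msg["pdu"] != "SetRequest" or src_ip in trusted_managers:
        return None
    return (f"ALERT: SNMP SetRequest from {src_ip} with community "
            f"'{msg['community']}' writing {[o for o, _ in msg['varbinds']]}")
```

check_set_request(SAMPLE_PACKET, "10.0.0.100", {"10.0.0.11"}) returns an alert naming the community string, while the same packet from 10.0.0.11 returns None. Restricting the RW community to known managers and moving to SNMPv3 where the agent supports it addresses the sniffing risk the author notes.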