Shulou(Shulou.com)06/01 Report--

A Cisco 4506 switch in the user's real environment could not log in, and the maintenance staff could not remember the modified password, so they had to crack the system.

Environment:

Cisco Catalyst 4506E switch, engine WS-X45-SUP8-E, system version cat4500es8-UNIVERSAL-M

Cracking steps:

Restart the switch and press ctrl+c to abort the switch startup process, as follows:

Verifying FPGA (P) Signature. PASSED

Verifying ROMMON (P) Signature. PASSED

* * *

* *

* Rom Monitor *

* Copyright (c) 2012-2013 by Cisco Systems, Inc.

* All rights reserved. *

* *

* * *

Rom Monitor (P) Version 15.1 (1r) SG1

Compiled Wed 14-Aug-13 17:15 [RLS]

System: WS-X45-SUP8-E Slot [1]

Chassis: WS-C4506*E Mod [3] [6]

Revision: CPU 2.1 BOARD 4.0 FPGA 3.15F2.9155

Memory: 4096 MB

Date: Sun Mar 05 21:32:01 2017

Type Control-C to prevent autobooting....

[CTRL-C]

Autoboot cancelled.!!!

Rommon 0 >

View the current environment variables of the system through the set command as follows:

Rommon 0 > set

PS1=rommon! >

Fa1Enable=1

RommonVer=15.1 (1R) SG1

ConfigReg=0x2101

BOOT=bootflash:cat4500es8-universal.SPA.03.03.00.XO.151-1.XO.binjol 1

DiagMonitorAction=Normal

RET_2_RTS=14:59:24 GMT Sat Aug 27 2016

RET_2_RCALTS=

BootedFileName=flash2:/USER/cat4500es8-universal.SPA.03.03.00.XO.151-1.XO.bin

ConsecPostPassedCnt=34

Notice that the register value is 0x2101

Use the confreg command to configure the system as follows:

Rommon 1 > confreg

Configuration Summary:

= > load rom after netboot fails

= > console baud: 9600

= > autoboot from: the first file from internal flash device

Do you wish to change the configuration? Y/n [n]: y

Enable "diagnostic mode"? Y/n [n]: n

Enable "use net in IP bcast address"? Y/n [n]:

Disable "load rom after netboot fails"? Y/n [n]:

Enable "use all zero broadcast"? Y/n [n]:

Enable "break/abort has effect"? Y/n [n]:

Enable "ignore system config info"? Y/n [n]: y

Change console baud rate? Y/n [n]:

Change the boot characteristics? Y/n [n]:

Configuration Summary:

= > load rom after netboot fails

= > ignore system config info

= > console baud: 9600

= > autoboot from: the first file from internal flash device

Do you wish to save this configuration? Y/n [n]: y

You must reset or power cycle for new configuration to take effect

Other options can be entered directly. After configuration, it is prompted that you must restart to take effect. However, you can check the environment variables again with the set command before restarting, as shown below:

Rommon 2 > set

PS1=rommon! >

Fa1Enable=1

RommonVer=15.1 (1R) SG1

BOOT=bootflash:cat4500es8-universal.SPA.03.03.00.XO.151-1.XO.binjol 1

DiagMonitorAction=Normal

RET_2_RTS=14:59:24 GMT Sat Aug 27 2016

RET_2_RCALTS=

BootedFileName=flash2:/USER/cat4500es8-universal.SPA.03.03.00.XO.151

-1.XO.bin

ConsecPostPassedCnt=34

ConfigReg=0x2141

At this point, you will find that the value of the front and back registers has changed, and you can restart the system with the boot command.

After reboot:

Press RETURN to get started!

Switch >

At this point, you can see that the system bypassed the configuration file, and later we can go through the

Switch#copy startup-config running-config

Load the configuration into the system, and then change the password directly through the command. Of course, we have to modify the register value after completion.

Config-register 0x2101

Restart the system and you will find that the password has been cracked.

*

In fact, the password cracking method of the sup8 engine is similar to that of other series of engines, which can be viewed by referring to the official documents. However, if the VSS is done by two systems, then the password cracking process will be somewhat different. However, the official also gives the corresponding documents, please refer to the details.

*

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.