Thursday, June 16, 2011

Reset Administrator Password On A Cisco Router With SNMP

What is Cisco SNMP Tool?

“Cisco SNMP Tool” is not made by Cisco. Instead, it is a free SNMP application available for download on the Internet. It is made by someone calling himself “Billy the Kid”. Despite the fact that its appearance is rough, it does its job quite well. It can perform full modification of a Cisco router’s running and startup configuration. Additionally, it can reboot the router remotely. This can all be done with only the SNMP write password (called a community string).

How do I obtain “Cisco SNMP Tool”?

To find this tool, I googled “cisco snmp tool”. I found that it was available for download from a number of sites. However, the homepage and source for the latest version is at:
http://www.geocities.com/billytk06/
I downloaded and extracted the tool. Inside the zipped download were these files:

It is made up of only a single executable and some text files. There was no installation to be performed at all. Once running, the tool looks like this:

It can only perform a few basic tasks:
  • Telnet to Host
  • Reboot device
  • Upload Running & Startup Configuration
  • Download Running & Startup Configuration
  • Reset Passwords
  • Write NVRAM

How can I reset a lost Cisco IOS enable password with Cisco SNMP Tool?

To reset a lost Cisco IOS enable password with Cisco SNMP Tool, let’s look at an example. I have a test router and I have configured an enable password of “lostpassword”. I have an SNMP write community string of “SnmpPassword1”.

On the router, these commands would look like this:

    Router(config)# enable secret lostpassword
    Router(config)# snmp-server community SnmpPassword1 RW
    Router(config)# line vty 0 4
    Router(config-line)# password lostpassword

To use “Cisco SNMP Tool” to change the enable password, I first have to add my router to the tool. To do this, I type in the IP address of my device, the hostname, and the SNMP write community string. Next, I click Add/Update Device, like this:

Once the device is added on the left-hand side, I want to test SNMP communication with it. To do this, I click Device Commands -> Test SNMP String.

From this test, you should see the message in the SNMP log that “Your SNMP Read/Write COMMUNITY is CORRECT”, like this:

Now that you know you have full administrative capabilities to this device, using SNMP, you can proceed with whatever you need to do. From here, you can choose to reset passwords on the router. To do this, go to Configuration Commands -> Reset Passwords, like this:

When you do this, in reality, you are just uploading a configuration file from the config tab to the router’s running-configuration. You could create your own config file and upload it yourself. By default, the configuration will change the enable secret password to billy and the line vty password to billy. Also note that you only copied these changes to the running configuration, not the startup-configuration. So, you need to log in with these passwords, change the passwords to what they should be, and save that configuration with copy run start or wr. Now, let’s see if we can log in to our router and change these passwords back:

Now, let me offer a couple of notes on how this tool works. The version of SNMP that is used by default is unencrypted. Thus, the SNMP community string (password) with full write privileges to your router is going across the network in the clear. That means that the password could be sniffed, and a malicious attacker could use this same tool against you. Another important piece is that you must have, ahead of time, configured an SNMP read/write community string on the router. Without that, this tool is never going to work.
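Because everything above depends on a read/write community string being present, it is worth checking saved router configurations for one. The following is an added example, not part of the original post or of the tool: a small Python audit that flags community lines that grant write access or are not restricted by an access list. The function names, the sample configuration and the 192.0.2.10 address are made up for illustration.

```python
import re

# Constructed running-config excerpt. The first community line is the one from
# the article; the other lines and the 192.0.2.10 address are made up.
SAMPLE_CONFIG = """\
hostname Router
snmp-server community SnmpPassword1 RW
snmp-server community MonitorOnly RO 10
snmp-server community NmsWrite view LIMITED RW 20
access-list 10 permit 192.0.2.10
access-list 20 permit 192.0.2.10
line vty 0 4
 password lostpassword
"""

# snmp-server community <string> [view <name>] [ro|rw] [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?"
    r"(?: ipv6 (?P<acl6>\S+))?"
    r"(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)

def audit_snmp_communities(config_text):
    """Return one finding per community line: mode, IPv4 ACL and issues."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        m = COMMUNITY_RE.match(raw.strip())
        if not m:
            continue
        mode = (m.group("mode") or "ro").upper()  # IOS default is read-only
        issues = []
        if mode == "RW":
            issues.append("write access: configuration can be changed over SNMP")
        if m.group("acl") is None:
            issues.append("no access list: accepted from any source address")
        findings.append({"line": lineno, "community": m.group("name"),
                         "mode": mode, "acl": m.group("acl"), "issues": issues})
    return findings

def unrestricted_rw(findings):
    """Communities that are both read/write and not limited by an ACL."""
    return [f["community"] for f in findings
            if f["mode"] == "RW" and f["acl"] is None]

if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        print(f["line"], f["community"], f["mode"], f["acl"], f["issues"] or "ok")
```

An access list only narrows who may use a community string; the string itself still crosses the network in the clear with SNMPv1/v2c, so write access is better moved to SNMPv3 with authentication and privacy or removed.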
