Tuesday, May 06, 2008

Cisco Switch 3500XL: password recovery

I found one Cisco Catalyst 3500 XL on the storage room, haven't been used for a while therefore we will play with it. After reboot I noticed it has a password (as it should) on it so the first step is to change it (I am sure the networking guys would not mind :) )

The process is as follows:
Cisco official information:
http://www.cisco.com/warp/public/474/pswdrec_2900xl.html


My notes:
Turn on the power of the Catalyst 3500XL while pressing the "MODE" button. Wait until the light on port 1 is off (and the rest still on). You should see the following information:

C3500XL Boot Loader (C3500-HBOOT-M) Version 12.0(5.2)XU, MAINTENANCE INTERIM SOF
TWARE
Compiled Mon 17-Jul-00 18:42 by ayounes
starting...
Base ethernet MAC Address: 00:04:c1:c4:ed:10
Xmodem file system is available.

The system has been interrupted prior to initializing the
flash filesystem. The following commands will initialize
the flash filesystem, and finish loading the operating
system software:

flash_init
load_helper
boot

switch: flash_init --------------> run the "flash_init" command
Initializing Flash...
flashfs[0]: 112 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 2776576
flashfs[0]: Bytes available: 836096
flashfs[0]: flashfs fsck took 3 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
switch: load_helper --------------> run the "load_helper" command
switch: dir flash: --------------> run the "dir flash:" command (colon included)
Directory of flash:/

2 -rwx 1645807 c3500XL-c3h2s-mz-120.5.2-XU.bin ----> current image loaded
3 -rwx 94680 c3500XL-diag-mz-120.5.2-XU
4 drwx 6784 html
111 -rwx 272 env_vars
112 -rwx 1020 vlan.dat
114 -rwx 25 snmpengineid
115 -rwx 5606 config.txt
116 -rwx 3436 config.text ----> configuration file loaded

836096 bytes available (2776576 bytes used)
switch:
switch: rename flash:config.text flash:config.old -----------> backup the current configuration file
switch: dir flash:
Directory of flash:/

2 -rwx 1645807 c3500XL-c3h2s-mz-120.5.2-XU.bin
3 -rwx 94680 c3500XL-diag-mz-120.5.2-XU
4 drwx 6784 html
111 -rwx 272 env_vars
112 -rwx 1020 vlan.dat
114 -rwx 25 snmpengineid
115 -rwx 5606 config.txt
116 -rwx 3436 config.old

836096 bytes available (2776576 bytes used)
switch:

switch: boot -----------> run the "boot" to initialize the system. The image will be loaded but no configuration file will be found forcing the system to enter into setup mode.

Loading "flash:c3500XL-c3h2s-mz-120.5.2-XU.bin"...##############################
################################################################################
#############################################

File "flash:c3500XL-c3h2s-mz-120.5.2-XU.bin" uncompressed and installed, entry p
oint: 0x3000
executing...

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706



Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Vers
TERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 17-Jul-00 18:29 by ayounes
Image text-base: 0x00003000, data-base: 0x00301F3C


Initializing C3500XL flash...
flashfs[1]: 112 files, 3 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 3612672
flashfs[1]: Bytes used: 2776576
flashfs[1]: Bytes available: 836096
flashfs[1]: flashfs fsck took 3 seconds.
flashfs[1]: Initialization complete.
...done Initializing C3500XL flash.
C3500XL POST: System Board Tes
C3500XL POST: Daughter Card Test: Passed
C3500XL POST: CPU Buffer Test: Passed
C3500XL POST: CPU Notify RAM Test: Passed
C3500XL POST: CPU Interface Test: Passed
C3500XL POST: Testing Switch Core: Passed
C3500XL POST: Testing Buffer Table: Passed
C3500XL POST: Data Buffer Test: Passed
C3500XL POST: Configuring Switch Parameters: Passed
C3500XL POST: Ethernet Controller Test: Passed
C3500XL POST: MII Test: Passed
cisco WS-C3548-XL (PowerPC403) processor (revision 0x01) with 16384K/1024K bytes
of memory.
Processor board ID XXXHNNHHXXX, with hardware revision 0x00
Last reset from power-on

Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:04:c1:c4:ed:10
Motherboard assembly number: 73-3903-07
Power supply part number: 34-0971-01
Motherboard serial number: XXXNNNNNXXX
Motherboard serial number: XXXNNNNNXXX
Model revision number: A0
Motherboard revision number: B0
Model number: WS-C3548-XL-EN
System serial number: XXXHNNHHXXX
C3500XL INIT: Complete

00:00:34: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.2)XU, MAINTENANCE IN
TERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 17-Jul-00 18:29 by ayounes

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Continue with configuration dialog? [yes/no]: n -----------> Enter "n" to not use the configuration dialog
Press RETURN to get started. -----------> PRESS ENTER


Switch>
Switch>enable -----------> Run the "enable" command to go into Privileged mode.
Switch#dir flash: -----------> Check the flash to see the "config.old" file is there.
Directory of flash:/

2 -rwx 1645807 Jul 18 2000 01:47:40 c3500XL-c3h2s-mz-120.5.2-XU.bin
3 -rwx 94680 Jul 18 2000 01:47:40 c3500XL-diag-mz-120.5.2-XU
4 drwx 6784 Jul 18 2000 01:47:41 html
111 -rwx 272 Jan 01 1970 00:00:21 env_vars
112 -rwx 1020 Mar 08 1993 04:11:03 vlan.dat
114 -rwx 25 Mar 17 2005 13:29:07 snmpengineid
115 -rwx 5606 Mar 01 1993 00:39:03 config.txt
116 -rwx 3436 Mar 08 1993 02:48:59 config.old

3612672 bytes total (836096 bytes free)
Switch#rename flash:config.old flash:config.text -----------> Restore the config.old to config.text
Destination filename [config.text]? -----------> PRESS ENTER
Switch#

Switch#rename flash:config.old flash:config.text
Destination filename [config.text]?
Switch#copy flash:config.text system:running-config -----------> Copy the configuration file into memory
Destination filename [running-config]? -----------> PRESS ENTER

Switch#
Switch# -----------> At this point you can run a "show running" command to check the configuration of the switch

witch#config t -----------> Enter the "config t" command to enter the configuration global mode.
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#enable secret secret -----------> change the enable password
Switch(config)#enable password password -----------> change the password password
Switch(config)#line vty 0 15 -----------> change the telnet password
Switch(config-line)#password telnet
Switch(config-line)#login
Switch(config-line)#^Z
Switch#
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line con 0
Switch(config-line)#password console -----------> change the console password
Switch(config-line)#^Z
Switch#
Switch#write memory -----------> Save configuration into memory
Building configuration...
Switch#


Done, reboot the switch and now you have full access.

No comments: