[c-nsp] disable break on boot for IOS??
neal rauhauser
2009-07-13 21:10:44 UTC
I have a situation with a former employee who still has legitimate
physical access to a shared space where we have some Cisco equipment. Today
one of our field guys located a UBR924 attached to our cable modem plant
with the cutest little rogue Linux machine attached to its ethernet port.

I had them recover the router's password as the first step and now I'm
puzzling over this:

http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml


I recall that a machine can be set such that the break during boot will
not permit password recovery, but it isn't clear to me how I do it. I'd
really like to get this machine secured so I can dig in to what he is doing.
I'd already isolated this cable plant because I knew intrusion was possible
but I want to see what other mischief he uses our facilities for - a little
spice for the already meaty intrusion case against him this spring.
--
mailto:***@layer3arts.com //
GoogleTalk: ***@gmail.com
IM: nealrauhauser
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
A***@lboro.ac.uk
2009-07-13 21:27:24 UTC
Hi,
Post by neal rauhauser
I have a situation with a former employee who still has legitimate
physical access to a shared space where we have some Cisco equipment. Today
one of our field guys located a UBR924 attached to our cable modem plant
with the cutest little rogue Linux machine attached to its ethernet port.
Do you have any proof of the install time of this box?
It could have been a legitimate install done during their time
at your place, and may have been used for e.g. remote access login
during times of issue, especially if the place has draconian
rules about supported/allowed devices. I have several Linux boxes
that have saved my bacon countless times with their serial
interface.
Post by neal rauhauser
I recall that a machine can be set such that the break during boot will
not permit password recovery, but it isn't clear to me how I do it. I'd
Disabling password recovery? It's a one-way process: once done there is no way
back... TACACS+ authentication is a way to handle all authentication
via vty/con/etc. If the password recovery mech is set there is no way to unset it
without a visit to the factory.
Post by neal rauhauser
really like to get this machine secured so I can dig in to what he is doing.
Grab the Linux box and use any of the boot CD methods to get access.
Read the shell history, see the tools present, etc.

alan
Matthew Huff
2009-07-13 21:31:10 UTC
If you are running a newer IOS and newer ROMMON you can disable password recovery (i.e. break during boot) using "no service password-recovery". Make sure to read http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html completely; you can brick a router otherwise.
----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
neal rauhauser
2009-07-14 01:26:49 UTC
This is good advice for newer machines but I've got a UBR 924 with 12.1T
code on it - 'no service password-recover' isn't an option for me. Which
config-register setting will do what I need? Seems like maybe 0x8102 would
do it, but I'm in no mood to experiment across twenty miles, especially when
I'm monitoring activity for law enforcement. This guy, he is a giant pain
where I sit and has been since I started at the first of the year.
--
mailto:***@layer3arts.com //
GoogleTalk: ***@gmail.com
IM: nealrauhauser
Ivan Pepelnjak
2009-07-14 05:47:59 UTC
Post by neal rauhauser
This is good advice for newer machines but I've got a UBR
924 with 12.1T code on it - 'no service password-recover'
isn't an option for me. Which config-register setting will do
what I need?
None. You cannot disable break during the first minute (or so) with a config
register.
Post by neal rauhauser
Seems like maybe 0x8102 would do it
The "disable break" 0x0100 disables break after the initial one-minute (or
so) window.

Ivan


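The register bits Ivan describes (0x0100 "disable break", plus the 0x0040 "ignore NVRAM" bit that the password-recovery procedure neal just ran sets via 0x2142) can be checked from the last line of `show version` before a remote reload. This is an added illustration, not code from the thread or from Cisco; the `show version` line, the bit masks and the 0x2142 value are the classic IOS register layout, and the sample output is constructed.

```python
import re

# Bit layout of the 16-bit IOS configuration register (classic routers).
BOOT_FIELD_MASK = 0x000F   # bits 0-3: boot field (0x0 = stay in ROMMON)
IGNORE_NVRAM    = 0x0040   # bit 6: ignore startup-config; password recovery uses 0x2142
DISABLE_BREAK   = 0x0100   # bit 8: ignore the Break key once IOS is running
DIAG_MODE       = 0x8000   # bit 15: enable diagnostic messages

# Last line of 'show version', with the optional pending-value suffix.
SHOW_VER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def parse_show_version(text):
    """Return (current, at_next_reload) register values, or None if absent."""
    m = SHOW_VER_RE.search(text)
    if not m:
        return None
    cur = int(m.group(1), 16)
    nxt = int(m.group(2), 16) if m.group(2) else cur
    return cur, nxt

def decode_confreg(value):
    """Split a register value into the fields that matter for recovery/break."""
    return {
        "boot_field": value & BOOT_FIELD_MASK,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "disable_break": bool(value & DISABLE_BREAK),
        "diag_mode": bool(value & DIAG_MODE),
    }

def audit_confreg(value):
    """Defender-side findings for a register value, as discussed in the thread."""
    d = decode_confreg(value)
    findings = []
    if d["boot_field"] == 0:
        findings.append("boot field 0x0: router stops in ROMMON on reload")
    if d["ignore_nvram"]:
        findings.append("0x0040 set: startup-config ignored at boot (recovery state); restore 0x2102")
    if d["disable_break"]:
        findings.append("0x0100 set: Break ignored only after the initial boot window; ROMMON recovery still possible")
    else:
        findings.append("0x0100 clear: Break honoured after boot")
    return findings

# Constructed sample: the register was fixed in running config, but the value
# that takes effect at the next reload is still the recovery setting.
SAMPLE = "Configuration register is 0x2102 (will be 0x2142 at next reload)\n"

if __name__ == "__main__":
    cur, nxt = parse_show_version(SAMPLE)
    for finding in audit_confreg(nxt):
        print(finding)
```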
Ivan Pepelnjak
2009-07-14 05:43:08 UTC
Just make sure you test the feature (for each ROMMON release you're using)
with a known enable password first. It's somewhat impossible to break into
some ROMMON versions.

http://blog.ioshints.info/2007/12/recovering-from-disabled-password.html

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/