There are many ways a Cisco Type-7 password can be decoded (Type 7 is reversible obfuscation, not real encryption). Look at the following encoded passwords.

They can be decoded using any of the following methods:
- Using Cisco IOS
- An online website
- A freeware program
- A Perl script
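An added example, not from the original post: a small Python audit script that does what the Perl-script option above does, and also walks an IOS config to report every Type 7 secret it carries. The XOR key is the fixed constant IOS uses (which is exactly why Type 7 is only obfuscation); the sample config is constructed for this demo.

```python
import re

# Fixed XOR key used by Cisco IOS for Type 7 strings (public constant).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Lines that carry Type 7 secrets: 'enable password 7 ...', 'username X password 7 ...',
# 'tacacs-server ... key 7 ...' and similar.
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: 2-digit decimal salt, then hex bytes XORed with XLAT."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("not a Type 7 string")
    salt = int(encoded[:2])                 # starting offset into XLAT
    data = bytes.fromhex(encoded[2:])       # raises ValueError on non-hex input
    return "".join(chr(b ^ XLAT[(salt + i) % len(XLAT)]) for i, b in enumerate(data))


def type7_encode(plain: str, salt: int = 6) -> str:
    """Build a Type 7 string the way IOS does (salt 0..15); used here to construct samples."""
    if not 0 <= salt <= 15:
        raise ValueError("salt must be 0..15")
    body = "".join(f"{c ^ XLAT[(salt + i) % len(XLAT)]:02X}"
                   for i, c in enumerate(plain.encode()))
    return f"{salt:02d}{body}"


def audit_config(config: str) -> list:
    """Return (line_no, encoded, decoded) for every Type 7 secret in an IOS config."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        for enc in TYPE7_RE.findall(line):
            findings.append((n, enc, type7_decode(enc)))
    return findings


# Constructed sample config: the 'enable password' line is the well-known encoding
# of 'cisco'; the other two Type 7 values are built with type7_encode above.
SAMPLE_CONFIG = f"""\
hostname edge-ce1
enable password 7 060506324F41
username ops password 7 {type7_encode("Sup3rs3cret", salt=11)}
tacacs-server host 10.0.0.5 key 7 {type7_encode("tacacs-shared", salt=3)}
enable secret 5 $1$placeholder$notAType7Hash
"""

if __name__ == "__main__":
    for n, enc, dec in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {enc} -> {dec!r}  (Type 7: replace with 'enable secret' / type 8 or 9)")
```

Anything this script recovers from a config backup is effectively cleartext, so Type 7 should only ever be seen as hiding a password from shoulder-surfing, never as protecting it.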
Had a really annoying problem yesterday. I was busy setting up Role-Based TACACS access on Cisco ACS and happily configuring the NDGs (Network Device Groups), the Command Authorization Sets, etc.
Started testing and kept getting "% Authentication failed" on the CLI.
At first you assume you must have made a typo or forgotten something. You double-check the config and the ACS setup and confirm the passwords are correct with no null spaces. But still no luck.
Cisco always attempts to make our lives easier, or at least sometimes.
When you set up your last CE router, did you make sure all the necessary security measures were in place? Is it protected against DoS attacks, stack or buffer overflows? Are you logging the correct information in case someone tries to access your network?
Cisco, quite some time ago, wrote a macro command combining what they believe to be the necessary and recommended features that should be enabled on every CE router.
There are two main parts of this command:
Even though this command can make your life easier, you should still understand each action it executes, or you might disable or break a function you need.
If you need to upgrade the IOS on a FWSM (Firewall Switch Module), you will soon find out that the upgrade works slightly differently from routers. You don't have the option of using multiple 'boot system' commands, nor can you copy more than one IOS image to the FWSM flash. But then what about falling back if you don't have the old/current IOS version? (And no, you can't just tftp/ftp the current image from a FWSM while it is in use.) So now what?
A really neat yet fairly undocumented feature is how the FWSM addresses the space allocation of the Flash memory. Refer to the application partitions (cf:4 and cf:5), see a previous post that listed the partition break down.
Application partition cf:4 is used by default, but cf:5 is not. Because cf:5 provides a secondary partition to boot from, it lets you test your config on a new IOS version. If you boot off cf:5 instead of cf:4, you have a clean and fresh 'dir flash:' to load a new IOS image onto, while leaving the working 'dir flash:' intact.
Just change the default boot partition to cf:5 from the switch, with
boot device module {MOD-NUMBER} cf:5
Then reload the module, load the 'test' IOS image to flash (now cf:5) and do any tests necessary. Once you are happy, remove the above command and upgrade to the new IOS on the default partition cf:4.
Password recovery on a router is easy, and it is even easier to find the steps if you don't know them.
What if you forget the login and enable passwords, or you created a lockout situation because of AAA settings on a FWSM (Firewall Switch Module) blade inside a Cisco 6500 or Cisco 7600?
You have two options.
The Cisco way is not hard but needs understanding of the hardware. The FWSM has a 128-MB Flash memory card that stores the operating system, configurations, and other data. The Flash memory includes six partitions, referenced as ‘cf:n‘.
I discovered a really annoying limitation of the Fortigate firewalls today. And although this limitation won't be encountered on a daily basis, I know this is not an unusual setup, and above that I know that the Cisco PIX firewall supports this, as I have done it before.
Suppose the following scenario:
Suppose traffic from the Big Bad Internet is destined to company BOB’s application server at 170.1.1.1:8081.
On the Fortigate you create a port-nat to the server’s internal address of 192.168.102.1.
In order to see a tcpdump-style capture of traffic flowing through a Fortigate, the diagnose sniffer command can be used from the CLI. The command syntax:
diagnose sniffer packet {interface | all} 'net z.z.z.z/p and/or host x.x.x.x and/or port yyy' [options]
You can narrow your search by filtering on any of the following:
- net/prefix : print a whole netblock
- host : print only one host
- port : print only a specific port number
- and/or : combines filter terms
The options field at the end is as follows:
- 1: print header of packets
- 2: print header and data from IP of packets
- 3: print header and data from Ethernet of packets (if available)
- 4: print header of packets with interface name
- 5: print header and data from IP of packets with interface name
- 6: print header and data from Ethernet of packets (if available) with interface name
Option '4' is particularly useful, in that it shows the associated interface for each direction of the traffic.
Examples:
diagnose sniffer packet any 'net 10.0.0.0/8 and host 172.16.16.14 and port 3389'
diagnose sniffer packet any 'host 10.4.131.97 and host 172.16.16.14 and port 3389' 4
I configure/support Fortigate firewalls on a daily basis: the baby 60DSLs, the 200As, but mostly the big 3016Bs.
Although I use the Fortimanager front-end extensively for revision history, I still prefer, and often do, work from the command line, so I thought I'd share the commands I use often.
show
sh system interface
diagnose hardware deviceinfo nic
get system status
sh firewall policy 6
sh router policy
diagnose system session list
diagnose system session clear
diagnose ip arp list
get router info routing-table all
diagnose system top
diagnose system kill 9 <id>
diag test auth ldap <server_name> <username> <password>
Ok, so an interesting problem I came across today: I needed to confirm what the pre-shared key for an IPsec tunnel was on a PIX, without changing it. The dilemma was that it shows as ********, which is not very useful!
–snip–
crypto map IPSEC interface outside
isakmp enable outside
isakmp key ******** address 10.11.12.13 netmask 255.255.255.255 no-xauth
isakmp policy 100 authentication pre-share
–snip–
To find the password, do the following:
Set up a TFTP server and create a file to upload the PIX config to. Make sure you have write and access permission on that file, and confirm beforehand that the PIX can reach the TFTP server.
Then from the pix:
Pix 6.35 Syntax
tftp-server [<if_name>] <ip> <directory>
write net [<tftp_ip>]:<filename>
Example:
(config)# tftp-server outside 196.23.0.9 /
(config)# write net 196.1.1.1:myfw
Building configuration…
TFTP write ‘//myfw’ at 196.1.1.1 on interface 0
[OK]
The file containing the config “myfw” should list the password in plain text.
–snip–
crypto map IPSEC interface outside
isakmp enable outside
isakmp key qweRTY!@# address 10.11.12.13 netmask 255.255.255.255 no-xauth
isakmp policy 100 authentication pre-share
–snip–
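The flip side of the trick above is that every 'write net' dump (and every config backup made the same way) carries the IKE pre-shared key in the clear, so those files need the same handling as the key itself. An added example, not from the original post: a Python helper that finds cleartext pre-shared keys in such a dump and produces a redacted copy safe to attach to a ticket or share with support. The sample dump is constructed from the snippet above; the pattern list is an assumption and not exhaustive.

```python
import re

# Config lines known to hold a cleartext IKE pre-shared key (constructed, not exhaustive):
# PIX 6.x 'isakmp key ...' and the newer 'pre-shared-key ...' form under tunnel-group.
SECRET_PATTERNS = [
    ("isakmp key", re.compile(r"^(\s*isakmp key\s+)(\S+)(\s+address\s+.*)$")),
    ("pre-shared-key", re.compile(r"^(\s*pre-shared-key\s+)(\S+)(.*)$")),
]
MASK = "<REDACTED>"


def redact_config(text: str):
    """Return (redacted_text, findings); findings is a list of (line_no, label)."""
    out, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        for label, pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                line = f"{m.group(1)}{MASK}{m.group(3)}"   # keep structure, drop the key
                findings.append((n, label))
                break
        out.append(line)
    return "\n".join(out) + "\n", findings


# Constructed sample: the 'write net' output from the post, with a placeholder key.
SAMPLE_DUMP = """\
crypto map IPSEC interface outside
isakmp enable outside
isakmp key qweRTY!@# address 10.11.12.13 netmask 255.255.255.255 no-xauth
isakmp policy 100 authentication pre-share
"""

if __name__ == "__main__":
    redacted, found = redact_config(SAMPLE_DUMP)
    for n, label in found:
        print(f"line {n}: cleartext {label} removed")
    print(redacted)
```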