to change password: hook up console cable, establish session. boot router hit "break key" within 60 seconds of bootup at the > prompt, type:confreg 0x2142 type "i" to reboot router router will boot up and not require a password type"enable" type"copy start run" type "conf te" type "enable secret <new password>" hit CNTRL-Z type "copy run start" reboot send me a check.
that should do it. ----- Original Message ----- From: "isa vaul" <[EMAIL PROTECTED]> To: "petard" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Friday, December 05, 2003 10:30 AM Subject: Re[2]: [Full-Disclosure] cisco acl > Hello petard, > > Friday, December 5, 2003, 3:35:19 PM, you wrote: > > p> On Fri, Dec 05, 2003 at 01:45:31PM +0100, isa vaul wrote: > >> Hello full-disclosure, > >> > >> I've got a little problem with a cisco router. > >> It has obviously been compromised. How do i know, well the password > >> has changed. So I want to retrieve the ACL from the RAM (not NVRAM) > >> to see what else maybe got compromised. > >> Does anyone know how this could be done? > >> > >> thanks for any suggestions in advance... > p> You'll probably get better answers if you: > > p> 1. google for "cisco router forensics" > p> 2. ask this question to a cisco list > p> 3. ask this question to cisco tech support. they're quite good. > > p> Assuming you've determined the changed password and the enable password, the command: > p> # show running-config > p> will display the current configuration from RAM, including any ACLs > p> IIRC. > > p> HTH, > p> petard > > p> -- > p> If your message really might be confidential, download my PGP key here: > p> http://petard.freeshell.org/petard.asc > p> and encrypt it. Otherwise, save bandwidth and lose the disclaimer. > > thanks for all the replies. > and i am aware of the 3 given possibilities. > but i thought maybe someone on the list has some quick answer as > well?!? and as it is a little urgent i just wanted to give it a try! > > Unfortunately I do not know the new password! otherwise there wouldn't > be a problem at all. > and more unfortunately it is not my network and had nothing to do with > the setup. or else i would have, as Mort pointed out, a tftp in > place. > > -- > Best regards, > nonleft mailto:[EMAIL PROTECTED] > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
