Re: [c-nsp] No Service Password Recovery
It might have something to do with the version?

CAT2924Switch#sh run
Building configuration...

Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CAT2924Switch
!
enable secret 5 $1$yWj2$gSWok9LpvLZcLKeV6qUV5/

> Hey all,
>
> I've been googling and cisco.com searching and have found nothing so far.
>
> I want to 'no service password-recovery' on an old Catalyst 2924. Does anyone know of a way?
>
> It is in a delicate environment and it doesn't support 'secret', so if it's password recovered people would be able to crack the 'password' level passwords.
>
> ...Skeeve
>
> --
> Skeeve Stevens, CEO
> eintellego Pty Ltd - The Networking Specialists
> ske...@eintellego.net / www.eintellego.net
> Phone: 1300 753 383, Fax: (+612) 8572 9954
> Cell +61 (0)414 753 383 / skype://skeeve
> www.linkedin.com/in/skeeve ; facebook.com/eintellego
> --
> eintellego - The Experts that the Experts call
> - Juniper - HP Networking - Cisco - Brocade - Arista - Allied Telesis
>
> Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced.

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] No Service Password Recovery
If the environment is that important, you might want to upgrade the switch. That switch has been EoL for a long time and probably has a whole load of caveats that are unresolved.

As others have pointed out, if the switch is accessible by 'bad guys' then they can pull the plug or swap it out.

Mack

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Skeeve Stevens
Sent: Wednesday, November 17, 2010 3:10 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] No Service Password Recovery

Hey all,

I've been googling and cisco.com searching and have found nothing so far.

I want to 'no service password-recovery' on an old Catalyst 2924. Does anyone know of a way?

It is in a delicate environment and it doesn't support 'secret', so if it's password recovered people would be able to crack the 'password' level passwords.

...Skeeve

Re: [c-nsp] No Service Password Recovery
On 11/18/10 2:28 AM, si...@pitwood.org wrote:
> It might have something to do with the version?
>
> CAT2924Switch#sh run
> Building configuration...
>
> Current configuration:
> !
> version 12.0
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption

password-encryption != password-recovery

And password-encryption == password-encryption only for very small values of encryption. This really should be called password-obfuscation as it is trivial to reverse.

The original poster didn't specify the specific problem he was trying to solve.

If the bad guys have unmonitored physical access to the switch they could swap it out with their own device entirely even if the configuration is locked down. It's not like 2924XLs are expensive or hard to get. Mitigate with RANCID, etc.

If the concern is that the same access password on the switch which could be recovered is used elsewhere in the OP's network and bad guys recovering that password could use it to attack other devices... Don't do that, then. Mitigate with unique passwords, TACACS+, etc.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

[c-nsp] No Service Password Recovery
Hey all,

I've been googling and cisco.com searching and have found nothing so far.

I want to 'no service password-recovery' on an old Catalyst 2924. Does anyone know of a way?

It is in a delicate environment and it doesn't support 'secret', so if it's password recovered people would be able to crack the 'password' level passwords.

...Skeeve

--
Skeeve Stevens, CEO
eintellego Pty Ltd - The Networking Specialists
ske...@eintellego.net / www.eintellego.net
Phone: 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
www.linkedin.com/in/skeeve ; facebook.com/eintellego
--
eintellego - The Experts that the Experts call
- Juniper - HP Networking - Cisco - Brocade - Arista - Allied Telesis

Re: [c-nsp] No Service Password Recovery
Skeeve,

Not sure I fully understand the question but I'm pretty sure 12.0 does not support this feature.

Rgds
James

On 17 Nov 2010, at 22:10, Skeeve Stevens wrote:
> Hey all,
>
> I've been googling and cisco.com searching and have found nothing so far.
>
> I want to 'no service password-recovery' on an old Catalyst 2924. Does anyone know of a way?
>
> It is in a delicate environment and it doesn't support 'secret', so if it's password recovered people would be able to crack the 'password' level passwords.
>
> ...Skeeve

Re: [c-nsp] No Service Password Recovery
On 11/17/2010 14:10, Skeeve Stevens wrote:
> Hey all,
>
> I've been googling and cisco.com searching and have found nothing so far.
>
> I want to 'no service password-recovery' on an old Catalyst 2924. Does anyone know of a way?
>
> It is in a delicate environment and it doesn't support 'secret', so if it's password recovered people would be able to crack the 'password' level passwords.

The older switches don't have 'no service password-recovery'.

~Seth

Re: [c-nsp] No Service Password Recovery
Fill the console port with super glue and cotton balls. Good luck trying to break into rommon after trying to clean that interface :)

On Wed, Nov 17, 2010 at 6:26 PM, Seth Mattinen <se...@rollernet.us> wrote:
> On 11/17/2010 14:10, Skeeve Stevens wrote:
>> Hey all,
>>
>> I've been googling and cisco.com searching and have found nothing so far.
>>
>> I want to 'no service password-recovery' on an old Catalyst 2924. Does anyone know of a way?
>>
>> It is in a delicate environment and it doesn't support 'secret', so if it's password recovered people would be able to crack the 'password' level passwords.
>
> The older switches don't have 'no service password-recovery'.
>
> ~Seth

Re: [c-nsp] No Service Password Recovery
On 11/17/10 2:10 PM, Skeeve Stevens wrote:
> Hey all,
>
> I've been googling and cisco.com searching and have found nothing so far.
>
> I want to 'no service password-recovery' on an old Catalyst 2924. Does anyone know of a way?
>
> It is in a delicate environment and it doesn't support 'secret', so if it's password recovered people would be able to crack the 'password' level passwords.

If the bad guys have access to its power cord and console port, it's pretty much game over anyway, but you can mitigate with...

* AAA to a remote tacacs+ server.
* Sync with NTP and use RANCID to track config changes and/or last save.
* Unique passwords for that device.
* It should support enable secret even if not password secret.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
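
An added example, not part of any list member's post: a small audit of a saved IOS configuration for the mitigations suggested in this thread (enable secret, AAA to a remote TACACS+ server, NTP) and for cleartext or type 7 passwords. The sample configuration, its placeholder secrets, the finding codes and the function name audit_ios_config are assumptions made for illustration.

```python
import re

# Constructed sample in the style of the 'sh run' quoted in the thread;
# every secret below is a placeholder, not a real value.
SAMPLE_CONFIG = """\
version 12.0
no service password-encryption
enable secret 5 <md5-hash-placeholder>
enable password <cleartext-placeholder>
line con 0
 password <cleartext-placeholder>
line vty 0 4
 password 7 <type7-placeholder>
"""

CHECKS = {
    "no-enable-secret": "no 'enable secret' (MD5, type 5) configured",
    "enable-password": "'enable password' present; weaker than 'enable secret'",
    "cleartext-password": "password stored in cleartext",
    "type7-password": "type 7 password; obfuscated, trivially reversible",
    "no-remote-aaa": "no 'aaa new-model' with a TACACS+ server",
    "no-ntp": "no 'ntp server'; change timestamps are unreliable",
}

# Matches 'enable password ...' and per-line 'password ...', capturing the type.
PASSWORD_RE = re.compile(r"^\s*(?:enable )?password (?:([07]) )?\S+")

def audit_ios_config(text):
    """Return the sorted finding codes (keys of CHECKS) for one config."""
    lines = [line.rstrip() for line in text.splitlines()]
    found = set()
    if not any(l.startswith("enable secret ") for l in lines):
        found.add("no-enable-secret")
    if any(l.startswith("enable password ") for l in lines):
        found.add("enable-password")
    for l in lines:
        m = PASSWORD_RE.match(l)
        if m:
            found.add("type7-password" if m.group(1) == "7" else "cleartext-password")
    has_aaa = "aaa new-model" in lines
    has_tacacs = any(l.startswith("tacacs-server host ") for l in lines)
    if not (has_aaa and has_tacacs):
        found.add("no-remote-aaa")
    if not any(l.startswith("ntp server ") for l in lines):
        found.add("no-ntp")
    return sorted(found)

if __name__ == "__main__":
    for code in audit_ios_config(SAMPLE_CONFIG):
        print(f"{code}: {CHECKS[code]}")
```

Run against the configurations a tool such as RANCID already collects, the same check flags a device whose password settings regress between saves.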