Re: [c-nsp] disable break on boot for IOS??

2009-07-14 Thread Ivan Pepelnjak
> This is good advice for newer machines but I've got a UBR 924 with
> 12.1T code on it - 'no service password-recover' isn't an option for
> me. Which config-register setting will do what I need?

None. You cannot disable break during the first minute (or so) with a config
register.

> Seems like maybe 0x8102 would do it

The disable break 0x0100 disables break after the initial one-minute (or
so) window.

Ivan

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
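
Added example, not part of the original thread: a small audit that reads the configuration-register line from `show version` output and reports the settings that bear on console break and password recovery. It assumes the standard Cisco configuration-register bit layout applies to the device; the sample lines are constructed.

```python
import re

# Configuration-register bits (standard Cisco layout, assumed to apply here).
BREAK_DISABLED = 0x0100  # bit 8: break ignored only after the first minute or so of boot
IGNORE_NVRAM = 0x0040    # bit 6: startup configuration is not loaded
DIAG_MODE = 0x8000       # bit 15: diagnostic messages, NVRAM contents ignored
BOOT_FIELD = 0x000F      # bits 0-3: 0 = ROM monitor, 1 = helper image, 2-F = normal

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def decode(value):
    """Split a register value into the settings relevant to password recovery."""
    return {
        "break_disabled": bool(value & BREAK_DISABLED),
        "skips_startup_config": bool(value & (IGNORE_NVRAM | DIAG_MODE)),
        "boot_field": value & BOOT_FIELD,
    }


def audit(show_version_text):
    """Return findings for the register value that applies at the next boot."""
    match = CONFREG_RE.search(show_version_text)
    if match is None:
        return ["no configuration register line found"]
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    findings = []
    if pending != current:
        findings.append(f"register changes from {current:#06x} to {pending:#06x} at next reload")
    state = decode(pending)
    if not state["break_disabled"]:
        findings.append("break honoured for the whole uptime")
    if state["skips_startup_config"]:
        findings.append("startup configuration skipped at boot")
    if state["boot_field"] == 0:
        findings.append("boots to ROM monitor")
    return findings


# Constructed 'show version' lines, not captured from a real device.
SAMPLES = {
    "normal": "Configuration register is 0x2102",
    "pending-recovery": "Configuration register is 0x2102 (will be 0x2142 at next reload)",
    "thread-guess": "Configuration register is 0x8102",
}
```

Under the standard layout, 0x8102 sets bit 15 as well as bit 8, so the audit reports the startup configuration as skipped for that value.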


Re: [c-nsp] disable break on boot for IOS??

2009-07-13 Thread A . L . M . Buxey
Hi,

> I have a situation with a former employee who still has legitimate
> physical access to a shared space where we have some Cisco equipment. Today
> one of our field guys located a UBR924 attached to our cable modem plant
> with the cutest little rogue Linux machine attached to its ethernet port.

do you have any proof on the install time of this box?
it could have been a legitimate install done during their time
at your place - and may have been used for e.g. remote access login
during times of issue - especially if the place has draconian
law about supported/allowed devices. I have several Linux boxes
that have saved my bacon countless times with their serial
interface.

> I recall that a machine can be set such that the break during boot will
> not permit password recovery, but it isn't clear to me how I do it. I'd

disabling password recovery? it's a one-way process - once done there is no way
back. TACACS+ authentication is a way to handle all authentication
via vty/con/etc. if password recovery mech is set there is no way to unset it
without a visit to the factory.

> really like to get this machine secured so I can dig in to what he is doing.

grab the linux box and use many of the boot CD methods to get access.
read the shell history, see the tools present etc.

alan


Re: [c-nsp] disable break on boot for IOS??

2009-07-13 Thread Matthew Huff
If you are running a newer IOS and newer ROMMON you can disable 
password-recover (i.e. break during boot) using no service password-recovery. 
Make sure to read 
http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html 
completely, you can brick a router otherwise.





Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of neal rauhauser
> Sent: Monday, July 13, 2009 5:11 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] disable break on boot for IOS??
>
> I have a situation with a former employee who still has legitimate
> physical access to a shared space where we have some Cisco equipment. Today
> one of our field guys located a UBR924 attached to our cable modem plant
> with the cutest little rogue Linux machine attached to its ethernet port.
>
> I had them recover the router's password as the first step and now I'm
> puzzling over this:
>
> http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml
>
> I recall that a machine can be set such that the break during boot will
> not permit password recovery, but it isn't clear to me how I do it. I'd
> really like to get this machine secured so I can dig in to what he is doing.
> I'd already isolated this cable plant because I knew intrusion was possible
> but I want to see what other mischief he uses our facilities for - a little
> spice for the already meaty intrusion case against him this spring.
>
> --
> mailto:n...@layer3arts.com //
> GoogleTalk: nrauhau...@gmail.com
> IM: nealrauhauser


Re: [c-nsp] disable break on boot for IOS??

2009-07-13 Thread neal rauhauser
   This is good advice for newer machines but I've got a UBR 924 with 12.1T
code on it - 'no service password-recover' isn't an option for me. Which
config-register setting will do what I need? Seems like maybe 0x8102 would
do it, but I'm in no mood to experiment across twenty miles, especially when
I'm monitoring activity for law enforcement. This guy, he is a giant pain
where I sit and has been since I started at the first of the year.


-- 
mailto:n...@layer3arts.com //
GoogleTalk: nrauhau...@gmail.com
IM: nealrauhauser


Re: [c-nsp] disable break on boot for IOS??

2009-07-13 Thread Ivan Pepelnjak
Just make sure you test the feature (for each ROMMON release you're using)
with a known enable password first. It's somewhat impossible to break into
some ROMMON versions.

http://blog.ioshints.info/2007/12/recovering-from-disabled-password.html

Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/
