A Cisco 4506 switch in a user's production environment could not be logged in to. The maintenance staff did not remember the password after it had been changed, so the only way back in was to reset it through the password recovery ("cracking") procedure.
Environment:
Cisco Catalyst 4506E switch, supervisor engine WS-X45-SUP8-E, system image cat4500es8-universal-m
Password recovery steps:
Restart the switch and press Ctrl+C to abort the boot process, as follows:
Verifying FPGA (P) Signature ......... ....... PASSED
Verifying ROMMON (P) Signature ... PASSED
************************************************************
* *
* Rom Monitor *
* Copyright (c) 2012-2013 by Cisco Systems, Inc. *
* All rights reserved. *
* *
************************************************************
Rom Monitor (P) Version 15.1 (1r) SG1
Compiled Wed 14-aug-13 17:15 [RLS]
SYSTEM:WS-X45-SUP8-E Slot [1]
Chassis:ws-c4506*e Mod [3][6]
REVISION:CPU 2.1 BOARD 4.0 FPGA 3.15f2.9155
memory:4096 MB
Date:sun Mar 05 21:32:01 2017
Type control-c to prevent autobooting ....
[Ctrl-c]
Autoboot cancelled ...!!!.
Rommon 0 >
View the system's current environment variables with the set command, as follows:
Rommon 0 >set
Ps1=rommon! >
Fa1enable=1
rommonver=15.1 (1r) SG1
Configreg=0x2101
Boot=bootflash:cat4500es8-universal. spa.03.03.00.xo.151-1.xo.bin,1;
Diagmonitoraction=normal
Ret_2_rts=14:59:24 GMT Sat 27 2016
ret_2_rcalts=
Bootedfilename=flash1:/user/cat4500es8-universal. Spa.03.03.00.xo.151-1.xo.bin
Consecpostpassedcnt=34
Note that the configuration register value is 0x2101.
Use the confreg command to change it, as follows:
Rommon 1 >confreg
Configuration Summary:
= = Load rom after netboot fails
= Console baud:9600
= Autoboot from:the first file from internal flash device
do you wish to change the configuration? y/n [n]: y
Enable "diagnostic mode"? y/n [n]: N
Enable "Use NET in IP bcast address"? y/n [n]:
Disable "Load ROM after netboot fails"? y/n [n]:
Enable "Use all zero broadcast"? y/n [n]:
Enable "Break/abort has effect"? y/n [n]:
enable "Ignore system config Info"? y/n [n]: y
Change console baud rate? y/n [n]:
Change the boot characteristics? y/n [n]:
Configuration Summary:
= = Load rom after netboot fails
= = Ignore System config Info
= Console baud:9600
= Autoboot from:the first file from internal flash device
do you wish to save this configuration? y/n [n]: y
You must reset or power cycle for new configuration to take effect
For the other options, just press Enter to accept the default. As the prompt says, the system must be restarted for the new configuration to take effect, but before restarting you can use the set command to review the environment variables, as follows:
Rommon 2 >set
Ps1=rommon! >
Fa1enable=1
rommonver=15.1 (1r) SG1
Boot=bootflash:cat4500es8-universal. spa.03.03.00.xo.151-1.xo.bin,1;
Diagmonitoraction=normal
Ret_2_rts=14:59:24 GMT Sat 27 2016
ret_2_rcalts=
Bootedfilename=flash1:/user/cat4500es8-universal. spa.03.03.00.xo.151-1.xo.bin
Consecpostpassedcnt=34
configreg=0x2141
You will notice that the register value has changed between the earlier output and this one (0x2101 before, 0x2141 now). You can now restart the system with the boot command.
After reboot:
Press RETURN to get started!
Switch>
At this point you can see that the system has bypassed the configuration file. We can then use
Switch#copy startup-config running-config
to load the configuration into the system and change the password directly with a command, but the register value must be set back once that is done:
config-register 0x2101
Restart the system, and you will find that the password recovery is complete.
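An added example, not part of the original article: the only difference between 0x2101 and 0x2141 is bit 6 (0x0040), "Ignore system config info", so a switch left at 0x2141 comes up without its startup-config and its passwords on every boot. This Python sketch decodes the register and flags that state in collected "show version" or ROMMON set output; the host names, the "host: text" line format and the sample lines are constructed, and the flag table assumes the standard IOS configuration-register bit layout.

```python
import re

# Bits behind the confreg prompts shown above (assumed standard IOS layout).
FLAGS = {
    0x8000: "diagnostic mode",
    0x4000: "use NET in IP bcast address",
    0x2000: "load ROM after netboot fails",
    0x0400: "use all zero broadcast",
    0x0100: "break/abort disabled",
    0x0040: "ignore system config info",
}
IGNORE_CONFIG = 0x0040  # the bit that turns 0x2101 into 0x2141


def decode_confreg(value):
    """Return (boot_field, [names of the flag bits set in value])."""
    return value & 0x000F, [name for bit, name in FLAGS.items() if value & bit]


# Matches "Configuration register is 0x2141 (will be 0x2101 at next reload)"
# from "show version" and "ConfigReg=0x2141" from the ROMMON set command.
_REG = re.compile(
    r"(?:configuration register is|configreg=)\s*(0x[0-9a-f]+)"
    r"(?:\s*\(will be (0x[0-9a-f]+) at next reload\))?", re.I)


def audit(text):
    """Return (host, register) for hosts whose next boot skips startup-config."""
    findings = []
    for line in text.splitlines():
        m = _REG.search(line)
        if not m:
            continue
        # A pending value, when shown, is the one used at the next reload.
        effective = int(m.group(2) or m.group(1), 16)
        if effective & IGNORE_CONFIG:
            findings.append((line.split(":")[0], effective))
    return findings


# Constructed sample input, not captured from a real device.
SAMPLE = """\
sw-a: Configuration register is 0x2101
sw-b: Configuration register is 0x2141
sw-c: Configuration register is 0x2141 (will be 0x2101 at next reload)
sw-d: ConfigReg=0x2141
"""

if __name__ == "__main__":
    print(decode_confreg(0x2101), decode_confreg(0x2141))
    print(audit(SAMPLE))
```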
*************************************************************************
In fact, password recovery on the SUP8 engine is similar to the method used for other supervisor engine series, and the official documentation describes it. If two systems are running as a VSS, the recovery process is a little different, but official documentation exists for that case as well; please refer to it.
*************************************************************************
This article is from the "Crescent Landlord" blog, please be sure to keep this source http://05wylz.blog.51cto.com/126464/1904156
Cisco Catalyst 4506E Switch Password cracking