Cisco vro local password cracking

Different vro models and different cracking methods:
The general method is the same:
Enter monitoring mode: 1. Press ctrl + break 2 within 60 seconds, the register value starts with 0x0, and directly enters monitoring mode
Modify the register value to 0x2142. Load IOS directly without loading the configuration file.
Summary steps:
1. Restart ctrl + break
2. confreg 0x2142 modify the register value to 0x2142
Reset restart
3. copy startup-config running-config to copy the startup information to the running information.
4. enable password 123 set the password
5. Router (config) # config-register 0x2102 restore the value of the storage
6. copy run start = write
 
The test procedure is as follows:

Self decompressing the image:
######
Monitor: command "boot" aborted due to user interrupt
Rommon 1> confreg 0x2142
Rommon 2 & gt; reset
System Bootstrap, Version 12.1 (3r) T2, release software (fc1)
Copyright (c) 2000 by cisco Systems, Inc.
Cisco 2811 (MPC860) processor (revision 0x200) with 60416 K/5120 K bytes of memory
Self decompressing the image:
######################################## ################################## [OK]
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
Subject to restrictions as set forth in subparagraph
(C) of the specified cial Computer Software-Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(C) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (15) T1, release software (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 06:21 by pt_rel_team
Image text-base: 0x400A925C, data-base: 0x4372CE20
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
Use. Delivery of Cisco cryptographic products does not imply
Third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible
Compliance with U. S. and local country laws. By using this product you
Agree to comply with applicable laws and regulations. If you are unable
To comply with U. S. and local laws, return this product immediately.
A summary of U. S. laws governing Cisco cryptographic products may be found:
Http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further authentication ance please contact us by sending email
Export@cisco.com.
Cisco 2811 (MPC860) processor (revision 0x200) with 60416 K/5120 K bytes of memory
Processor board ID jad051_mtz (4292891495)
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface (s)
239 K bytes of non-volatile configuration memory.
62720 K bytes of ATA CompactFlash (Read/Write)
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (15) T1, release software (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 06:21 by pt_rel_team
--- System Configuration Dialog ---
Continue with configuration dialog? [Yes/no]: no
Router & gt; enable
Router # config t
Enter configuration commands, one per line. End with CNTL/Z.
Router (config) # enable password 123
Machine (config) # config-register 0x2102
Router (config) # exit
Router # write
Building configuration...
[OK]
Router #
After the password is cracked, set the password according to the following password policy:
Note the following points when creating a vro password for cisco:
1. The password must be 1-25 characters long. It must contain numbers, letters, and characters.
2. The first letter of the password cannot be a number.
3. the space in the password will be ignored,
4. periodically change passwords based on security policies
To prevent dictionary attacks, cisco recommends using a strong password policy.
1. At least 10 Characters
2. Mixed upper and lower case letters
3. letters, numbers, and character Mixing
4. No user name or word is used
5. Do not use dictionary words
6. Generate a random password
You can also set certain permissions according to the user when setting the password.
Refer to the configuration below: these are my basic account security tests.
Router (config) # security authentication failure rate 2 log set the number of logon attempts
Router (config) # security password min-length 8 set the password length
Router (config) # enable password 123
% Password too short-must be at least 8 characters. Password configuration failed prompt that the Password is too short
Router (config) # enable password 12345678 set a simple password
Router (config) # no enable password remove the privileged password (from the user to the privileged password)
Router (config) # enable password 8 @ 1 # 163.com
Router (config) # line vty 0 4
Router (config-line) # password 3 $ % # @ hotmail
Router (config-line) # login
Router (config-line) # exit
Router (config) # line console 0
Router (config-line) # password 6 ^ & * yaho.com
Router (config-line) # exit
Router (config) # line aux 0
Router (config) # line aux 0
Router (config-line) # modem inOut
Router (config-line) # speed 9600
Router (config-line) # transport input all
Router (config-line) # flowcontrol hardware
Router (config-line) # password 79 () $ 123ghs
Router (config-line) # login
Router (config-line) # exit
Router (config) # service password-encryption password description
Except for the enable secret password, all other routers are automatically saved in the vro configuration by default. You can see these passwords using show running-config, using TFTP to transmit configuration files in an untrusted network connection, sniffer can also get these passwords.
Service passwor-encryption can encrypt the password of the router configuration file. Based on the vigenere algorithm, the configuration file is represented by number 7, a dedicated cisco algorithm. Without MD5 security, the user password and discovery process will be slowed down. This algorithm is a simple character replacement method, first originated in the 16th century. This algorithm can be cracked using a simple script program. You can place a peek password in the form of a screen or a print file.
Router (config) # username jintian secret password 123 (MD5 encryption for Local Accounts)
Service password-recovery implementation, protection of ROMMON, and password cracking of local Routers
Router (config-line) # exec-timeout 3 sets the time-out period to 3 minutes when no one in the console or the status is running
Set the privilege level: the device can set a specific level for the Administrator. Different levels have different access permissions. 0-15 levels, 16 levels.
Level 0: in user mode, five commands are supported: disable, enable, exit, help, and logout.
Level1: commands in user mode
Level2-level14 can use custom Permissions
Level15: configuration and monitoring rights
1-14 is the right to monitor
Router (config) # privilege exec level 2 ping set command Association for this level
Router (config) # enable secret level 2 santian set the password for this level
 
However, in terms of security policy, linux and cisco devices are not as good as Microsoft's windows, and similar products are not as good as H3C and Huawei products. Personally, at least cisco and linux are not very user-friendly in these aspects.