[c-nsp] Regain CLI access with snmp sets?

Lee ler762 at gmail.com
Sat Sep 10 16:19:51 EDT 2011


On 9/10/11, Persio Pucci <persio at gmail.com> wrote:
> Lee,
>
> I'll give it a try later using your suggestion. As for limiting, I already
> limit both TFTPs and who can RW into it.

Good.  When I first wrote the script we didn't limit tftp but did have
an acl on all snmp community strings.  It took me less than 10 minutes
to put my laptop on a user subnet, spoof my IP address & upload a new
config to the router that disabled all security.  Sure, I already knew
what IP address would work as well as the RW community string, but it
was still a bit of a surprise seeing just how easy it was with a bit
of knowledge.

Lee


>
> On Sat, Sep 10, 2011 at 2:14 PM, Lee <ler762 at gmail.com> wrote:
>
>> On 9/10/11, Persio Pucci <persio at gmail.com> wrote:
>> > Here are my steps:
>> >
>> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.2.200 integer 1
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.2.200 = INTEGER: 1
>> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.3.200 integer 1
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.3.200 = INTEGER: 1
>> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.4.200 integer 4
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.4.200 = INTEGER: 4
>> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.5.200 address 10.10.10.1
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.5.200 = IpAddress: 10.10.10.1
>> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.6.200 string user
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.6.200 = STRING: "user"
>> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.200 integer 4
>> >> Error in packet.
>> >> Reason: inconsistentValue (The set value is illegal or unsupported in some way)
>> >> Failed object: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.14.200
>> >
>> >
>> > As you can see, the object gets created, but it does not accept the active command
>>
>> I'm guessing the row already exists.  For createAndGo(4) to work (your
>> last snmpset) the row has to be created in one call & you've got
>> multiple snmpsets.
>>
>> Try deleting the row, doing a create & wait on the row, set the other
>> variables and then set the row status to active(1)
>>
>> Take a look at the description of ccCopyEntry in CISCO-CONFIG-COPY-MIB
>> and of RowStatus in SNMPv2-TC for a full explanation.
>>
>> And I'd strongly suggest that you restrict which hosts the router
>> allows tftp to/from.  See the
>> snmp-server tftp-server-list command.
>>
>> Regards,
>> Lee
>>
>>
>> >
>> >> persio.pucci at tacacs:/tftpboot$ snmpwalk -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.2.200 = INTEGER: 1
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.3.200 = INTEGER: 1
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.4.200 = INTEGER: 4
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.5.200 = IpAddress: 10.10.10.1
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.6.200 = STRING: "user"
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.9.200 = INTEGER: 2
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.10.200 = INTEGER: 4
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.11.200 = Timeticks: (1836298009) 212 days, 12:49:40.09
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.12.200 = Timeticks: (1836302109) 212 days, 12:50:21.09
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.13.200 = INTEGER: 3
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.14.200 = INTEGER: 1
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.15.200 = INTEGER: 1
>> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.16.200 = STRING: "10.10.10.1"
>> >> persio.pucci at tacacs:/tftpboot$
>> >
>> >
>> > On Fri, Sep 9, 2011 at 10:12 PM, Lee <ler762 at gmail.com> wrote:
>> >
>> >> On 9/9/11, Persio Pucci <persio at gmail.com> wrote:
>> >> > Would anybody have a working recipe for routers, especially 7200? I've
>> >> > been trying the ones posted at Cisco (especially the one where you need
>> >> > several commands) but the final "activate" command gets an error
>> >> > response...
>> >>
>> >> echo "processing $DEV"
>> >> echo "     delete row 3"
>> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyEntryRowStatus.3 i 6
>> >> #   6=destroy (clears any left-over row with this index)
>> >> echo "     create row 3 & wait"
>> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyEntryRowStatus.3 i 5
>> >> #   5=createAndWait (row exists, not active until the columns are set)
>> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyProtocol.3 i 1
>> >> #   use tftp
>> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopySourceFileType.3 i 1
>> >> #   1=networkFile  3=startupConfig   4=runningConfig
>> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyDestFileType.3 i 4
>> >> #   1=networkFile  3=startupConfig   4=runningConfig
>> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyServerAddress.3 a $TFTPHOST
>> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyFileName.3 s $FILE
>> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyNotificationOnCompletion.3 i 1
>> >> #  1: true  2: false
>> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyEntryRowStatus.3 i 1
>> >> #  make it active (1=active); the copy starts on this set
>> >> echo "Done!"
>> >>
>> >>
>> >> Regards,
>> >> Lee
>> >>
>> >>
>> >>
>> >>
>> >> > Em 08/09/2011, às 18:44, Mike <mike-cisconsplist at tiedyenetworks.com>
>> >> > escreveu:
>> >> >
>> >> >> Hello,
>> >> >>
>> >> >>    I am sure this can be done and am calling on my fellows to help
>> >> >> light the way!
>> >> >>
>> >> >>    I have a cisco 2970 switch newly installed in a remote, inaccessible
>> >> >> location that presently lacks OOB serial access. Due to a config error, I
>> >> >> cannot telnet into the unit due to missing config elements:
>> >> >>
>> >> >> Escape character is '^]'.
>> >> >>
>> >> >>
>> >> >> Password required, but none set
>> >> >> Connection closed by foreign host.
>> >> >>
>> >> >>
>> >> >>    I do have, however, a writable snmp community string. So I am wondering
>> >> >> if it would be possible to update the running config using snmp in order
>> >> >> to give me telnet access to this unit? It would beat a trip back out there
>> >> >> and would serve my cisco education well too. So how about it, any takers?
>> >> >>
>> >> >> Mike-
>> >> >> _______________________________________________
>> >> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >> >
>> >> >
>> >>
>> >
>>
>
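An added example, not code from this thread: a shell script that does what Lee describes (destroy any stale row, createAndWait(5), set the columns, then active(1)) and, unlike the script quoted above, waits on ccCopyState and decodes ccCopyFailCause instead of printing "Done!" as soon as the last set is accepted. Its decoder, fed the snmpwalk Persio posted, reads column 10 of row 200 as failed(4), column 13 as timeout(3) and column 14 as active(1), which is consistent with Lee's guess that the row already exists and explains the inconsistentValue on createAndGo. Assumed, not from the posts: net-snmp's snmpset and snmpget on PATH, SNMPv2c with a read-write community, TFTP as transport; the device address, community, TFTP host and file name are placeholder arguments.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: net-snmp snmpset/snmpget
# on PATH, SNMPv2c read-write community, TFTP transport, placeholder arguments.

CC_ENTRY=".1.3.6.1.4.1.9.9.96.1.1.1.1"   # ccCopyEntry in CISCO-CONFIG-COPY-MIB

# cc_oid COLUMN ROW -> numeric OID of one ccCopyEntry cell
cc_oid() { printf '%s.%s.%s\n' "$CC_ENTRY" "$1" "$2"; }

# Enumerations from CISCO-CONFIG-COPY-MIB and SNMPv2-TC RowStatus
decode_state() {          # ccCopyState (column 10)
  case "$1" in 1) echo waiting;; 2) echo running;; 3) echo successful;;
    4) echo failed;; *) echo "unknown($1)";; esac
}
decode_failcause() {      # ccCopyFailCause (column 13)
  case "$1" in 1) echo unknown;; 2) echo badFileName;; 3) echo timeout;;
    4) echo noMem;; 5) echo noConfig;; 6) echo unsupportedProtocol;;
    7) echo someConfigApplyFailed;; 8) echo systemNotReady;;
    9) echo requestAborted;; *) echo "unknown($1)";; esac
}
decode_rowstatus() {      # ccCopyEntryRowStatus (column 14)
  case "$1" in 1) echo active;; 2) echo notInService;; 3) echo notReady;;
    4) echo createAndGo;; 5) echo createAndWait;; 6) echo destroy;;
    *) echo "unknown($1)";; esac
}

# diagnose_walk: feed it the output of
#   snmpwalk -v2c -c COMMUNITY DEVICE .1.3.6.1.4.1.9.9.96.1.1.1.1
# on stdin; it prints the three columns that explain a stuck or failed row.
diagnose_walk() {
  while IFS= read -r line; do
    case "$line" in *9.9.96.1.1.1.1.*) ;; *) continue;; esac
    cell=${line%% =*}; cell=${cell#*9.9.96.1.1.1.1.}   # e.g. "10.200"
    col=${cell%%.*}; row=${cell#*.}; val=${line##*: }   # "INTEGER: 4" -> "4"
    case "$col" in
      10) echo "row $row: ccCopyState = $(decode_state "$val")($val)";;
      13) echo "row $row: ccCopyFailCause = $(decode_failcause "$val")($val)";;
      14) echo "row $row: ccCopyEntryRowStatus = $(decode_rowstatus "$val")($val)";;
    esac
  done
}

# The relevant cells of row 200 from the snmpwalk quoted in this thread.
SAMPLE_WALK='SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.2.200 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.10.200 = INTEGER: 4
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.13.200 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.14.200 = INTEGER: 1'

# cc_set COLUMN TYPE VALUE / cc_get COLUMN (CC_DEV, CC_COMM, CC_ROW set by caller)
cc_set() { snmpset -v2c -c "$CC_COMM" "$CC_DEV" "$(cc_oid "$1" "$CC_ROW")" "$2" "$3" >/dev/null; }
cc_get() { snmpget -v2c -c "$CC_COMM" -Oqv "$CC_DEV" "$(cc_oid "$1" "$CC_ROW")"; }

# cc_copy_config DEVICE COMMUNITY TFTPHOST FILENAME [ROW]
# Copies tftp://TFTPHOST/FILENAME into running-config and returns 0 only
# after the device reports ccCopyState successful(3).
cc_copy_config() {
  CC_DEV=$1 CC_COMM=$2 CC_ROW=${5:-3}
  # A left-over row (e.g. active with state failed) makes createAndGo(4)
  # return inconsistentValue, so destroy it first; an error because the row
  # does not exist is harmless.
  cc_set 14 i 6 2>/dev/null || true
  cc_set 14 i 5 || return 1     # createAndWait: row exists, not yet active
  cc_set 2 i 1 &&               # ccCopyProtocol        tftp(1)
  cc_set 3 i 1 &&               # ccCopySourceFileType  networkFile(1)
  cc_set 4 i 4 &&               # ccCopyDestFileType    runningConfig(4)
  cc_set 5 a "$3" &&            # ccCopyServerAddress   (IpAddress)
  cc_set 6 s "$4" || return 1   # ccCopyFileName
  cc_set 14 i 1 || return 1     # active(1): the copy starts on this set
  n=0; st=1
  while [ "$n" -lt 30 ]; do
    st=$(cc_get 10)
    case "$st" in
      3) echo "copy successful"; cc_set 14 i 6; return 0;;
      4) echo "copy failed: $(decode_failcause "$(cc_get 13)")"; cc_set 14 i 6; return 1;;
    esac
    sleep 2; n=$((n + 1))
  done
  echo "gave up waiting on row $CC_ROW (ccCopyState still $(decode_state "$st"))"
  return 1
}

# Usage:   cc_copy_config 10.20.30.1 COMMUNITY 10.10.10.1 router.cfg
# Offline: printf '%s\n' "$SAMPLE_WALK" | diagnose_walk
```

The row is destroyed again after the copy finishes so the next run does not trip over it; if a run is interrupted, re-running still works because the first set is destroy(6). None of this changes the exposure Lee points out: anyone who can reach the agent with the RW community and a TFTP server the router is allowed to talk to can do exactly this, so the community ACL and snmp-server tftp-server-list are the controls, not the row-status dance.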


