Locked down DoD 2950 switch

Delirious · May 2007

Well i finally got a 2950-12 off of ebay and it came today. Start it up and it loads great, then im presented with a huge banner stating this is DoD (department of defense) equipment blah blah blah.

Then a prompt for user name and password.

I tried using the Break key and Ctrl+break with no luck.

I tried holding down the mode button on the switch while it loaded, that worked but i cant do anything cause it says i dont have permission.

Is there anything i can do to make this useable? Or am i stuck with a $200.00 paper wieght

Heres the whole boot up sequence

C2950 Boot Loader (C2950-HBOOT-M) Version 12.1(11r)EA1, RELEASE SOFTWARE (fc1)
Compiled Mon 22-Jul-02 17:18 by antonino
WS-C2950-12 starting...
Base ethernet MAC Address: 00:12:da:82:e8:00
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 373 files, 4 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 7741440
flashfs[0]: Bytes used: 5345280
flashfs[0]: Bytes available: 2396160
flashfs[0]: flashfs fsck took 8 seconds.
...done initializing flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:c2950-i6k2l2q4-mz.121-22.EA6.bin"...########

File "flash:c2950-i6k2l2q4-mz.121-22.EA6.bin" uncompressed and installed, entry point: 0x80010000
executing...

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 21-Oct-05 02:22 by yenanh
Image text-base: 0x80010000, data-base: 0x80676000

Initializing flashfs...
flashfs[1]: 373 files, 4 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 7741440
flashfs[1]: Bytes used: 5345280
flashfs[1]: Bytes available: 2396160
flashfs[1]: flashfs fsck took 8 seconds.
flashfs[1]: Initialization complete.
Done initializing flashfs.
POST: System Board Test : Passed
POST: Ethernet Controller Test : Passed
ASIC Initialization Passed

POST: FRONT-END LOOPBACK TEST : Passed

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2950-12 (RC32300) processor (revision R0) with 19973K bytes of memory.
Processor board ID FOC0851W0KC
Last reset from system-reset
Running Standard Image
12 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:12:DA:82:E8:00
Motherboard assembly number: 73-5782-13
Power supply part number: 34-0965-01
Motherboard serial number: FOC08512DU9
Power supply serial number: DAB0844KCVR
Model revision number: R0
Motherboard revision number: A0
Model number: WS-C2950-12
System serial number: FOC0851W0KC

Press RETURN to get started!

!!WARNING!!
"This is a Department of Defense computer system. This computer system,
including all related equipment, networks, and network devices
(specifically including Internet access) are provided only for authorized
U.S. Government use. DoD computer systems may be monitored for all lawful
purposes, including to ensure that their use is authorized, for management
of the system, to facilitate protection against unauthorized access, and to
verify security procedures, survivability, and operational security.
Monitoring includes active attacks by authorized DoD entities to test or
verify the security of this system. During monitoring, information may be
examined, recorded, copied, and used for authorized purposes. All information,
including personal information, placed or sent over this system may be
monitored. Use of this DoD computer system, authorized or unauthorized,
constitutes consent to monitoring of this system.

Unauthorized use may subject you to criminal prosecution. Evidence of
unauthorized use collected during monitoring may be used for administrative,
criminal, or other adverse action. Use of this system constitutes consent
to monitoring for these purposes."

IAW AFI 33-129

User Access Verification

Username:

georgemc · May 2007

http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml

Remember, GOOGLE is your friend....

Darthn3ss · May 2007

georgemc wrote:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml

Remember, GOOGLE is your friend....

i think reading is also your friend...

I tried holding down the mode button on the switch while it loaded, that worked but i cant do anything cause it says i dont have permission.

but what does it say when you get to the "switch:" prompt?

Delirious · May 2007

georgemc wrote:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml

Remember, GOOGLE is your friend....

I actually had read that cisco article before i posted.

but what does it say when you get to the "switch:" prompt?

Im at work now and i dont remember exactly what it said but i couldn't use most of the commands that were available.

I had gotten this far:

Issue the flash_init command.

switch: flash_init
Initializing Flash...
flashfs[0]: 143 files, 4 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 2729472
flashfs[0]: Bytes available: 883200
flashfs[0]: flashfs fsck took 86 seconds
....done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
switch:

!--- This output is from a 2900XL switch. Output from
!--- other switches will vary slightly.

Issue the load_helper command.

switch: load_helper
switch:Issue the dir flash: command.

And it denied me access to the flash.

georgemc · May 2007

hmm...

Go to [url=http://72.14.209.104/search?q=cache:kJVRGMMxbioJ:www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_21112022.html+cisco+2950+dir+flash:+access+denied&hl=en&ct=clnk&cd=1&gl=us]this link [/url]and look at about halfway down the page. The problem sounds very similar to yours.

Georgemc

Delirious · May 2007

georgemc wrote:

hmm...

Go to this link and look at about halfway down the page. The problem sounds very similar to yours.

Georgemc

Seems like he gets to the same point i did after holding down the mode button during boot.

The thing is this switch runs fine but its locked down so tight i cant use any of the commands(atleast the few i thought would be useful).

Im at work now Darby and wont be home till 23:00 EST.

If you think its possible to get full access to the switch then class is in session.

I've already learned a few things after playing with it for just 30 min.

Rearden · May 2007

DarbyWeaver wrote:

You need my number?

Or you can get me and we can make this a lesson for every one.

If you have some time.

Darby, I'd be interested to see the answer to this. . . If he gets in touch with you, can you post how it is solved?

jvax · May 2007

Rearden wrote:

DarbyWeaver wrote:

You need my number?

Or you can get me and we can make this a lesson for every one.

If you have some time.

Darby, I'd be interested to see the answer to this. . . If he gets in touch with you, can you post how it is solved?

+1

malweth · May 2007

Wow... a DoD piece of equpment should not have been sold without the memory erased first! Probably not much you could find out on a switch, but it's likely still fouo!

Webmaster · May 2007

Yes, let's try and keep topics useful to others and future readers as well instead of turning it in to one-on-one sessions.

Delirious · May 2007

malweth wrote:

Wow... a DoD piece of equpment should not have been sold without the memory erased first! Probably not much you could find out on a switch, but it's likely still fouo!

My thoughts exactly.

Webmaster wrote:

Yes, let's try and keep topics useful to others and future readers as well instead of turning it in to one-on-one sessions.

I would like others to benefit from this if it ever can be solved.

Delirious · May 2007

Ok.... i got into it!

Followed these steps:

1.Hold down mode during boot.
2.Issue the flash_init command.
3.Issue the load_helper command.
5.i was supposed to issue the "dir flash:" command but i didn't have permission it said. This is where i stopped on previous attempts as i assumed i couldn't go any further but this time i decided to skip this step to see if the next would work.

6.rename flash:config.text flash:config.old (it worked!!)
7.Issue the boot command to boot the system.

I was able to get into enable mode without a password and do my bidding.

kafifi13 · May 2007

Good stuff guys. Thanks for sharing. I'm ordering equipment on Ebay now and they should arrive shorlty. I'm sure i'll have the same problem.

Darthn3ss · May 2007

post the config.old before you erase it.

jvax · May 2007

Darthn3ss wrote:

post the config.old before you erase it.

yeah definitely curious to see it.

mistervince · May 2007

Wow, simply amazing. That IOS feed is killer. I would probally not be that upset... realize that you now have a good dinner story... costed you 200 bucks and only CCNA's and network security nerds like myself will appreciate it. I think you however can recover the password.

I just hope you left that ebayer who sold it VERY NEGATIVE feedback. >.<

Delirious · May 2007

Darthn3ss wrote:

post the config.old before you erase it.

I didnt even think to look at it, sorry guys. Dont think there would be anything interesting in it do you?

mistervince wrote:

Wow, simply amazing. That IOS feed is killer. I would probally not be that upset... realize that you now have a good dinner story... costed you 200 bucks and only CCNA's and network security nerds like myself will appreciate it. I think you however can recover the password.

I just hope you left that ebayer who sold it VERY NEGATIVE feedback. >.<

Well it was listed as untested and it was from a govt surplus company.

Delirious · May 2007

DarbyWeaver wrote:

Sorry I got tied up a bit - but I see you found the solution.

Chances are the old config.old file is still there.

Do this:

sh flash:

Then this:

more flash:config.old

Copy and paste it...

You got it - it could be educational - I save every config I come across, never know when you are gonna find a tasty bone to chew on.

Just checked and its not there, now i want to kick myself.

Locked down DoD 2950 switch

Comments