IOS Password changer

I need a script or a program that will go out and change passwords on a lot of routers and switches.

I know they're out there, but I want a recommendation from someone who has already used one with success. I would hate to load up faulty code and lock myself out of my own network.

Thanks.

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

Pash

Didn't know this was possible, i guess you can do it using CNA with ease but would be interested to hear more.

Netstudent

You can run perl scripts through the CLI. I don't have time to learn perl.

The Cisco Enhanced Dervice Interface Cisco E-DI allows you to manage a group of devices with the CLI as one entity.

Then through Cisco E-DI you can run a perl CLI script to modify the config on the group.

But I'm not sure if the Cisco E-DI is a requirement to run perl scripts in the CLI. Secondly I'm not sure how to get this EDI interface. As far as I know it is a client/server type connection from the EDI server to the IOS.

Rearden

Netstudent, I can write up a perl script using expect if you want. Will you be able to install the Expect perl module on the machine running it from?

I did this for something once before. It goes out and actually logs in and enters commands to the CLI. so it would log on and do an 'enable secret <password>'

//you can probably also do it via snmp, which would be cleaner.

Netstudent

Can it go out and do a

username fartknocker privilege 15 password smells ?

And do I get 24 hour tech support on that code?

just kiddin.

I'm sure I could install a perl module if I had to.

Rearden

It can go out and do whatever command you put in it

As luck would have it, I have the one I used before here. Hop on AIM (Metsfan147) and tell me what method you need to use to get on it. I'll modify it accordingly and all you'll need to do is put the passwords into the file after I send it to you.

Although, I do suggest testing it on at least one thing first, just to make sure it's working as expected.

Actually, I would support my own code. If it breaks, I'll fix it for you. . . eventually

Rearden

I need to head off to class, but I'll finish it tonight, making it general enough that it won't matter how you log on.

I'll post it when it's done as even though it might be too late for you to use it, others may find it useful.

Cheers.

Netstudent

Cool man, thanks a lot. I don't need it like now. It's not top priority, but my boss is asking me about it. we telnet to everything.

dtlokee

To make your authentication infrastructure more scaleable so you don't have this issue anymore would it be possible to set up something like RADIUS or TACACS authentication to a central server?

Netstudent

actually yes that would be a better solution. A lot of our appliances use AD for authentication with LDAP. I will have to look into TACACS.

Rearden

We use tacacs+ here as well. However, that doesn't help one bit if you want to go make a configuration change to every device in your network, which is what I'm writing this for. It just happened that in this case, the change was to modify the enable password.

If you have ldap set up already, I know you can have tacacs+ authenticate through PAM on a *nix machine and have PAM set up to use LDAP. I'm not sure if tacacs can directly talk to LDAP although I wouldn't be surprised if it could.

Humper

Rearden wrote:

We use tacacs+ here as well. However, that doesn't help one bit if you want to go make a configuration change to every device in your network, which is what I'm writing this for. It just happened that in this case, the change was to modify the enable password.

If you have ldap set up already, I know you can have tacacs+ authenticate through PAM on a *nix machine and have PAM set up to use LDAP. I'm not sure if tacacs can directly talk to LDAP although I wouldn't be surprised if it could.

And that is why you purchase a license for CiscoWorks.

mikearama

I don't know if it's in your budget, but CiscoWorks made password changes to almost a hundred devices in under a minute. Even better, I was able to schedule it to do the change on Sunday at midnight.

Rearden

But why would I pay for that? Using Perl and cron, I can do scheduled password changes for free.

Humper

Rearden wrote:

But why would I pay for that? Using Perl and cron, I can do scheduled password changes for free.

Depends on how you want to maintain your devices. Thats not the only thing Ciscoworks does.

Do you work for a small shop? I can understand if its just a small company...If you work for a large enterprise Ciscoworks is a necessity.

dtlokee

Rearden wrote:

We use tacacs+ here as well. However, that doesn't help one bit if you want to go make a configuration change to every device in your network, which is what I'm writing this for. It just happened that in this case, the change was to modify the enable password.

If you have ldap set up already, I know you can have tacacs+ authenticate through PAM on a *nix machine and have PAM set up to use LDAP. I'm not sure if tacacs can directly talk to LDAP although I wouldn't be surprised if it could.

Using a central authentication server would eliminate the need to make password changes on the individual devices, that was my point.

Rearden

I work for a college. There's 150 or so closets, 2 - 4 switches per closet. I just really like coding.

//dtlokee replied while I was typing. TACAS+ is great. It's made life so much easier. When someone else needs access to the devices ( new person is hired, etc ) just give them an acconut on the tacacs+ server and go on about your business.

This whole automated telnet/ssh session started a year or two ago when I was trying to suck VLAN configs out of 3com 3300s. Those don't have the ability to copy their config to a tftp server, so I had to find a way to script a session.

I've since found the correct SNMP OIDs to do it via SNMP, but the thing was already implemented and working so I didn't bother to rewrite it.

Since then, I've used that option possibly too often, but you have to admit that it's kind of cool to sit there wataching automated sessions going.