IOS Password changer

Netstudent (Member, Posts: 1,693)
I need a script or a program that will go out and change passwords on a lot of routers and switches.

I know they're out there, but I want a recommendation from someone who has already used one with success. I would hate to load up faulty code and lock myself out of my own network.

Thanks.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!

Comments

  • Pash (Member, Posts: 1,600)
    Didn't know this was possible; I guess you can do it using CNA with ease, but I'd be interested to hear more.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • Netstudent (Member, Posts: 1,693)
    You can run perl scripts through the CLI. I don't have time to learn perl.

    The Cisco Enhanced Device Interface (Cisco E-DI) allows you to manage a group of devices with the CLI as one entity.

    Then through Cisco E-DI you can run a perl CLI script to modify the config on the group.

    But I'm not sure if the Cisco E-DI is a requirement to run perl scripts in the CLI. Secondly, I'm not sure how to get this E-DI interface. As far as I know it is a client/server type connection from the E-DI server to the IOS.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • Rearden (Member, Posts: 222)
    Netstudent, I can write up a perl script using Expect if you want. Will you be able to install the Expect perl module on the machine you'd be running it from?

    I did this for something once before. It goes out and actually logs in and enters commands into the CLI, so it would log on and do an 'enable secret <password>'.

    //you can probably also do it via snmp, which would be cleaner.
    More systems have been wiped out by admins than any cracker could do in a lifetime.
  • Netstudent (Member, Posts: 1,693)
    Can it go out and do a

    username fartknocker privilege 15 password smells ?

    And do I get 24 hour tech support on that code? Just kiddin.

    I'm sure I could install a perl module if I had to.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • Rearden (Member, Posts: 222)
    It can go out and do whatever command you put in it :)


    As luck would have it, I have the one I used before here. Hop on AIM (Metsfan147) and tell me what method you need to use to get on it. I'll modify it accordingly and all you'll need to do is put the passwords into the file after I send it to you.


    Although, I do suggest testing it on at least one thing first, just to make sure it's working as expected.

    Actually, I would support my own code. If it breaks, I'll fix it for you. . . eventually :p
    More systems have been wiped out by admins than any cracker could do in a lifetime.
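    The approach Rearden describes above (an Expect-driven session that logs in, enters enable mode and types the new secret) and his advice to test it on one device first can be combined into a rotation routine that cannot lock you out. The following is an added example, not code from this thread or from any poster: it is written in Python rather than Perl/Expect, and it runs offline against a constructed in-memory fake of an IOS CLI (FakeIosDevice, FakeTerminal, and the hostnames and passwords used are all made up). The defensive point it adds is ordering: the new enable secret is written to the running config, then proved to work from a second, independent session, and only then is `copy running-config startup-config` issued, so a bad line or a typo in the password file leaves startup-config untouched and a reload restores the old credentials. For real devices you would replace FakeIosDevice.connect() with a telnet or ssh transport exposing the same sendline()/read() pair.

```python
import re


class IosError(Exception):
    """Raised when the device answers with an IOS error or an unexpected prompt."""


class FakeIosDevice:
    """Constructed stand-in for one router: credentials plus what startup-config holds."""

    def __init__(self, hostname, login_pw, enable_pw):
        self.hostname = hostname
        self.login_pw = login_pw
        self.enable_pw = enable_pw        # live (running-config) enable secret
        self.saved_enable_pw = enable_pw  # enable secret in startup-config
        self.connect_count = 0

    def connect(self):
        """Open a fresh terminal, as each telnet/ssh session to the device would."""
        self.connect_count += 1
        return FakeTerminal(self)


class FakeTerminal:
    """One CLI session on a FakeIosDevice; walks login -> user -> enable -> config."""

    def __init__(self, dev):
        self.dev, self.mode, self.buf = dev, "login", "Password: "

    def read(self):
        return self.buf

    def sendline(self, line):
        d, h = self.dev, self.dev.hostname
        bad = "% Invalid input detected"
        if self.mode == "login":
            ok = line == d.login_pw
            self.mode, self.buf = ("user", f"\n{h}>") if ok else ("login", "\n% Access denied\nPassword: ")
        elif self.mode == "user":
            ok = line == "enable"
            self.mode, self.buf = ("enable_pw", "Password: ") if ok else ("user", f"\n{bad}\n{h}>")
        elif self.mode == "enable_pw":
            ok = line == d.enable_pw
            self.mode, self.buf = ("enable", f"\n{h}#") if ok else ("user", f"\n% Access denied\n{h}>")
        elif self.mode == "enable":
            if line == "configure terminal":
                self.mode, self.buf = "config", f"\n{h}(config)#"
            elif line == "copy running-config startup-config":
                d.saved_enable_pw, self.buf = d.enable_pw, f"\n[OK]\n{h}#"
            else:
                self.buf = f"\n{bad}\n{h}#"
        else:  # config mode
            m = re.fullmatch(r"enable secret (\S+)", line)
            if m:
                d.enable_pw, self.buf = m.group(1), f"\n{h}(config)#"
            elif line == "end":
                self.mode, self.buf = "enable", f"\n{h}#"
            else:
                self.buf = f"\n{bad}\n{h}(config)#"
        return self.buf


class Session:
    """Expect-style driver: send a line, then require the prompt we expect next."""

    def __init__(self, terminal):
        self.t = terminal

    def expect(self, prompt, out=None):
        out = self.t.read() if out is None else out
        if re.search(r"^% ", out, re.M):  # IOS prefixes every error with "% "
            raise IosError(out.strip().splitlines()[0])
        if not re.search(prompt, out):
            raise IosError(f"expected {prompt!r}, got {out!r}")
        return out

    def cmd(self, line, prompt):
        return self.expect(prompt, self.t.sendline(line))


def enter_enable(sess, login_pw, enable_pw):
    """Log in and reach privileged exec; raises IosError if either password is rejected."""
    sess.expect(r"Password: $")
    sess.cmd(login_pw, r">$")
    sess.cmd("enable", r"Password: $")
    sess.cmd(enable_pw, r"#$")


def rotate_enable_secret(device, login_pw, old_enable, new_enable):
    """Change the enable secret, verify it from a second session, then save.

    Returns "ok", or "failed: <reason>" with startup-config left untouched."""
    try:
        s = Session(device.connect())
        enter_enable(s, login_pw, old_enable)
        s.cmd("configure terminal", r"\(config\)#$")
        s.cmd(f"enable secret {new_enable}", r"\(config\)#$")
        s.cmd("end", r"#$")
        # Prove the new secret works from a fresh login before committing it.
        enter_enable(Session(device.connect()), login_pw, new_enable)
        s.cmd("copy running-config startup-config", r"\[OK\]")
        return "ok"
    except IosError as e:
        return f"failed: {e}"


if __name__ == "__main__":
    sw = FakeIosDevice("sw1", "login-pw", "old-secret")   # constructed device
    print(rotate_enable_secret(sw, "login-pw", "old-secret", "N3w-S3cr3t"))
```

    Running this against a list of devices and a password file is then a loop over rotate_enable_secret(); anything that returns "failed" has its old secret still in startup-config and can be revisited by hand, which is the property you want before pointing a script at every closet on the network.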
  • Rearden (Member, Posts: 222)
    I need to head off to class, but I'll finish it tonight, making it general enough that it won't matter how you log on.

    I'll post it when it's done as even though it might be too late for you to use it, others may find it useful.

    Cheers.
    More systems have been wiped out by admins than any cracker could do in a lifetime.
  • Netstudent (Member, Posts: 1,693)
    Cool man, thanks a lot. I don't need it like now. It's not top priority, but my boss is asking me about it. We telnet to everything.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • dtlokee (Member, Posts: 2,378)
    To make your authentication infrastructure more scalable so you don't have this issue anymore, would it be possible to set up something like RADIUS or TACACS authentication to a central server?
    The only easy day was yesterday!
  • Netstudent (Member, Posts: 1,693)
    Actually, yes, that would be a better solution. A lot of our appliances use AD for authentication with LDAP. I will have to look into TACACS.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • Rearden (Member, Posts: 222)
    We use tacacs+ here as well. However, that doesn't help one bit if you want to go make a configuration change to every device in your network, which is what I'm writing this for. It just happened that in this case, the change was to modify the enable password.

    If you have ldap set up already, I know you can have tacacs+ authenticate through PAM on a *nix machine and have PAM set up to use LDAP. I'm not sure if tacacs can directly talk to LDAP although I wouldn't be surprised if it could.
    More systems have been wiped out by admins than any cracker could do in a lifetime.
  • Humper (Member, Posts: 647)
    Rearden wrote:
    We use tacacs+ here as well. However, that doesn't help one bit if you want to go make a configuration change to every device in your network, which is what I'm writing this for. It just happened that in this case, the change was to modify the enable password.

    If you have ldap set up already, I know you can have tacacs+ authenticate through PAM on a *nix machine and have PAM set up to use LDAP. I'm not sure if tacacs can directly talk to LDAP although I wouldn't be surprised if it could.

    And that is why you purchase a license for CiscoWorks.
    Now working full time!
  • mikearama (Member, Posts: 749)
    I don't know if it's in your budget, but CiscoWorks made password changes to almost a hundred devices in under a minute. Even better, I was able to schedule it to do the change on Sunday at midnight.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • Rearden (Member, Posts: 222)
    But why would I pay for that? Using Perl and cron, I can do scheduled password changes for free.
    More systems have been wiped out by admins than any cracker could do in a lifetime.
  • Humper (Member, Posts: 647)
    Rearden wrote:
    But why would I pay for that? Using Perl and cron, I can do scheduled password changes for free.

    Depends on how you want to maintain your devices. That's not the only thing CiscoWorks does.

    Do you work for a small shop? I can understand if it's just a small company... If you work for a large enterprise, CiscoWorks is a necessity.
    Now working full time!
  • dtlokee (Member, Posts: 2,378)
    Rearden wrote:
    We use tacacs+ here as well. However, that doesn't help one bit if you want to go make a configuration change to every device in your network, which is what I'm writing this for. It just happened that in this case, the change was to modify the enable password.

    If you have ldap set up already, I know you can have tacacs+ authenticate through PAM on a *nix machine and have PAM set up to use LDAP. I'm not sure if tacacs can directly talk to LDAP although I wouldn't be surprised if it could.

    Using a central authentication server would eliminate the need to make password changes on the individual devices; that was my point.
    The only easy day was yesterday!
  • Rearden (Member, Posts: 222)
    I work for a college. There are 150 or so closets, 2-4 switches per closet. I just really like coding.

    //dtlokee replied while I was typing. TACACS+ is great. It's made life so much easier. When someone else needs access to the devices (new person is hired, etc.) just give them an account on the tacacs+ server and go on about your business.

    This whole automated telnet/ssh session started a year or two ago when I was trying to suck VLAN configs out of 3com 3300s. Those don't have the ability to copy their config to a tftp server, so I had to find a way to script a session.

    I've since found the correct SNMP OIDs to do it via SNMP, but the thing was already implemented and working so I didn't bother to rewrite it.

    Since then, I've used that option possibly too often, but you have to admit that it's kind of cool to sit there watching automated sessions going.
    More systems have been wiped out by admins than any cracker could do in a lifetime.