Cisco Router and Switch Password Cracking (by 小妞)
Router model: 2621XM
Procedure:
Router>show version
…………………
cisco 2621XM (MPC860P) processor (revision 0x200) with 126976K/4096K bytes of memory.
Processor board ID JAE075202KQ (2960342124)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
4 Low-speed serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
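Note: 0x2102 means the configuration file is loaded at boot.
0x2142 means the configuration file is not loaded at boot.
Power-cycle the router and press Ctrl+Break in HyperTerminal during boot to reach the following screen (the Break key is the Esc key):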
System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
Copyright (c) 2003 by cisco Systems, Inc.
PC = 0xfff0ac3c, Vector = 0x500, SP = 0x680127c0
C2600 platform with 131072 Kbytes of main memory
PC = 0xfff0ac3c, Vector = 0x500, SP = 0x80004884
monitor: command "boot" aborted due to user interrupt
rommon 1 >
Change the register value to 0x2142:
rommon 1 > ?
….
confreg configuration register utility
…..
rommon 2 > confreg
Configuration Summary
(Virtual Configuration Register: 0x2102)
enabled are:
load rom after netboot fails
console baud: 9600
boot: image specified by the boot system commands
or default to: cisco2-C2600
do you wish to change the configuration? y/n [n]: y
enable "diagnostic mode"? y/n [n]: n
enable "use net in IP bcast address"? y/n [n]: n
disable "load rom after netboot fails"? y/n [n]: n
enable "use all zero broadcast"? y/n [n]: n
enable "break/abort has effect"? y/n [n]: n
enable "ignore system config info"? y/n [n]: y
change console baud rate? y/n [n]: n
change the boot characteristics? y/n [n]: n
Configuration Summary
(Virtual Configuration Register: 0x2142)
enabled are:
load rom after netboot fails
ignore system config info
console baud: 9600
boot: image specified by the boot system commands
or default to: cisco2-C2600
do you wish to change the configuration? y/n [n]:
You must reset or power cycle for new config to take effect
rommon 3 >
Restart the router with the reset command:
rommon 3 > reset
After the router has booted:
Router>sh ver
Cisco Internetwork Operating System Software
………
Configuration register is 0x2142
Router#sh run // shows only the initial configuration
Router#copy startup-config run
Destination filename [running-config]?
Slot is empty or does not support clock participate
WIC slot is empty or does not support clock participate
853 bytes copied in 0.956 secs (892 bytes/sec)
Router#sh run
Building configuration...
enable password xunbo
!
Router#config
Router(config)#no enable pass
Router(config)#end
Router#sh ru
Router# copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#config 0x2102
Router(config)#end
After the next reboot only the password has been removed; the rest of the configuration is still in place.
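A router left at 0x2142 after this procedure boots without its startup-config, so the register value is worth checking across a fleet. The following Python is an added example, not part of the original write-up: it decodes the flags shown in the confreg summary above and audits the `Configuration register is ...` line of `show version`. The function names, the baseline parameter and the sample line are assumptions made for illustration.

```python
import re

# Flag names follow the ROM monitor's confreg summary quoted above.
IGNORE_CONFIG = 0x0040   # "ignore system config info": startup-config skipped at boot
BREAK_DISABLED = 0x0100  # set = Break has no effect once the system is running
ROM_FALLBACK = 0x2000    # "load rom after netboot fails"
BOOT_FIELD = 0x000F      # 0 = stop in ROM monitor, 2-F = follow "boot system" commands

# IOS appends "(will be 0x.... at next reload)" after a config-register change.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def decode_confreg(value):
    """Split a 16-bit configuration register value into the flags used here."""
    return {
        "ignore_startup_config": bool(value & IGNORE_CONFIG),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
        "boot_field": value & BOOT_FIELD,
    }

def audit_show_version(text, baseline=0x2102):
    """Return findings for the register in effect and the one pending for next reload."""
    m = CONFREG_RE.search(text)
    if m is None:
        return ["no configuration register line found"]
    states = [("current", int(m.group(1), 16))]
    if m.group(2):
        states.append(("next reload", int(m.group(2), 16)))
    findings = []
    for label, value in states:
        flags = decode_confreg(value)
        if flags["ignore_startup_config"]:
            findings.append(f"{label} register {value:#06x}: startup-config is ignored at boot")
        elif flags["boot_field"] == 0:
            findings.append(f"{label} register {value:#06x}: device stops in ROM monitor")
        elif value != baseline:
            findings.append(f"{label} register {value:#06x}: differs from baseline {baseline:#06x}")
    return findings

# Constructed sample: the line a router prints while still in the recovery state.
SAMPLE = "Configuration register is 0x2142"

if __name__ == "__main__":
    for finding in audit_show_version(SAMPLE):
        print(finding)
```
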
Switch model: 2950 series
A switch is different from a router: the procedure does not involve the configuration register.
Preparation:
Switch(config)#enable pass xunbo
Switch#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Switch#dir /all
Directory of flash:/
2 -rwx 916 Mar 01 1993 00:04:09 +00:00 vlan.dat
3 -rwx 3117090 Mar 01 1993 00:03:17 +00:00 c2950-i6q4l2-mz.121-22.EA7.bin
4 drwx 4160 Mar 01 1993 00:03:50 +00:00 html
375 -rwx 5 Mar 01 1993 00:26:31 +00:00 private-config.text
376 -rwx 831 Mar 01 1993 00:26:31 +00:00 config.text
Switch#more config.text
!
enable password xunbo
After rebooting:
Switch>en
Password:
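A password is required. Now suppose we do not know the password.
1) Power-cycle the switch and hold the Mode button during startup until the following appears: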
The system has been interrupted prior to initializing the
flash filesystem. The following commands will initialize
the flash filesystem, and finish loading the operating
system software:
flash_init
load_helper
boot
switch:
2)
switch: flash_init
Initializing Flash...
flashfs[0]: 371 files, 4 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 7741440
flashfs[0]: Bytes used: 4739072
flashfs[0]: Bytes available: 3002368
flashfs[0]: flashfs fsck took 7 seconds.
...done initializing flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
3)switch: dir flash:
Directory of flash:/
2 -rwx 916 <date> vlan.dat
3 -rwx 3117090 <date> c2950-i6q4l2-mz.121-22.EA7.bin
4 drwx 4160 <date> html
375 -rwx 5 <date> private-config.text
376 -rwx 831 <date> config.text
4)
switch: rename flash:config.text flash:config.old
switch: dir flash:
Directory of flash:/
2 -rwx 916 <date> vlan.dat
3 -rwx 3117090 <date> c2950-i6q4l2-mz.121-22.EA7.bin
4 drwx 4160 <date> html
375 -rwx 5 <date> private-config.text
376 -rwx 831 <date> config.old
5)
switch: boot // reboot
Switch>en
Switch#
00:01:31: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
Switch#
Switch#
Switch#sh run
The switch has come up with the factory-default configuration.
6)
Switch#rename flash:config.old flash:config.text
Switch#copy start run
%% Non-volatile configuration memory invalid or not present // not sure why this does not work
Switch#copy flash:config.text system:running-config
Destination filename [running-config]?
831 bytes copied in 0.716 secs (1161 bytes/sec)
Switch#sh run
hostname Switch
!
enable password xunbo
7) Next, remove the password
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no enable pass xunbo
Switch(config)#end
Switch#
00:09:05: %SYS-5-CONFIG_I: Configured from console by console
Switch#write
Building configuration...
[OK]
Switch#dir flash:
Directory of flash:/
2 -rwx 916 Mar 01 1993 00:04:09 +00:00 vlan.dat
3 -rwx 3117090 Mar 01 1993 00:03:17 +00:00 c2950-i6q4l2-mz.121-22.EA7.bin
4 drwx 4160 Mar 01 1993 00:03:50 +00:00 html
374 -rwx 5 Mar 01 1993 00:09:16 +00:00 private-config.text
376 -rwx 809 Mar 01 1993 00:09:16 +00:00 config.text
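Done!!!
Key point to remember: the procedure for a switch is different from the one for a router.
The switch does not involve the configuration register.
Steps for the switch: rename the original configuration, power-cycle, hold the Mode button, then re-import the renamed password configuration.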
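The switch procedure leaves two things an administrator can check afterwards: a renamed copy of the configuration in flash if step 6 is skipped, and an `enable password` line that `more config.text` shows in cleartext. The following Python is an added example, not part of the original write-up, that checks `dir flash:` output and a configuration file for both. The function names and the "config.*" file-name heuristic are assumptions, and the sample text is constructed from the listings above.

```python
import re

# One "dir flash:" entry: index, permissions, size, date fields, file name.
DIR_RE = re.compile(r"^\s*\d+\s+([-d])[-rwx]{3}\s+(\d+)\s+.*?(\S+)\s*$")
# "enable password|secret [level N] [encoding-type] value"
ENABLE_RE = re.compile(
    r"^enable (password|secret)(?: level \d+)?(?: (\d+))? (\S+)\s*$", re.M)

def stray_config_copies(dir_output):
    """Regular files named config.* other than config.text (heuristic, assumed)."""
    hits = []
    for line in dir_output.splitlines():
        m = DIR_RE.match(line)
        if m and m.group(1) == "-":
            name = m.group(3)
            if name.startswith("config.") and name != "config.text":
                hits.append(name)
    return hits

def weak_enable_lines(config_text):
    """Report enable passwords that are readable from the file; never echo the value."""
    findings = []
    for kind, enc, _value in ENABLE_RE.findall(config_text):
        if kind == "password" and enc in ("", "0"):
            findings.append("enable password stored in cleartext")
        elif kind == "password" and enc == "7":
            findings.append("enable password uses reversible type 7 encoding")
    return findings

# Constructed samples based on the listings shown in steps 4 and 6.
DIR_AFTER_STEP_4 = """Directory of flash:/
2 -rwx 916 <date> vlan.dat
4 drwx 4160 <date> html
375 -rwx 5 <date> private-config.text
376 -rwx 831 <date> config.old
"""
CONFIG_TEXT = "hostname Switch\n!\nenable password xunbo\n"

if __name__ == "__main__":
    print(stray_config_copies(DIR_AFTER_STEP_4))
    print(weak_enable_lines(CONFIG_TEXT))
```
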