In a lot of previous security-related articles on this site, we have focused on different security technologies mainly from a configuration standpoint. Now let’s put our knowledge to practice. Troubleshooting can be fun – if you understand the technology. We will cover several technologies including AAA, firewalls, ACLs, etc.

We will begin with basic (beginner-level) troubleshooting scenarios and move on to ‘advanced’ scenarios. Answers will be given in the next article after you’ve been given time to work through the scenarios. Remember to put your answers in the comment section.

TBS stands for Troubleshooting Beginner Scenario. The general network diagram for all the scenarios looks like this:

Ready to gain bragging rights?

TBS #1 (10 pts)

Scenario

As the national network administrator for your network, one of the network administrators under your subdivision sends you a mail explaining that he cannot remember the administrator password to a core router under his domain. He sends an attachment with the most recent backed-up configuration file of the router and tells you that the configuration has not been altered since this last backup.

Below is a snippet of the configuration file he sent in the attachment:

version 12.4
service password-encryption
no service password-recovery
!
hostname Router-Jersey
!
no aaa new-model
!
username administrator password 7 14011B0C090A2F3921
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 41.11.121.25 255.255.255.252
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

Looking at the above configuration, how can you (or direct him to) retrieve access to this router?

TBS #2 (20 pts)

Scenario

You have just begun a job as the new network administrator of an organization and you discover that the former administrator did not remember to give you the administrative username and password to one of the devices; he only gave you the configuration file. The configuration file is shown below:

version 12.4
service password-encryption
no service password-recovery
!
hostname CoreRouter
!
no aaa new-model
!
username administrator password 7 14011B0C090A2F3921
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 41.11.121.25 255.255.255.252
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
line vty 0 4
 login
!
end

You are connected to the same LAN as the above router (Fa0/0). Assuming that the configuration file is still valid, how can you retrieve access to this router? Give detailed steps. (Look closely: this scenario is not the same as the first one.)


TBS #3 (30 pts)

Scenario

As the head of network divisions for your organization, you discover that one of your former network employees made an unauthorized change to the administrative (username admin) password of a main Cisco router. Luckily, you have a backup configuration file that shows the change:

version 12.4
service password-encryption
no service password-recovery
!
hostname CoreRouter
!
no aaa new-model
!
username admin secret 5 $1$pbOl$cwrZokbriXghfrxsrkPK..
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
! 
interface FastEthernet0/1
 ip address 41.11.121.25 255.255.255.252
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
line vty 0 4
 login
 privilege level 15
 password 7 110A1016141D
!
end

You are connected to the same LAN as the above router (Fa0/0). Give detailed steps showing how you can retrieve console access to this device. Let your mind run free – there are two possible options.


TBS #4 (40 pts)

This last scenario is the toughest of the set, but with just a little bit of attention you'll get it.

Scenario

Your organization just purchased a new router for one of its branches and you are to configure that router before it is sent off to the site. You figure you'll need a remote connection to the device, so you configure a username and password and also enable line authentication using the local database. However, just before the day the router is sent out, you try to log in remotely from home and, although you are able to log in with your username/password, you face a problem when you try to configure a routing protocol.

The configuration you made is as shown below:

version 12.4
service password-encryption
no service password-recovery
!
hostname CoreRouter
!
no aaa new-model
!
username admin secret 5 $1$pbOl$cwrZokbriXghfrxsrkPK..
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
! 
interface FastEthernet0/1
 ip address 41.11.121.25 255.255.255.252
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
line vty 0 4
 login
 privilege level 15
 password 7 110A1016141D
!
end

Looking at the configuration above, what problem will you face and how will you resolve this?


Summary

We have come to the end of these scenarios that have focused on password management. I’m having fun, I hope you are *grin*. We will also look at troubleshooting scenarios for several other topics, such as AAA, Firewall, ACLs, and so on.

It seems we may have to change the naming convention to reflect the topic we are focusing on. For example, these scenarios should have been “TS-PM, i.e. Troubleshooting Scenario – Password Management.”

Till then, keep breaking and fixing stuff.


Solution to TBS #1 (10 pts)

This troubleshooting scenario is about restoring access to a router with a lost password. The first thing you notice is that the password-recovery procedure (breaking into ROMMON at start-up) is disabled by the no service password-recovery command. It means you can't tell the administrator to send the break sequence at start-up. But the great thing is that you don't need to!

From the configuration, you will discover three things:

  • The username “administrator” is configured with the password option, meaning it is either in clear text or it will be encrypted using the Vigenère algorithm. The “7” after the password option tells you that Vigenère is being used (because of the service password-encryption command).
  • Looking at the VTY lines, you notice that the only command under them is the “login” command.

    It means that, without a password configured under those lines, you will get the “Password required, but none set” message when you try to log in via a remote connection, and the connection will be terminated. This also tells you that, even if you recover your administrator account password, it will not be useful for remote connections.

  • Finally, take a look at the console line configuration.

    There is no password configured for console access. Also, with the “privilege level 15” command under that line, anyone who logs in through that line will be placed at a privilege level of 15 (because there are no other authentication/authorization commands configured).

    Aha! You found your opening. You should tell the administrator to connect via the console line and reset the password (if required) and possibly also configure a password or login local for the VTY lines.


Solution to TBS #2 (20 pts)

This scenario looks almost like the first one above but with a key difference: The console line has the login local command configured. This means that even if you connect to the console, you will be required to enter a username and password combination and the only one you have is the “administrator” account whose password you can’t remember.

This is where an old enemy, the “7”, becomes your friend. It is an enemy because it is a security weakness, but here that weakness works in your favour. As mentioned before, the “7” tells you that the password is encrypted with the Vigenère algorithm, so all you have to do is run it through a type 7 password cracker (online or any other tool), such as the one at http://www.ifm.net.nz/cookbooks/passwordcracker.html.

Now you can take that password (“vigenere”) and log in via the console with the “administrator” username.


Solution to TBS #3 (30 pts)

If you notice, this scenario is also similar to the one before it. However, there are some differences:

  • The username is hashed with MD5, as revealed by the “5” after the secret option. This is a reminder of the difference between password and secret: you cannot crack this secret as easily as you would a Vigenère-encrypted password. Therefore, there's no solution here.
  • The console line has the “login local” command configured and, since we can’t crack the configured user’s secret, there’s no solution here either.
  • Lastly, the VTY lines have a password configured. This password can be cracked easily because it is encrypted using the Vigenère algorithm.

    Cracking this password will reveal it to be “cisco”. Now you can just open a remote connection to your router and log in using the password. You will also be put in privileged EXEC mode because of the privilege level 15 command.

If you stop here, I’m afraid you have missed the point, because the question asked is to “retrieve CONSOLE access”. So there is more to do. Tricky, huh? Once you have logged in via the remote connection, there are two things you can do:

  1. Change the secret of the “admin” user. You don’t need to know the old password to do it. You will then be able to connect to the console using the admin user and the newly configured secret.
  2. A second method is to remove the login local command under the console line. Depending on your security policy, this may or may not be acceptable.


Solution to TBS #4 (40 pts)

This scenario focuses on remote connections, so we should not have to worry about the console line (for now). As the question mentions, you will indeed be able to log in using the username that is configured. This is because of the “login local” command that is under the VTY line configuration.

However, the problem the administrator will face is that, upon login, he will not be placed in privileged EXEC mode, because the “admin” username does not have a “privilege” option assigned to it. If he then tries to get into that mode using the enable command, it will not work because there is no enable secret/password! The error message will be “% No password set”.

Therefore, the administrator needs to configure an enable password/secret or add a privilege option to the username.
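As an added example that is not part of this article, here is a Python audit for the password-management issues the four solutions describe: it flags reversible type 7 strings (showing what they decode to), lines with login but no password, unauthenticated lines at privilege 15, and login local with neither an enable secret nor a privilege-15 user. The type 7 key stream is Cisco's publicly documented one; the sample config is constructed to match the TBS #4 narrative, and only the typed username form written by service password-encryption is parsed.

```python
import re

# Cisco's publicly documented type 7 key stream: "password 7" is reversible obfuscation, not a hash.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc):
    """Two-digit key offset, then hex bytes XORed with the rolling key."""
    off, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(off + i) % len(TYPE7_KEY)])) for i, b in enumerate(body))


def audit_config(text):
    """Return the password-management findings the four scenarios turn on."""
    findings, lines, user_privs, has_enable, cur = [], {}, [], False, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s == "!":
            continue
        if not raw.startswith(" "):  # top-level command starts a new block
            cur = s if s.startswith("line ") else None
            if cur:
                lines[cur] = []
            has_enable |= s.startswith("enable ")
            # Typed form only, i.e. what service password-encryption writes out.
            m = re.match(r"username (\S+)(?: privilege (\d+))? (password|secret) (\d) (\S+)$", s)
            if m:
                name, priv, kind, typ, val = m.groups()
                user_privs.append(int(priv or 1))
                if kind == "password" and typ == "7":
                    findings.append(f"username {name}: type 7 is reversible -> '{type7_decode(val)}'")
        elif cur:
            lines[cur].append(s)
    for name, cmds in lines.items():
        pw = [c.split()[2] for c in cmds if c.startswith("password 7 ")]
        if pw:
            findings.append(f"{name}: type 7 line password is reversible -> '{type7_decode(pw[0])}'")
        if "login" in cmds and not any(c.startswith("password") for c in cmds):
            findings.append(f"{name}: 'login' with no password -> 'Password required, but none set'")
        if not any(c.startswith("login") for c in cmds) and "privilege level 15" in cmds:
            findings.append(f"{name}: no login check, anyone on the line gets privilege 15")
        if ("login local" in cmds and "privilege level 15" not in cmds
                and not has_enable and 15 not in user_privs):
            findings.append(f"{name}: 'login local' lands users in user EXEC; 'enable' fails (% No password set)")
    return findings


# Constructed config matching the TBS #4 narrative (not the page's own file).
TBS4_LIKE = """username admin secret 5 $1$pbOl$cwrZokbriXghfrxsrkPK..
line vty 0 4
 login local
"""
```

Running audit_config over the TBS #1 configuration reports the reversible administrator password, the unauthenticated privilege-15 console and the passwordless VTY lines, which is exactly the reasoning in the first solution.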
