-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is all true, and shows one of the security issues with bringing
broadband access to the uneducated user.

Since this is sort of related, I had to do a password recovery on a 675,
which is an undocumented procedure (or at least not in the manual).

To recover the password you do the following steps:

1. Reboot the Cisco 675
2. Access the device through the serial Console (Speed: 34000, 8, N,1)
3. Issue the break command, <CTRL>-C
4. The Cisco 675 should display a prompt =>
5. Issue the command: ES 6 (Erase Page? 6)
6. Issue the command: M0 (Turn off monitor mode.)
7. Issue the command: go
8. The modem should reboot, with exec and ena passwords removed.

*NOTE: You will also lose your entire config.

Apparently the whole ROM monitor mode on the 675 is a bit strange, most
likely due to it being a former NetSpeed product.

Bodie

<DISCLAIMER>Views expressed here are not those of Space Imaging.</DISCLAIMER>

> -----Original Message-----
> From: DeMoNx [mailto:demonxat_private]
> Sent: Saturday, July 31, 1999 2:58 PM
> To: BUGTRAQat_private
> Subject: Cisco 675 password nonsense
>
> (First of all please forgive me if you disapprove of my use of the word
> router. I just think it's a bit more appropriate term than 'modem' for
> the hardware being discussed.)
>
> Is your DSL router an open book???
>
> When a certain long distance provider/isp in my area began forcefully
> switching all non-business/special adsl accounts over to using PPP
> rather than bridging mode for 'security reasons', I got a little
> suspicious. With bridging mode enabled on a Cisco 675, one used to be
> able to hook up seemingly limitless machines (provided you have the
> hubs), to one dsl connection using dhcp. Now with PPP, your dhcp server
> becomes 10.10.10.0...your 675, which in turn uses dhcp or ipcp to handle
> traffic between itself and your isp....blah blah blah etc.
>
> My point is, with all this wonderfully confusing hubbub, many people I'm
> sure are pulling their hair out trying to fathom the first 5 pages of
> the 'CBOS Users Guide', trying in vain to set up their dsl to avoid
> paying $90 to the guys that will end up coming to their house and
> setting it up for them. The problem is, *most* of these guys don't set
> passwords on the 675's. It is very simple to compromise an unpassworded
> 675. Simply hit 'enter' at the password prompt after telnetting in, if
> you get a cbos> prompt you are half way there, NOT GOOD. If there is no
> exec mode password set, then there most likely won't be an
> enable(superuser) mode password either. So, at this prompt you simply
> type 'enable' and hit enter twice. If you are in enable mode, your
> prompt will change to the # symbol, and you have full access to all the
> router's settings. ISPs are letting this happen, people are buying this
> technology without any knowledge that they may be at this kind of risk.
> Below is a log of one such Cisco 675. The IPs and hostnames have been
> changed to protect the irresponsible *and* the uninformed.
>
> ---
>
> $telnet adslppp93.lame.isp.net
> Trying 296.161.127.93...
> Connected to adslppp93.lame.isp.net.
> Escape character is '^]'.
>
> User Access Verification
> Password:               (Just hit enter, whoa! No password!)
>
> cbos>enable             (with just 8 keystrokes full access is given)
>
> Password:
>
> cbos#stats ppp          (Hmm, who's 675 is this?)
>
> VC      VPI/VCI  STATE         MRU   USERNAME  RADIUS    TX      RX
> wan0-0  01/01    Opened State  2048  poorsap   disabled  358673  358956
>
> cbos#exit
> Connection closed by foreign host.
>
> now, to change these passwords (the easiest way of securing the router)
>
> type 'enable' hit enter to enter administration mode
>
> then type 'set password exec clear NEWPASSWORD exec' to keep em out
>
> and then 'set password enable clear NEWPASSWORD enable' to change the
> superuser password.
>
> This is what the person who set up the 675 *SHOULD* have done prior to
> leaving the jobsite.
>
> Bill Watts
>

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN6cKI2TMguO+vON8EQLN5gCePv90Igjn6r6OFk5fPSwxIGhM160An2gt
FwdHlGjPN2AKYsw3kVN+blIq
=+GE5
-----END PGP SIGNATURE-----
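
The following is an added example, not part of either post and not Cisco tooling: a Python check that reads a captured installer session log and reports whether both password commands named in the quoted message were issued at the `cbos#` prompt. Only the `cbos>` / `cbos#` prompts and the `set password exec|enable` command prefixes come from the post; the function name and both transcripts are constructed for illustration.

```python
import re

# The cbos> / cbos# prompts and the "set password exec|enable" command
# prefixes come from the post; the transcripts below are constructed.
PROMPT = re.compile(r"^cbos([>#])\s*(.*)$")
SET_PW = re.compile(r"^set password (exec|enable)\b", re.IGNORECASE)

def audit_session(transcript):
    """Return a list of findings for one captured CBOS session log."""
    changed, findings = set(), []
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # banner, command output, or a Password: prompt
        mode, command = m.group(1), m.group(2).strip()
        pw = SET_PW.match(command)
        if not pw:
            continue
        level = pw.group(1).lower()
        if mode == "#":  # '#' is the enable-mode prompt
            changed.add(level)
        else:
            findings.append(f"set password {level} typed at cbos>, not in enable mode")
    for level in ("exec", "enable"):
        if level not in changed:
            findings.append(f"{level} password not set in this session")
    return findings

# Constructed session matching the one in the post: nothing was hardened.
UNHARDENED = """User Access Verification
Password:
cbos>enable
Password:
cbos#stats ppp
cbos#exit
"""

# Constructed session where the installer ran both commands from the post.
HARDENED = """cbos>enable
Password:
cbos#set password exec clear NEWPASSWORD exec
cbos#set password enable clear NEWPASSWORD enable
cbos#exit
"""

if __name__ == "__main__":
    for name, log in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, audit_session(log) or "both passwords set")
```

Session logs that contain the `set password` lines also contain the new passwords in clear text, so they need the same handling as the passwords themselves.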