Blog: How-Tos

Cisco device config dumping

Andrew Tierney 26 Oct 2018

Quick guide to recovering configs from Cisco switches and routers

We have recently done work in situations where recovering the Cisco config from one device (e.g. an edge switch) can give us useful information.

This includes:

  • VLANs (even for VLANs that are not used on that piece of equipment)
  • Which ports are trunk/access.
  • Passwords – both type 5 (hashed) and type 7 (encrypted). These can be used to reconfigure the running switch and are often reused on other bits of gear.
  • Firewalling – including which IPs you shouldn’t be accessing
  • VPN endpoints

Many switches will have protection on SSH/web, with a password.

The first port of call is the serial console. This can be in the form of:

  • A micro USB port, which enumerates as a serial device.
  • A RJ45 serial console
  • A DB9 serial console

You need a USB-to-Serial adapter for the last two, and it has to be a genuine RS232 one, not TTL.

All Cisco stuff seems to use 9600 8N1.

Often with a serial cable you’ll get in immediately and can just run “show running-config” and you will have the configuration file.

Sometimes the serial console requires a password as well. Luckily Cisco have made it possible to work around this.

First, in classic IT Crowd style turn it off and on again, then look for two things:

  • “Password recovery is enabled” – this means we can perform the attack.
  • How long it takes to boot. Some Cisco gear takes a long time and it is good to know how long this is before you do something that makes you think you broke it.

The procedure then varies from device to device. Google for “cisco <> password recovery” and you should find instructions. There are three that I’ve seen:

Cisco switches

  1. Power down the switch
  2. Power up the switch with the “Mode” button on the front pressed.
  3. Wait. Either until the “Password recovery is enabled” or the green LED goes solid. Guides says “seconds” or “15 seconds”, and it can be 90s.
  4. You get a “switch:” prompt. Type “flash_init”
  5. Once a prompt comes back, type “cat flash:config.text” and it will dump the config.
  6. Type “boot” and the device will continue booting.

Cisco 29xx ISR routers

  1. Power down the router.
  2. Remove the compact flash card from the front – it is under a metal cover.
  3. Power up the router and wait for the “rommon 1>” prompt. Type “confreg 0x2142”.
  4. At “rommon 2>” type “reset”
  5. Wait for the router to restart. It now thinks it has no config and goes into a wizard. You MUST type no or press ctrl-C or you will overwrite the config.
  6. Type “enable”
  7. Type “configure memory” to copy the NVRAM into memory.
  8. Type “show running-config” to get the config.
  9. Type “config-register 0x2102” to put the device back to boot from NVRAM.
  10. Power cycle the device

Smaller routers

  1. Power down the router.
  2. Power up the router and press break (check your terminal documentation, ctrl-A F in Minicom) a lot whilst it boots.
  3. Wait for the “rommon 1>” prompt. Type “confreg 0x2142”.
  4. At “rommon 2>” type “reset”
  5. Wait for the router to restart. It now thinks it has no config and goes into a wizard. You MUST type no or press ctrl-C or you will overwrite the config.
  6. Type “enable”
  7. Type “configure memory” to copy the NVRAM into memory.
  8. Type “show running-config” to get the config.
  9. Type “config-register 0x2102” to put the device back to boot from NVRAM.
  10. Power cycle the device

None of this is without risk so be careful, you can easily delete the config by mistake.

Conclusion

So what’s the impact? During an engagement we gained access to an edge switch that only had a couple of ports patched, and nothing was connected. There was a chance that the device contained credentials that would be of use. A couple of minutes later, we have several Cisco type 5 passwords, which we can easily decrypt. The passwords were complex enough that we would never have found them by guessing or brute-force. And guess what? They worked across the entire estate of equipment – and not only Cisco gear.

How do you deal with this?

  • Use type 5 passwords (hashed, not encrypted)
  • Use complex passwords
  • Avoid re-using passwords across all equipment
  • Audit configs for sensitive data (VPN keys, VLANs)
  • Physically protect network assets
  • Disable password recovery (“no service password-recovery”)