Archive for the 'Technology' Category

Have you ever inherited network equipment, whether by buying a used switch on eBay or because poor documentation left no record of the password(s) for your network devices? I ran into this situation when replacing my organization's Layer 2 switches. I needed these passwords in order to look up current configuration settings so I could plan and design our new network appliances, but they were nowhere to be found. So what do you do? Here is a tutorial that will show you how to recover passwords from Cisco Catalyst Fixed Configuration Layer 2 and Layer 3 switches.

Disclaimer: Use at your own risk. These instructions are here for reference; before you take these measures, you should back up current configuration files and/or consult with Cisco support.

Introduction

This document describes the password recovery procedure for the Cisco Catalyst Layer 2 fixed configuration switches 2900XL/3500XL, 2940, 2950/2955, 2960, and 2970 Series, as well as the Cisco Catalyst Layer 3 fixed configuration switches 3550, 3560, and 3750 Series.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Step-by-Step Procedure

Follow the password recovery procedure below.

  1. Attach a terminal or PC with terminal emulation (for example, Hyper Terminal) to the console port of the switch. Use the following terminal settings:
    • Bits per second (baud): 9600
    • Data bits: 8
    • Parity: None
    • Stop bits: 1
    • Flow Control: Xon/Xoff

    Note: For additional information on cabling and connecting a terminal to the console port, refer to Connecting a Terminal to the Console Port on Catalyst Switches.

  2. Unplug the power cable.
  3. Power the switch and bring it to the switch: prompt.
    For 2900XL, 3500XL, 2940, 2950, 2960, 2970, 3550, 3560, and 3750 series switches, do this: Hold down the mode button located on the left side of the front panel while you reconnect the power cable to the switch.

    Catalyst Switch Series: LED Behavior and Mode Button Release Action
    • 2900XL, 3500XL, 3550: Release the Mode button when the LED above Port1x goes out.
    • 2940, 2950: Release the Mode button after approximately 5 seconds when the Status (STAT) LED goes out. When you release the Mode button, the SYST LED blinks amber.
    • 2960, 2970: Release the Mode button when the SYST LED blinks amber and then turns solid green. When you release the Mode button, the SYST LED blinks green.
    • 3560, 3750: Release the Mode button after approximately 15 seconds when the SYST LED turns solid green. When you release the Mode button, the SYST LED blinks green.

    Note: LED position may vary slightly depending on the model.

    [Figure: Catalyst 3524XL]

    [Figure: Catalyst 2950-24]

    For 2955 series switches only:

    The Catalyst 2955 series switches do not use an external mode button for password recovery. Instead, the switch boot loader uses break-key detection to stop the automatic boot sequence for password recovery purposes. The break sequence is determined by the terminal application and operating system used. Hyperterm running on Windows 2000 uses Ctrl + Break. On a workstation running UNIX, Ctrl-C is the break key. For more information, refer to Standard Break Key Sequence Combinations During Password Recovery.

    The example below uses Hyperterm to break into switch: mode on a 2955.

    C2955 Boot Loader (C2955-HBOOT-M) Version 12.1(0.0.514), CISCO DEVELOPMENT TEST
    VERSION
    Compiled Fri 13-Dec-02 17:38 by madison
    WS-C2955T-12 starting...
    Base ethernet MAC Address: 00:0b:be:b6:ee:00
    Xmodem file system is available.
    Initializing Flash...
    flashfs[0]: 19 files, 2 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 7741440
    flashfs[0]: Bytes used: 4510720
    flashfs[0]: Bytes available: 3230720
    flashfs[0]: flashfs fsck took 7 seconds.
    ...done initializing flash.
    Boot Sector Filesystem (bs:) installed, fsid: 3
    Parameter Block Filesystem (pb:) installed, fsid: 4
    
    *** The system will autoboot in 15 seconds ***
    Send break character to prevent autobooting.
    
    
    !--- Wait until you see this message before
    !--- you issue the break sequence.
    !--- Ctrl+Break is entered using Hyperterm.
    
    
    The system has been interrupted prior to initializing the flash file system to finish
    loading the operating system software:
    
    flash_init
    load_helper
    boot
    switch:
  4. Issue the flash_init command.
    switch: flash_init
    Initializing Flash...
    flashfs[0]: 143 files, 4 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 3612672
    flashfs[0]: Bytes used: 2729472
    flashfs[0]: Bytes available: 883200
    flashfs[0]: flashfs fsck took 86 seconds
    ....done Initializing Flash.
    Boot Sector Filesystem (bs:) installed, fsid: 3
    Parameter Block Filesystem (pb:) installed, fsid: 4
    switch:
    
    !--- This output is from a 2900XL switch. Output from
    !--- other switches will vary slightly.
    
  5. Issue the load_helper command.
    switch: load_helper
    switch:
  6. Issue the dir flash: command. Note: Make sure to type a colon ":" after the dir flash. The switch file system is displayed:
    switch: dir flash:
    Directory of flash:/
    2    -rwx  1803357   <date>               c3500xl-c3h2s-mz.120-5.WC7.bin
    
    !--- This is the current version of software.

    4    -rwx  1131      <date>               config.text

    !--- This is the configuration file.
    
    5    -rwx  109       <date>               info
    6    -rwx  389       <date>               env_vars
    7    drwx  640       <date>               html
    18   -rwx  109       <date>               info.ver
    403968 bytes available (3208704 bytes used)
    switch:
    
    !--- This output is from a 3500XL switch. Output from
    !--- other switches will vary slightly.
    
  7. Type rename flash:config.text flash:config.old to rename the configuration file.
    switch: rename flash:config.text flash:config.old
    switch:
    
    !--- The config.text file contains the password
    !--- definition.
    
  8. Issue the boot command to boot the system.
    switch: boot
    Loading "flash:c3500xl-c3h2s-mz.120-5.WC7.bin"...###############################
    ################################################################################
    ######################################################################
    File "flash:c3500xl-c3h2s-mz.120-5.WC7.bin" uncompressed and installed, entry po
    int: 0x3000
    executing...

    !--- Output suppressed.
    !--- This output is from a 3500XL switch. Output from other switches
    !--- will vary slightly.
    
  9. Enter “n” at the prompt to abort the initial configuration dialog.
    --- System Configuration Dialog ---
    At any point you may enter a question mark '?' for help.
    Use ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets '[]'.
    Continue with configuration dialog? [yes/no]: n
    
    !--- Type "n" for no.

    Press RETURN to get started.

    !--- Press Return or Enter.

    Switch>

    !--- The Switch> prompt is displayed.
    
  10. At the switch prompt, type en to enter enable mode.
    Switch>en
    Switch#
  11. Type rename flash:config.old flash:config.text to rename the configuration file with its original name.
    Switch#rename flash:config.old flash:config.text
    Destination filename [config.text]
    
    !--- Press Return or Enter.
    
    Switch#
  12. Copy the configuration file into memory.
    Switch#copy flash:config.text system:running-config
    Destination filename [running-config]?
    
    !--- Press Return or Enter.
    
    1131 bytes copied in 0.760 secs
    Sw1#

    The configuration file is now reloaded.

  13. Overwrite the current passwords that you do not know. Choose a strong password with at least one capital letter, one number, and one special character. Note: Overwrite the passwords which are necessary. You need not overwrite all of the mentioned passwords.
    Sw1# conf t

    !--- To overwrite existing secret password

    Sw1(config)#enable secret <new_secret_password>

    !--- To overwrite existing enable password

    Sw1(config)#enable password <new_enable_password>

    !--- To overwrite existing vty password

    Sw1(config)#line vty 0 15
    Sw1(config-line)#password <new_vty_password>
    Sw1(config-line)#login

    !--- To overwrite existing console password

    Sw1(config-line)#line con 0
    Sw1(config-line)#password <new_console_password>
    
  14. Write the running configuration to the configuration file with the write memory command.
    Sw1#write memory
    Building configuration...
    [OK]
    Sw1#
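
Step 13 says to overwrite only the passwords that are necessary. As an added example (not part of the original procedure or of Cisco's documentation), this Python script reads a saved copy of the recovered config.text and reports which of the password kinds from step 13 are set and how each is stored, without printing the values. The sample configuration, its placeholder values and the function names are constructed for illustration.

```python
import re

# Constructed sample standing in for a recovered flash:config.text.
# Hashes and passwords are placeholders, not real values.
SAMPLE_CONFIG = """\
hostname Sw1
!
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
enable password 7 00000000000000
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
line con 0
 password placeholder-console
line vty 0 4
 password 7 00000000000000
 login
!
end
"""

# How IOS stores each password type in the configuration file.
STORAGE = {None: "cleartext", "0": "cleartext",
           "5": "MD5-based hash", "7": "reversible obfuscation"}

CRED_RE = re.compile(
    r"^\s*(?P<kind>enable secret|enable password|password)"
    r"\s+(?:(?P<type>\d+)\s+)?(?P<value>\S.*)$")


def audit_credentials(config_text):
    """Return (context, kind, storage) for every password line; never the value."""
    findings, context = [], "global"
    for line in config_text.splitlines():
        if line and not line[0].isspace():
            # A non-indented line is a global command or opens a new block.
            context = line.strip() if line.startswith("line ") else "global"
        match = CRED_RE.match(line)
        if match:
            storage = STORAGE.get(match["type"], "other type " + str(match["type"]))
            findings.append((context, match["kind"], storage))
    return findings


def weak_entries(findings):
    """Entries stored as cleartext or type 7, recoverable by anyone who reads the file."""
    return [f for f in findings if f[2] in ("cleartext", "reversible obfuscation")]


if __name__ == "__main__":
    for context, kind, storage in audit_credentials(SAMPLE_CONFIG):
        print(f"{context:14} {kind:16} {storage}")
```

Entries reported as cleartext or reversible obfuscation are the first candidates to overwrite in step 13, since the configuration file itself discloses them.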

How to backup or copy a DVD

Posted by andyyeun on June 18th, 2008

Disclaimer: This technique should be used only to create backup copies of movies you have legally purchased and/or own. You should not back up or copy media or copyrighted material without authorized permission or consent from the publisher.

Most DVDs are protected or encrypted to make it impossible for users to copy or back up DVD media. In order to back up a DVD you must decrypt the DVD before copying it to blank DVD media. Unlike copying most CD media, where a one-to-one copy is typically used, one-to-one copies of protected/encrypted DVDs are nearly impossible.

Blank DVD media: Depending on your home DVD player you may need to verify supported DVD formats (i.e. DVD+R or DVD-R). The best rule of thumb is to purchase at least 2 different brands and find which one works best. Once you find media that works consistently, don't deviate on brand and type.

Tools used for this tutorial:

1) DVD Decrypter (Free) - Can be downloaded from http://www.dvddecrypter.org.uk

2) Nero 7 Ultra Edition (Although any CD/DVD burning software can be used i.e., Roxio CD Creator)

Step 1:

Download DVD Decrypter from the link above and install it.

Step 2:

Start DVD Decrypter

Step 3:

Insert the DVD you wish to back up. You will receive a prompt telling you that a region code has not been set. Click “Yes”, select your region and click “OK”.

Step 4:

Once you select your region code as shown in Step 3 you will notice that the right hand listbox will populate with various files with various file extensions (mainly .IFO, .BUP and .VOB)

Step 5:

Select your destination or leave the defaulted destination path (C:\[DVDTITLE]\VIDEO_TS).

Step 6:

Click on the following DVD -> Hard Disk icon to begin the decryption process. This will decrypt the files displayed in your listbox to your right to the destination you specified in Step 5.

Step 7:

Grab a beer and relax. This process should take anywhere between 25-40 minutes. Once the decryption process has completed move on to Step 8.

Step 8:

Browse to the destination path you specified in Step 5 to verify the files. If you specified C:\MOVIE\VIDEO_TS you would click the following -> Double-click “My Computer” -> “Local Disk (C:)” -> MOVIE -> VIDEO_TS. At this point if you have files (.IFO, .BUP, and .VOB) in your destination folder you have successfully decrypted your DVD. The next step is to burn it to media.

Step 9:

Open Nero or Roxio and create a “DATA DVD”

Step 10:

Create two empty folders in your empty project called “VIDEO_TS” and “AUDIO_TS”

Step 11:

Open the “VIDEO_TS” folder you created in Step 10 and add the entire contents from your decrypted movie. Make sure you only copy the contents of C:\[MOVIETITLE]\VIDEO_TS and not the VIDEO_TS folder itself. The AUDIO_TS folder should be left empty.

Step 12:

Click “Burn DVD”

Step 13:

Congratulations, you have successfully backed up a copy of your DVD!

My first experience as a Professor…

Posted by admin on May 15th, 2008

Yesterday I administered the Final Exam for my Advanced Visual Basic.NET programming course. This concluded my first class as an Adjunct Professor for Chaffey Community College (Rancho Cucamonga). My overall thoughts are that teaching is definitely my ultimate career goal. I enjoy the environment, the work, and the overall satisfaction that my students will take the material they learned in my course with them for their entire careers. When I look back at my first couple of classes, I was a bit nervous and hesitant. I didn’t know if I would be able to articulate the difficult concepts involved with programming. Furthermore, I was a bit overwhelmed to look out and see students twice my age gazing up to me for direction and insight. After I shook off the edge, I was able to acclimate myself and formulate lessons that were both informative and meaningful. After the final exam, one student approached me and said, “I’ve learned a lot in this class, Thank you.” That simple comment allowed me to fully appreciate what I was doing as well as let me know that what I prepared for night in and night out was for something. Let me tell you, it’s a rewarding and satisfying feeling and I know I will continue with this challenge for years to come. Heck, I might make this a full time gig in the future. :)

To view my course syllabus, visit my course site at http://www.andyhyeun.com/cisprog403.

How to hack a Wifi WEP Encryption

Posted by admin on February 26th, 2008

Author: Andy Yeun
theDisclaimer v1.0

Disclaimer: This article is for informational and educational purposes only. Hacking into a private, security-enabled wireless network is illegal and is not the intent of this article.

With the advent of Wifi technology and the use of 802.11x, it is very likely that your Wifi-enabled device (laptop, PDA, etc.) lights up like the 4th of July when you power it on. Many Wifi networks are not secured to begin with (not because users don’t see the relevance, but because end users are typically oblivious to the security ramifications of having an open door into their own private networks). In today’s technology age, where malicious users are around every corner, more and more people are seeing the benefits of security. For most end users with little or no computer experience, setting up a wireless network is as simple as going to the nearest brick-and-mortar store (e.g., Best Buy) and having an in-house technician (e.g., Geek Squad) come out to your place of residence and set up your wireless router. Although most of these individuals will not leave you completely vulnerable to malicious users on the Internet, they will take the easiest route to create a perception of security. Most of these technicians will recommend that you set up wireless security, and their first line of defense is always WEP key encryption. The explanation of Wired Equivalent Privacy (WEP) is beyond the scope of this article; click here if you would like to read more about this technology.

Security in any sense (whether it be network security, application security, etc.) is best when layered, and simply creating a single point of failure is not always “best practice”. This article will discuss how to crack WEP encryption using an open source utility called Airowizard. Airowizard is a GUI-enabled utility (written on top of CommView) that will allow you to crack or recover a lost or misplaced WEP key. Although this utility seems like a very useful tool, in the wrong hands it can give malicious users the ability to crack your WLAN security in a matter of minutes.

First you need to install the CommView driver that is included in the .rar file shown above (verify on the CommView site that your wireless device is compatible).

  1. Start Airowizard and refresh/enable your Wifi adapter you just installed in the “Adapter List and MAC Changer”.
  2. Click the “Monitor Mode” tab. Under the “Airserv-ng” section click the Debug mode check box and click the “Start Airserv-ng” button.
  3. A command prompt will appear and ask you to verify the adapter; type ‘Y’ for yes and press Enter.
  4. Next, click the “Start Airodump-ng” button under the Airodump-ng initial scan section. You will see a list of available networks. Press Ctrl+C to stop the scan and note the following information: 1) Channel, 2) MAC, and 3) SSID.
  5. On the AP details and Airodump-ng tab enter the Channel, MAC, and SSID in the appropriate fields and click “Start Airodump-ng”.
  6. On the Authentication and packet replay\injection tab click the “advanced” checkbox under the Fake Authentication section and apply when the dialogue box appears. Next click “Authenticate”. Wait until an association is successful (this should appear in a command prompt after you click the Authenticate button).
  7. Next, click the Fragmentation button to retrieve an XOR stream (that is what we want). Note this XOR stream (unique number). After you have successfully retrieved an XOR stream, you want to create an ARP packet by clicking the “Create Packet” button. A dialogue box will appear asking for a file name; you want to name it so it’s easily identifiable (I like to name it the SSID).
  8. Next, click Inject and select the file you just created.
  9. You will notice that it is bombarding the AP with data packets at the rate of 5000 ppm.
  10. Refresh your Airodump-ng under the AP details and Airodump-ng tab to show the number of received packets. Wait 5-10 minutes until the AP has received 50,000 packets (no less). Once this has occurred, press Ctrl+C to stop Airodump-ng. When you stop this process Airowizard will have created 2-3 dump files with a .cap extension.
  11. Close out all other command prompts (do not close AiroWizard).
  12. Under the WEP crack\recovery tab, under “WEP crack” click the ellipsis to select your dump files.
  13. Click “Start Aircrack-ng” (DO NOT check Disable PTW).
  14. If you have done everything successfully, Airowizard should crack WEP in a matter of seconds.
  15. Test your WEP key by trying to authenticate to the wireless network.

So what’s the point of this article? The point of this article is not to breed hackers; it’s to prove a point. Security is best dealt with in layers. In today’s technology-centric society, where many can be victims of identity theft or fraud, we need to take a proactive stance in protecting our data and intangible assets. Ask questions, don’t be naive and, most importantly, take added measures to protect what is most important to you.
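
Seen from the access point's side, the injection in steps 8 and 9 shows up as one transmitter sending a steady stream of small, identical-length data frames. As an added example (not part of the original article or of Airowizard), this Python detector flags that pattern in a capture summary. The record format, the thresholds, and the reading of "5000 ppm" as packets per minute are assumptions, and the sample frames are constructed.

```python
from collections import defaultdict, deque


def build_sample():
    """Constructed capture summary: (seconds, transmitter, bssid, kind, length)."""
    ap = "02:00:00:00:00:10"
    frames = []
    # Ordinary client: a few frames per second, varying sizes.
    for i in range(40):
        frames.append((i * 0.25, "02:00:00:00:00:21", ap, "data", 90 + (i * 37) % 900))
    # Bulk download: many full-size frames, which is normal traffic.
    for i in range(300):
        frames.append((1.0 + i * 0.005, "02:00:00:00:00:22", ap, "data", 1500))
    # Replaying station: one fixed-size frame every 12 ms (about 5000 per minute).
    for i in range(500):
        frames.append((2.0 + i * 0.012, "02:00:00:00:00:66", ap, "data", 68))
    return sorted(frames)


def find_replay_floods(frames, window=1.0, threshold=50, max_len=128):
    """Return {(transmitter, bssid, length): time of first alert}.

    Alerts when one transmitter sends `threshold` or more data frames of the
    same small length to one BSSID within `window` seconds. Frames longer than
    `max_len` are ignored so that ordinary bulk transfers do not trigger it.
    """
    recent = defaultdict(deque)   # per-key timestamps inside the sliding window
    alerts = {}
    for ts, src, bssid, kind, length in frames:
        if kind != "data" or length > max_len:
            continue
        key = (src, bssid, length)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


if __name__ == "__main__":
    for (src, bssid, length), ts in find_replay_floods(build_sample()).items():
        print(f"t={ts:.3f}s  {src} -> {bssid}: repeated {length}-byte data frames")
```

An alert like this is one more layer next to the encryption setting itself: it gives the network owner a chance to notice the traffic while it is happening.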