
Decrypt Cisco type 7 Passwords right in the IOS

OK. Admit it. How often do you need to recover a type 7 password quickly? About once a month for me (he said, embarrassed). 😐

There are a few sites that let you do it from a web page, but what if you don’t have easy access to the Web? Well, help is at hand. Here’s how to do it from right there in the IOS…

Let’s assume it’s something basic like your ISP password, but any password stored insecurely on the router with type 7 encryption is a candidate.

interface Dialer3
 ppp chap password 7 094D4D1B1815070B1B0D17393C2B3A37

  1. Create a temporary Key Chain
  2. Add a Key to the chain
  3. Add a type 7 key-string to the key
  4. Show the chain to reveal the un-encrypted string
  5. Remove the Key Chain so as not to clutter your config with rubbish.

Router1(config)#key chain temp

Router1(config-keychain)#key 1

Router1(config-keychain-key)#key-string 7 094D4D1B1815070B1B0D17393C2B3A37
Router1(config)#do sh key chain temp
Key-chain temp:
    key 1 -- text "acrappypassword"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
Router1(config)#no key chain temp
Router1(config)#

And there you have it! Proof that passwords stored with type 7 encryption in the config really are crappy. 🙂
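For the defensive side of the same point, here is a small audit script that lists where a saved config still stores secrets as type 7, without echoing the encoded value, so they can be reviewed. It is an added example, not part of the original post; the function name audit_type7, the keyword list and the sample config are assumptions constructed for illustration, and only the Dialer3 password line comes from the post.

```python
import re

# A config line that stores a secret in reversible type 7 form, for example
#   ppp chap password 7 <blob>   or   key-string 7 <blob>
# The keyword list is an assumption for this example, not an exhaustive one.
TYPE7_LINE = re.compile(
    r"^\s*(?P<cmd>.*\b(?:password|key-string|key|ascii))\s+7\s+(?P<blob>[0-9A-Fa-f]+)\s*$"
)
# Expected blob layout: two decimal digits, then an even number of hex digits.
TYPE7_BLOB = re.compile(r"\d{2}(?:[0-9A-Fa-f]{2})+")


def audit_type7(config_text):
    """Return one finding per type 7 secret; the blob itself is never echoed."""
    findings = []
    section = "(global)"
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if not line.strip() or line.strip() == "!":
            continue
        match = TYPE7_LINE.match(line)
        if not line[0].isspace():
            # An unindented line opens a new section; if it carries the secret
            # itself, report it as global rather than copying the blob.
            section = "(global)" if match else line.strip()
        if match:
            findings.append({
                "line": lineno,
                "section": section,
                "command": match.group("cmd").strip(),
                "well_formed": bool(TYPE7_BLOB.fullmatch(match.group("blob"))),
            })
    return findings


# Constructed sample config; only the Dialer3 password line is from the post.
SAMPLE_CONFIG = """\
hostname Router1
enable secret 5 $1$CONSTRUCTED$placeholderhashvalue
username me privilege 15 password 7 094D4
!
interface Dialer3
 ppp chap hostname user@isp.example
 ppp chap password 7 094D4D1B1815070B1B0D17393C2B3A37
!
key chain temp
 key 7
  key-string plaintextexample
"""
```

Calling audit_type7(SAMPLE_CONFIG) reports the truncated username entry and the Dialer3 CHAP password, and skips the type 5 hash and the key numbered 7 in the key chain.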

Lion Serial Console Cable update.

As previously mentioned in this article, I had been happily using a serial console cable on my Macs (hereafter known as an SCC) (mine is an Aten UC-232A) without incident, until I upgraded my MacBook Air to Lion.  Then it all broke again.

Here’s what I had to do to fix it…

First, I had to download the new 1.4.0 driver from here.  But that is only the start of it.  You need to follow the instructions contained in the Zip file and once the driver is installed, boot the Mac.

Next you need to edit the Plist file to reflect your actual hardware. It is owned by root so you will need to sudo to be able to edit it. You need to plug in your SCC and use System Profiler to get its Product ID and Vendor ID. Remember these are in Hex, but when you edit the Info.plist the entries are in Decimal. I found it easier to create a whole new <dict> entry rather than trashing the original installed by the driver.

Mine looks like this in System Profiler

Product ID: 0x2008
Vendor ID: 0x0557  (ATEN International Co. Ltd.)
Version: 3.00
Speed: Up to 12 Mb/sec
Manufacturer: Prolific Technology Inc.
Location ID: 0x04100000 / 4
Current Available (mA): 500
Current Required (mA): 100

So…

sudo vi /System/Library/Extensions/ProlificUsbSerial.kext/Contents/Info.plist

I added the following section after the original <key>067B_2303</key> Section

<key>0557_2008</key>
<dict>
   <key>CFBundleIdentifier</key>
   <string>com.prolific.driver.PL2303</string>
   <key>IOClass</key>
   <string>com_prolific_driver_PL2303</string>
   <key>IOProviderClass</key>
   <string>IOUSBInterface</string>
   <key>bConfigurationValue</key>
   <integer>1</integer>
   <key>bInterfaceNumber</key>
   <integer>0</integer>
   <key>idProduct</key>
   <integer>8200</integer>
   <key>idVendor</key>
   <integer>1367</integer>
</dict>

Once this is complete and saved you need to unplug the SCC (very important) and load the edited kext file.

sudo kextload /System/Library/Extensions/ProlificUsbSerial.kext

Plug the SCC back in and do an ls on /dev and you should see your SCC in there now. Mine looks like this…

crw-rw-rw-  1 root    wheel      18,   6  9 Feb 13:42 tty.usbserial

So if all has gone well you can now connect to your serial device again. For me that is any number of Cisco Routers or switches and the command is…

screen /dev/tty.usbserial 9600

Have Fun!

Cisco 867w Wireless Configuration

The Product

Recently I purchased a nice new Cisco 867w as I needed another router, and it didn’t really warrant the expense of an 887w or larger for the task at hand. I am reasonably familiar with configuring Cisco switches, security devices (ASA, PIX etc) and routers, and can find my way around the IOS fairly well, or so I thought. I haven’t really had much to do with Cisco Wireless APs and general AiroNet products as I am still not a great wireless fan apart from where necessary. I have configured lots of 87xW series and 18xxw series with integrated wireless capabilities and the general concept of bridging the Wireless interface to the Vlan or FE interfaces is pretty straightforward.

But the 867w (and 887w) has a full Cisco AP embedded into the router. The AP has its own IOS and needs a full configuration, and even more alarmingly, I could not find any sample wireless configurations anywhere on the net, including on the Cisco.com site. There is a good configuration guide on the Cisco site but it falls way short of the mark to configure the router from scratch. It is much better as a reference guide. I couldn’t find any reference in it to how the 867w’s AP actually integrated, and hence, communicated with the router itself.

Another major issue for me was that the router shipped with an old IOS and apart from that absolutely nothing in the flash. (Pretty sloppy Cisco!)

The Problem

My problem, in a nutshell, was how to bridge the AP to the router’s vlan. Sounds simple enough, doesn’t it? But I couldn’t see an obvious solution and couldn’t find any relevant documentation. I posted on a couple of quality forums to see if anyone else had had a similar issue, and yes lots of people had. What was the solution? None given. Grrr… There are loads of posts pointing to the concept of bridging VLANs and the concept of configuring a router but no wireless sample configs. Personally I find it beneficial when faced with a new device to see a working config, pull it apart and figure out why it works. I learn the most that way.

So I did the only logical thing I could do, and went to the cupboard and got out an old 877w and ran it up instead. Aaahhhh… the comfort of familiarity. But of course I love technology so I couldn’t let it beat me.

To cut a very long story short, there is a Wlan-GigabitEthernet 0 interface visible in both the Router and the AP configuration and this is the glue that binds the Router to the AP. So, below I have included the running config for each of my relevant interfaces on both the Router and the embedded AP.

Don’t forget that, until you configure a management IP on the AP’s BVI1, the only way to configure the AP is by logging on to the router and then using

Router# service-module wlan-ap 0 session

to get into the AP config. Once in there the only way to get back is to use

AP# <Shift>+<Ctrl>+6 X

to get back to the Router’s Configuration mode. This leaves the AP config session open. If you subsequently want to close that session you also need to type

Router# disconnect

to close it completely.

The Solution

On the Router…
interface Vlan1
 ip address 192.168.xx.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
end
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
end
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
end
!
interface Dialer0
 description PPPoA Dialer for Int ATM0
 ip address negotiated
 ip access-group aclInternetInbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
 crypto map
end

Of course there is no necessity for the

ip route 0.0.0.0 0.0.0.0

due to the ppp ipcp route default on the dialer interface.

On the AP
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm tkip
 broadcast-key change 3600
 ssid
 antenna gain 0
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root ap-only
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
end
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
end
!
interface BVI1
 ip address 192.168.xx.2 255.255.255.0
 no ip route-cache
end

And on the AP you will need a default route, so you will need a

AP(config)# ip default-gateway 192.168.xx.1

to tell the outbound traffic how to get out to the world at large through the Router’s VLAN interface.

Edit: A few people have asked for a full AP config to get started with, so here is a “Bare Bone” one to get you started…

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname AP
logging buffered 132000 notifications
enable secret 0 <PutAGoodPasswordHere>
no aaa new-model
clock timezone AEST 10
clock save interval 8
dot11 syslog
dot11 ssid SSID
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 0 <PutAGoodPasswordHere>
username me privilege 15 secret 0 <PutAGoodPasswordHere>
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm tkip 
 broadcast-key change 3600
 ssid SSID
 antenna gain 0
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root ap-only
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface BVI1
 ip address 192.168.xx.2 255.255.255.0
 no ip route-cache
ip default-gateway 192.168.xx.1
no ip http server
no ip http secure-server
bridge 1 route ip
line con 0
 no activation-character
line vty 0 2
 exec-timeout 20 0
 login local
 transport preferred none
 transport input telnet
line vty 3 4
 exec-timeout 20 0
 login local
 transport preferred none
 transport input ssh
 transport output all
sntp server <IPofSntpServer>

I hope that helps.

OS-X Serial connection to Cisco Console

Update: You may also want to read this after this article…

Ever needed to use a USB to Serial adapter to telnet in to your Cisco Console on a Mac OSX and gone… Ummm… I might use a PC instead. Well fortunately it is way easier than you may think. It just isn’t quite as intuitive as it should be.

We will assume that you have a USB to Serial adapter that shows up in your /dev after you install it.  You may need to download a driver, and for some chipsets I have not been able to get them running on Intel OS-X (Phillips/MCT chipset in particular.  The Belkin F5U409 is one of these).  I found the UC-232A type which use the Prolific PL2303 chipset, plugged straight in and worked with very little effort and a straight driver download.

Suffice to say if you ls /dev and see an entry like tty.PL2303.xxxxx  all is well.  It is worth copying this to the clipboard as you will need it in a moment.

Next comes the wonderful screen command.  man screen will give you a little more info, albeit, fairly sterile and confusing, but information nonetheless.  Google it to give you a better insight.

Hook your console cable to the USB – Serial adapter and the router and then from a terminal window simply type

screen /dev/<Insert device name here> 9600

(obviously this bit is whatever your device is called) and hey presto,  you are consoled in to your router.

Now it does have some gotchas. I am used to using <Ctrl>+A to move to the start of the line for when I forget to use “do” or general typos, but <Ctrl>+A is screen’s primary command. You issue it prior to all other screen commands. So for example if you go <Ctrl>+A and start typing do in a screen session, you will only get as far as the d and your screen session will disconnect, as <Ctrl>+A+D is the screen command to disconnect the session. You will then need to type screen -r to reconnect to the session.

So, it is not a Telnet or even ssh Session. But it is very useful…

Update: Grrrr… I updated my SL MacBook Air to Lion and the Serial Console Cable would no longer work. See my new article on what I had to do to fix it.

A Lion coughed my Bootcamp partition back up.

Recently I wrote how the Lion upgrade to my beloved iMac 27″ trashed my Boot Camp partition and the ability for VMware to use it.
Well fortunately the fix was fairly straightforward. It seems my pet Lion hadn’t done any such thing. Even though the Boot Camp Assistant reported that there was no Boot Camp partition, and the VMWare Fusion VM said there was no partition, and I could no longer boot into Windows @ boot time (don’t ask), good ol’ fsck disagreed with them all.
All I did to remedy the problems was…

  1. In VMWare Fusion 3.1.x I deleted the virtual machine referencing my Boot Camp Partition
  2. In Fusion, open the Virtual Machine Library (⇧⌘L)
  3. After you have deleted the original VM, click on the Home button to display the setup options
  4. Create a new VM off your Boot Camp Partition (which is still there but hiding after the Lion ate it)
  5. It will now tell you that it is setting up the partition so that VMWare can access it properly.  This seems to be the crucial step!
  6. Hey presto, it is all back and running properly.  You can even boot into the Boot Camp partition again at boot time.

I am not sure what Lion breaks (eats) or why this fixes it exactly as I don’t have time to research it enough, but suffice to say it is working and I am happy again.