When I configure a bunch of Cisco gear in a lab environment, just for fun or to test some new feature, I like being able to get CLI access with telnet without having to authenticate myself with any username or password. You can achieve this level of “insecurity”, which is totally great for lab-only use, simply by changing the VTY configuration.
In normal situations you configure the VTY lines to allow remote CLI access to your device like this:
Router>
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#password Cisco
Router(config-line)#login
and then you log in to your device (10.0.0.1) with telnet like this:
> telnet 10.0.0.1
Trying 10.0.0.1 ... Open
User Access Verification
Password:
Router>
Router>enable
% No password set
(Don’t forget to set up an enable password, otherwise you will not reach privileged exec mode.)
So, to skip the login prompt and gain access without authentication, it’s enough to turn off “login”, as simple as:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#no login
And then the telnet looks like this:
> telnet 10.0.0.1
Trying 10.0.0.1 ... Open
Router>
Well, if you want to make your work even faster, configure the VTY lines so that you are put directly into privileged exec mode by setting the VTY privilege level to 15. And don’t forget to turn on one of the greatest CLI features – “logging synchronous”. The final configuration then looks like:
Router#sh run | section line vty
line vty 0 4
 privilege level 15
 logging synchronous
 no login
and a telnet login then looks like:
> telnet 10.0.0.1
Trying 10.0.0.1 ... Open
Router#
Update (30.8.2008):
I forgot to add the “exec-timeout 0” command. By default, after 15 minutes of inactivity, the device will automatically disconnect your telnet session. With the “exec-timeout” command you can change the default value. If you set it to 0, the device will never try to disconnect your telnet session. It’s very useful in labs. So the final configuration would be:
Router#sh run | section line vty
line vty 0 4
 privilege level 15
 exec-timeout 0 0
 logging synchronous
 no login
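Because this VTY setup is meant for labs only, it is worth checking saved configurations for it before a device leaves the lab. The script below is an added example, not part of the original post: the function name audit_vty and the sample configuration are constructed for illustration, and it assumes the usual IOS layout where sub-commands are indented under their "line vty" header.

```python
import re

# Constructed sample: the post's final lab VTY block plus a hardened one.
SAMPLE_CONFIG = """\
hostname Router
!
line con 0
 logging synchronous
line vty 0 4
 privilege level 15
 exec-timeout 0 0
 logging synchronous
 no login
line vty 5 15
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""

def audit_vty(config):
    """Return {vty range: [findings]} for each 'line vty' block in an IOS config."""
    findings, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if header:
            current = "vty " + " ".join(g for g in header.groups() if g)
            findings[current] = []
        elif not line.startswith(" "):
            current = None  # any other unindented line ends the block (assumed layout)
        elif current:
            cmd = line.strip()
            if cmd == "no login":
                findings[current].append("no authentication (no login)")
            elif cmd == "privilege level 15":
                findings[current].append("sessions start in privileged exec (level 15)")
            elif re.fullmatch(r"exec-timeout 0( 0)?|no exec-timeout", cmd):
                findings[current].append("idle sessions never time out")
    return findings

if __name__ == "__main__":
    for vty, issues in audit_vty(SAMPLE_CONFIG).items():
        print(vty, "->", issues or "ok")
```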
Hello Jozef,
We also have to remember to add
router#terminal monitor
to enable logging on vty sessions.
What we are using in our lab environment is a secondary address on the Ethernet interfaces. It allows us to have "profiles in PuTTY" and connect to the router with our addresses, which are not in conflict with the lab.
int f0/0
no shut
ip add 10.0.0.4 255.255.255.0
ip add 1.0.0.4 255.255.255.0 secondary
It is also quite useful to use the configure replace command:
To avoid restarting the router, use the replace config command instead.
Firstly, save the config in flash. Be careful NOT TO DELETE FLASH.
copy run flash:startup.cfg
Secondly, replace the running configuration with the one previously saved in flash
conf replace flash:startup.cfg
Secondly if you want to replace
Now the router should use the saved configuration from flash. The old running config should be erased.
Note: Sometimes with RSA keys conf replace doesn’t clear all of the running config.
or add command:
"no exec-timeout"