How To Hack A Smart Or Managed Ethernet Switch Part 1

TYPICAL DAY OF YOUR LIFE

I love those days, when the manager in your day job, pops up and ask you: 

  • “Do you have time to do something for me?”. 

You think to yourself: 

  • “S**t, I am bloody busy and have a stack of work to do! Do you think I am on vacation here?”

but you say politely: 

  • Yeah, what’s the problem?” 

Then, they lead you to the massive crate, filled with different kind of ethernet switches.

  • This! Needs to be cleaned/removed/destroyed (pick your poison) from any of the client’s information on them. We cannot move them if they contain any information.”

You think to yourself:

  • “Hell YES! That’s going to be a fricking FUN!!!”

But you’ll say:

  • “Yeah… I’ll see what I can do with it…”

THE FUN BEGINS WITH LINKSYS/CISCO SRW2008MP

On top of the stack, I see one of the older versions of the Linksys/Cisco business powered gigabit switch SRW2008MP. Glance over, and I already want it for myself. It has powered 8x 1-gigabit ports, and it’s “smart” – meaning it has a web interface to configure it—unfortunately, no power supply. 

Another look at the back and I see 48V DC 3.1A. Bingo! Amazon.co.uk and I can find 48V 5A bricks for about £15. 

There is a male serial/console port connector, so there is a chance to get some access to it. Pulling up the manual for this model is telling me that the defaults are:

Bits per Second: 38400
Databits: 8
Parity: None
Stop bits: 1
Flow control: None

From my experience, 99% of the time (especially on the modern switches with web configuration), no one like to touch the console; however, it should be there running defaults. If it’s not, then we can scroll trough most the typical speeds: 9600, 14400, 19200, 38400, 57600, 115200. Easy.

Powering up this puppy via an external power supply and we have the first hiccup: it sounds like a jet engine with a small fan spinning on its last legs. How come there is this much noise from such a tiny fan? No idea, but we will address this later. 

Connected USB to Serial adapter and rebooted. I always like to see the output from all devices, as you can see a lot of information. Finally, there is a console, but it will prompt you with the password. Typed default “admin” and pressed Enter. Kaboom, we are inside. Tip for you: always change default access to any device, now you know why.

It was too easy, so searched all menus, and there we go: “System Configuration -> Restore System Defaults.” It should come back with the standard configuration website at IP address 192.168.1.254

Change the IP number on your PC’s network card to the same 192.168.1.0 network as the switch and give your computer IP number of, let say 192.168.1.50. Otherwise, you will not be able to communicate with it.

Open Chrome and log in to this address, and there is a second hiccup: it will log in just fine, but there is nothing on the screen. Again, Linksys employees are showing their coding skills. The webpage’s broken in so many places that no popular modern web browser will be able to show you the menu.

Mark my words: “modern” is the key. Let us do some more fixing here. Start old, trusty (never safe), Internet Explorer. Go to the IP and see what’s going there. The same story, nothing new. Can’t get to the menu.

Go to Settings->Compatibility View Settings, Add 192.168.1.254 to the Compatibility list. Linksys open up its menu in full view. Here you can make all your adjustments, including PoE settings and web config IP address. 

It’s worth mentioning that any emulation of the Internet Explorer 5 or 6 will work in this situation. Linksys’ developers hardcoded stuff from IE5 web engine, so any other web browser cannot read it correctly. So you have to use IE5-IE7 even if just emulated.

MAKE IT MORE COMPLICATED

Let say, you don’t have a serial connector, or switch is not responding to the console via a serial port. Smart switches usually have a backup plan and only a few “usually” don’t have them turned ON as default setting. Those connections are:

  1. Telnet – old, unencrypted way of connecting to servers. Tip for you: if anyone else is connecting to the same network, any password you send via Telnet is visible in clear text, so bear this in mind when using it.
  2. SSH – newer, encrypted way of connecting to servers.

Unfortunately, we don’t know the IP address this switch is responding to the previous owner might change config from default settings, so we have to find it first. From the manual, we understand that the default network is on 192.168.1.0 and the switch should be on 192.168.1.254, so set up IP on your PC’s network card as 192.168.1.50

Start my favourite program, Wireshark: the network snooper. Select your network card connected to the troubled switch.

Press, Start and wait. In a few seconds, you should be receiving different packages. You are looking for any other IP address than your 192.168.1.50 (our PC), 239.x.x.x, 169.x.x.x, 255.x.x.x, those are broadcasts or other stuff on your network.

For this SRW2008MP, you can type “ssdp” in the filter bar. It runs through all messages and gives you M-SEARCH or NOTIFY packets only. Here we go, the “other IP” is here, the web interface is on 192.168.1.254.

I will also look at “arp” and “icmp” filters if there are none of the HTTP headers. On some devices, you will get only ARP or ICMP packets, but it’s worth to know.

So, we know that other interfaces are on the same (in 99% of the time) IP address. Let start Putty, and try to get Telnet first, with port 23. Reason? Network admins usually don’t check it, so there is a chance to have it with a default password. 

Tip for you: each of the protocols, may have different logins, via different passwords, so web access may not have the same username/password what Telnet does. Pretty popular on some Netgear switches. I had one, I could not get to the web interface, yet Telnet was on with default username and password.

GET IT DOWN TO THE CORE

Another (and many times the easiest) method to reset password in many switches/routers is to beak up the boot sequence. Many times, they contain additional options usually not readily available. In our case, Linksys/Cisco has boot options if you stop it at the right time.

Run Putty, set the chosen serial port (in my case it’s COM3) with the previous default serial connection settings. I just changed speed to 38400bps and started console.

Press that and then choose to reboot the machine again. This time when asked for a password, just press Enter, and you will have access to the switch.

Choose to Restore System Default Settings, and then Reboot System option to reboot it again (you may need to choose twice somehow to actually reboot). Now, when you back in the login page, you can just use the default login: admin, and press Enter.

Now you can log in with default credentials via the web portal. Just remember about emulating Internet Explorer 5-7 in your browser if you can, as it will have trouble to load the page past login screen.

Next time, we will look at something more… complicated.

You may also like...