Password Recovery---"command authorization failed"

burtsbees

Programmer
Jan 29, 2007
7,657
US
I just bought a 2620 off of Ebay, and the first thing I did was send it a break, confreg 2142 at the rommon prompt, reset, and copy start run. I do this so I can see the config, just for kicks, and to look at any special commands I am not familiar with.
I then tried to change the passwords, and it came back with "command authorization failed", with a logging message. It would not even let me do any show commands...only verify. I had never come across this before, so I power cycled the router, and before I did a copy start run, I did a sh start and copied the config to a text file, since it had the enable secret command. I got the passwords by using an online cracker, but cannot get the secret password. So if anyone comes across this, remember you can still copy the config to a text file and reload it with a different secret by manually changing it in the text file.

Burt
 
So did this router have some TACACS config in, or some other AAA, that required you to be logged in as a local user at that point? After you loaded the startup into memory, your credentials must not have been good enough to run any exec commands.
 
I was at the priv exec prompt after the password recovery, and yes, it was configured to authorize thru TACACS+. Here's the config, minus IP addresses...

version 12.0
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname xxxxxxxxxxxx
!
logging buffered 4096 debugging
aaa new-model
aaa authentication login RMC group tacacs+ local
aaa authentication login Console local
aaa authorization exec default group tacacs+ local
aaa authorization exec Console local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
enable secret 5 $1$JEDG$WOChWAZQGu04PVILZMhkr/
!
username cctech password 7 xxxxxxxxxxxxxxxx
username rmctech password 7 xxxxxxxxxxxxxxxxxx
!
!
!
!
ip subnet-zero
no ip source-route
no ip finger
ip name-server xxxxxxxxxxxxxx
ip name-server xxxxx1xxxxxxxxxxxxxxxx
!
no ip bootp server
!
!
!
interface FastEthernet0/0
description connection to customer LAN
ip address xxxxxxxxxxxxxxxxxxxxxxxxxxx
ip access-group 103 in
no ip redirects
no ip directed-broadcast
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
description connection to AKRNOH25 RAR1 (DHEC.253189..ATI)
bandwidth 128
ip address xxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip access-group 101 in
no ip directed-broadcast
encapsulation ppp
no ip mroute-cache
fair-queue 64 256 0
service-module t1 timeslots 1-2
service-module t1 remote-alarm-enable
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
access-list 90 permit xxxxxxxxxxxxx
access-list 90 permit xxxxxx1xxxxxxxxxxxxxxxxx
access-list 90 permit xxxxxxxxxxxxxxxx
access-list 95 permit xxxxxxxxxx
access-list 95 permit xxxxxxxxxxxxxx
access-list 95 permit xxxxxxxxxxxxxxxx
access-list 96 deny any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 deny ip xxxxxxxxxxxxxxxxxx any log
access-list 101 deny ip xxxxxxxxxxxxxxx any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip xxxxxxxxxxxxxxxxxx any
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 permit ip any any
access-list 103 deny 53 any any
access-list 103 deny 55 any any
access-list 103 deny 77 any any
access-list 103 deny pim any any
access-list 103 permit ip any any
access-list 199 permit ip xxxxxxxxxxxxxxxx any
access-list 199 permit ip xxxxxxxxxxxxxxxxxxx any
access-list 199 permit ip xxxxxxxxxxxxxxxx5 any
access-list 199 permit ip xxxxxxxxxxxxxxxxxxxxx any
access-list 199 permit ip xxxxxxxxxxxxxxxx any
access-list 199 permit ip xxxxxxxxxxxxxxxx any
no cdp run
tacacs-server host 12.38.168.110
tacacs-server host 12.38.168.109
tacacs-server attempts 2
tacacs-server timeout 10
tacacs-server key xxxxxxxxxxxxxxxxx
snmp-server engineID local 000000090200000BFD7AFA20
snmp-server community xxxxxxxxxxxxx
snmp-server community xxxxxxxxxxxxxxxxx
snmp-server community xxxxxxxxxxxxxx
snmp-server community xxxxxxxxxxxxxxxxxxx
snmp-server community xxxxxxxxxxxxxxxxxxxx
snmp-server location xxxxxxxxxxxxxxxxxxx
snmp-server contact AT&T BCC, Piscataway, Customer Care Center
snmp-server enable traps snmp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server host xxxxxxxxxxxxxxxxxxxx snmp
snmp-server tftp-server-list 95
banner motd ^C
*********************
* AT&T LEGAL NOTICE *
*********************
This system is restricted solely to AT&T authorized users for legitimate
purposes only. The actual or attempted access, use, or modification of
this system is strictly prohibited by AT&T. Unauthorized users are subject
to Company disciplinary proceedings and/or criminal and civil penalties
under state, federal, or other applicable domestic and foreign laws. The use
of this system may be monitored and recorded for administrative and security
reasons. Anyone accessing this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible evidence of criminal
activity, AT&T may provide the evidence of such activity to law enforcement
officials. All users must comply with AT&T Corporate Instructions regarding the
protection of AT&T and customer information assets.^C
!
line con 0
session-timeout 30
exec-timeout 30 0
password 7 xxxxxxxxxxxxxxx
authorization exec Console
login authentication Console
transport input none
line aux 0
session-timeout 30
access-class 199 in
exec-timeout 30 0
password 7 xxxxxxxxxxxxxxxx
authorization exec Console
login authentication Console
transport input all

Burt
 
Ya, that's similar to how our routers respond in the field..
If the link is down, or routing is down for that matter, you have to log in with the local admin account. As soon as BGP routing comes up though and the router can talk to the TACACS server, the admin account's privileges are taken away and you can't even exit the router.
 
I'm sure AT&T would be happy to know that they sold me a router with a customer's name and IP address, as well as encrypted (easily cracked) passwords...

Burt
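As an added example (not code from the thread or from Cisco), here is a small Python audit of an IOS config text file like the one Burt saved: it flags the AAA command-authorization lines behind "command authorization failed", lists the credential material that is still recoverable from a config shipped with a sold device (type 7 passwords, TACACS key, SNMP communities), and swaps the enable secret line the way the first post describes doing by hand. The sample config and all secret values are constructed placeholders, not the values from the posted config.

```python
import re

# Constructed sample: the shape of the thread's AAA and credential lines,
# with placeholder values instead of the real ones.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
enable secret 5 $1$xxxx$PLACEHOLDERHASHPLACEHOLDER
username cctech password 7 00000000000000
tacacs-server key SHAREDKEYPLACEHOLDER
snmp-server community COMMUNITYPLACEHOLDER RO
line con 0
 password 7 11111111111111
"""

# Material that is reusable if the config leaves with the hardware.
# Type 7 is a reversible obfuscation, not a hash; the TACACS key and
# SNMP communities are stored in clear text.
SENSITIVE = {
    "type7_password": re.compile(r"\bpassword 7 \S+"),
    "tacacs_key": re.compile(r"^\s*tacacs-server key "),
    "snmp_community": re.compile(r"^\s*snmp-server community "),
    "enable_secret": re.compile(r"^\s*enable secret "),
}

# Command authorization via a remote AAA group on the default list: in the
# thread, the console session after password recovery hit exactly these lines
# because there was no authenticated user for TACACS or the local fallback.
CMD_AUTHZ = re.compile(r"^\s*aaa authorization commands \d+ default .*group tacacs\+")

def audit(config):
    """Return {category: [matching lines]} for credential and lockout-prone lines."""
    findings = {k: [] for k in list(SENSITIVE) + ["command_authorization"]}
    for line in config.splitlines():
        for name, pat in SENSITIVE.items():
            if pat.search(line):
                findings[name].append(line.strip())
        if CMD_AUTHZ.search(line):
            findings["command_authorization"].append(line.strip())
    return findings

def replace_enable_secret(config, new_secret_line):
    """Replace the 'enable secret' line before reloading the text file onto the box."""
    out, replaced = [], 0
    for line in config.splitlines():
        if SENSITIVE["enable_secret"].search(line):
            out.append(new_secret_line)
            replaced += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", replaced
```

Pasting `enable secret 0 <new password>` back into the config lets IOS compute the type 5 hash itself, so the text file never needs to carry a pre-computed hash.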
 