Has anybody ever tried resetting a vty or the enable secret password via SNMP? I've read that there is something you can do with pullling back the running-config and comparing it to startup-config....via snmp assuming you know the RW Community-string.
But I was sure there was another method available whereby you could (if you knew snmp community-name) reset the passwords remotely using snmp?
To change the vty password, it is necessary to know the Read-Write (RW) community string, since the procedure needs to write information in some of the OIDs.
This is the link with the information about How To Copy Configurations To and From Cisco Devices Using SNMP:
You can create a .txt file with just the lines you want to send to the device and these ones will be added to the configuration you already have.
I will prepare an example for you and post it so you can take a look.
This is the example I have for you:
We need to make is to create a new ROW in the device within the ccCopyTable Mib, where all the values are going to be stored in order to replace the line we want in the configuration:
The procedure to recover password via snmp only, instead of referencing a file with an entire configuration the contents of the file would be
simply the password information that you want to change to. It won't leave you with a one line config. It will just overwrite the one line
that is in your current running config. The rest should stay the same.
For example, create a .txt file with just these 2 lines in the TFTP boot directory of your TFTP application:
enable password newpass
*** Note: the end statement is totally necessary.
Step 1 (Creating the Row).
Please look into MIB ccCopyEntryRowStatus
snmpset -v 2c -c private 10.10.10.2 220.127.116.11.18.104.22.168.22.214.171.124.1.14.222 i 5
NOTE: var_type is "i" for Interger
Value is 5 for createAndWait
In the MIB the last .222 is the entry index in the table. If the row is occupied then please destroy it first and try to create it and wait again.
Step 2 (Setting the protocol).
We are going to use TFTP to transfer the device configuration with the OID ccCopyProtocol.
Please look into MIB ccCopyProtocol
snmpset -v 2c -c private 10.10.10.2 126.96.36.199.188.8.131.52.184.108.40.206.1.2.222 i 1
NOTE: Value is 1 for tftp
Step 3 (Specifying the Source).
We are going to specify that what we want to copy is the file in your PC.
Please look into MIB ccCopySourceFileType
snmpset -v 2c -c private 10.10.10.2 220.127.116.11.18.104.22.168.22.214.171.124.1.3.222 i 1
NOTE: Value is 1 for networkFile
Step 4 (Specifying the Destination).
Once we have specified the Source, we need to tell what would be the destination to where
we are copying the file.
Please look into MIB ccCopyDestFileType
snmpset -v 2c -c private 10.10.10.2 126.96.36.199.188.8.131.52.184.108.40.206.1.4.222 i 4
NOTE: Value is 4 for runningConfig
Step 5 (TFTP Server's Address).
Let's now setup the IP address of the server where the TFTP service is currently running and where the configuration is going to get copied.
Please look into MIB ccCopyServerAddress
snmpset -v 2c -c private 10.10.10.2 220.127.116.11.18.104.22.168.22.214.171.124.1.5.222 a
NOTE: var_type is "a" for IP address
Value is the TFTP server's IP address
Step 6 (Specifying the File name in the TFTP Server).
Now, we need to tell the name of the file where the data is going to be sent to or stored (the one you create with the 2 lines).
Please look into MIB ccCopyFileName
snmpset -v 2c -c private 10.10.10.2 126.96.36.199.188.8.131.52.184.108.40.206.1.6.222 s
NOTE: var_type is "s" for Display String. Sometimes the name could need " "
Value is the file name in the TFTP boot previously created with full privileges
Step 7 (Deploy the settings and run it).
Last thing is deploying the settings so the config archive takes place. Before activating the row 222, we must double-check that the TFTP service is up and running.
Is the service running?
If yes, then activate the row with the following snmpset.
Please look into MIB ccCopyEntryRowStatus
snmpset -v 2c -c private 10.10.10.2 220.127.116.11.18.104.22.168.22.214.171.124.1.14.222 i 1
NOTE: Value is 1 for active.
Step 8 (Check the results).
Check if the transfer was successful.
do a snmpwalk to 126.96.36.199.188.8.131.52.184.108.40.206.1.10.222
Step 9.(Try to access the device).
This should be more than enough to change an specific line in the configuration using SNMP.
I hope this answered your question.
No, it would not work, you have to set the IP address of the TFTP server in the ccCopyServerAddress OID; that is the value that will be used for the transfer.
So I if all my interfaces have "vrf forwarding" and I didn't have the "ip tftp source-interface" command I wouldn't be able to pull the text file down to the router.
What I mean in my previous post is that you don't need that command, the TFTP transference is done by SNMP, therefore all the details about the TFTP transference needs to be configured/set in the OIDs of the ccCopyTable Mib. Obviosly, between the device and the PC in which you have the TFTP application you needs to have the TFTP protocol open ( no firewalls or ACLs blocking it)
If you need further assistance with the procedure I strongly recommend you to open a TAC service request.
this work great on IOS 12.0 and above. Thanks for the instructions.
I am having issues with 4507 IOS-XE and its not working. Do you know the mibs value for 4507 as well.
I tried to do this many years back with no success. Today I have managed to carry out the process with no issues! I had to try 2 times before it finally worked as the 1st time I messed up the path to the file and the second time I needed "enable secret" instead of "enable password". Also, each whole set of SNMP commands requires a different SNMP "row" number else you will get an error if you attempt to reuse "222".
Also, each whole set of SNMP commands requires a different SNMP "row" number else you will get an error if you attempt to reuse "222".
As the final step you should always set the ccCopyEntryRowStatus to "destroy" (6):
snmpset -v 2c -c private 10.10.10.2 220.127.116.11.18.104.22.168.22.214.171.124.1.14.222 i 6
After that you can reuse the same random number.