Which password would allow a user to establish a Telnet session with a Cisco device?

Technology: Security
Area: Device Hardening
Vendor: Cisco
Title: How to allow SSH only to Cisco device
Software: 12.X , 15.X
Platform: Catalyst switches, Routers

The Telnet protocol provides TCP/IP connections to a host for management purposes. To allow only Telnet sessions to the device, use the following configuration under the vty lines.

To restrict the vty lines to Telnet sessions, enter:

Router# configure terminal
Router(config)#line vty 0 4
Router(config-line)#transport input telnet

To verify the command, open a command prompt and try to connect with Telnet:

PC> telnet 192.168.10.2
Trying 192.168.20.1 ... Open
User Access Verification
Password:

Verifying whether an SSH connection is possible:

PC> ssh -l admin 192.168.10.2
Timeout

Hint: remember to use Telnet carefully. Telnet sends its content in clear text, so it is susceptible to sniffing attacks. You can verify Telnet's behaviour easily with Wireshark: connect to any device with Telnet, run Wireshark and log in with a username and password. You should see your original password in the capture.

You would never allow anyone in the world to access your email, so why would you allow anyone to access your network hardware? This lab will discuss and demonstrate the configuration and verification of basic password authentication.

Real World Application

Security is of the utmost importance in a production network, especially an internet-facing production network. An insecure Cisco router and/or switch exposes your network to a virtually unlimited number of risks. This lab will teach you the basics of password authentication in the Cisco IOS software to secure your Cisco router and/or switch.

Lab Prerequisites

  • If you are using GNS3, then load the Free CCNA Workbook topology and start R1.
  • Establish a console session with Router 1.

Lab Objectives

  • Configure a Console line password so that anyone attempting to establish a console session to the device will be prompted for a password. Once completed, verify your configuration.
  • Configure the VTY line 0-4 password so that anyone attempting to establish a telnet/ssh session to the device will be prompted for a password. Once completed, verify your configuration.
  • Configure an enable password and enable secret. Once completed, verify these configurations.
  • Configure an Auxiliary line password so that anyone attempting to establish an auxiliary line session to the device (routers only) will be prompted for a password.

Lab Instruction

Step 1. – To meet the first objective of protecting the console line with a console password you’ll need to navigate to the console line configuration mode as shown below;

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

Router>enable
Router#configure terminal
Router(config)#line console 0
Router(config-line)#

Once in console line configuration mode, you can set the password by executing the password passwordgoeshere command. As shown below, the password is being set to Cisco123;

Router(config-line)#password Cisco123

Simply setting the password does not enable password authentication. You’ll need to tell the router to prompt incoming sessions on the console line to require a password. This is done by executing the login command from line configuration mode as shown below;

Router(config-line)#login

Now you can test your console line password, but first you'll have to end your exec session by typing end and exit, then attempt to establish a new exec session via console as shown below;

Router(config-line)#end
Router#exit

Router con0 is now available

Press RETURN to get started.

User Access Verification

Password: 

Router>

Step 2. Now it's time to configure the VTY (Virtual TeleType) lines. The VTY lines are virtual lines used for establishing an exec session via telnet or ssh. You apply the password to these lines in the same manner as you previously did for the console line, as shown below;

Router>enable
Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#password Cisco321
Router(config-line)#login

Notice that in this example the password was set to Cisco321 just to demonstrate that you can have different passwords per line. To verify this configuration you'd typically need Ethernet connectivity to the device, so you'll need to assign an IP address to an interface. For example, assign 10.1.1.1 255.255.255.255 to interface loopback0 as shown below;

Router(config-line)#interface lo0
Router(config-if)#ip add 10.1.1.1 255.255.255.255
Router(config-if)#end
Router#

To verify your vty line password configuration you can telnet to your local interface to initiate a telnet exec session as shown below;

Router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open


User Access Verification

Password:
Password: 
Router>

As you can see, you're prompted for the VTY line password. If you enter the console line password you will be denied access, but upon entering the correct VTY line password you'll be authorized to start an exec session as shown above.

Once you've established a telnet session to the router, try to gain privileged level access. You'll immediately notice that you're prompted for an "enable" password; since none is set, you cannot gain privileged level access.

Router>enable
Password: 
Password: 
Password: 
% Bad passwords

Router>

Step 3. Configure an enable password and enable secret so that you can gain privileged level access to the device via telnet. This configuration is done in global configuration mode. If you still have a telnet session open from the previous objective's verification, type exit. To configure an enable password, execute the enable password passwordgoeshere command.

To configure an enable secret, execute the enable secret passwordgoeshere command as shown below;

Router>exit

[Connection to 10.1.1.1 closed by foreign host]
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#enable password Cisco1
Router(config)#enable secret Cisco2
Router(config)#end
Router#

As shown above, the enable password was set to Cisco1 and the enable secret was set to Cisco2.

The enable password and enable secret serve the same purpose, which is to grant access to privileged mode. If both an enable password and an enable secret are set, the enable secret overrides the enable password.

Once the enable passwords have been set, verify the configuration by telnetting to 10.1.1.1 again, logging in with the previously set vty line password, then escalating to privileged level access.

Router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open


User Access Verification

Password: 
Router>enable
Password: 
Password: 
Router#

If you type in the enable password first you'll be rejected, as the router also has an enable secret set (Cisco2).

Step 4. The last objective only applies to Cisco devices that have an Auxiliary (AUX) port. The AUX port is very similar to the console port but has modem control pins, so you can attach an external 56k modem to the device, dial in to it and manage it remotely over POTS dial-up service. This is commonly used for out-of-band management of single devices; when there are multiple devices per site and out-of-band management is required, it's common to set up an access server with a modem to allow console management of multiple devices through a single dial-in device.

To set the AUX line password you’ll execute the same commands as you’ve previously done in the console line password configuration as shown below;

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line aux 0
Router(config-line)#password AuxPassword123
Router(config-line)#login
Router(config-line)#end
Router#

Which of the following commands will allow you to set your Telnet password on a Cisco router?

Explanation: The command line vty 0 4 places you in a prompt that will allow you to set or change your Telnet password.

What is the password for Telnet?

By default, the device does not require a user name or password when you log in to the CLI using Telnet. You can assign a password for Telnet access using one of the following methods. Set the password "letmein" for Telnet access to the CLI using the following command at the global CONFIG level.

What is a Type 0 password in Cisco?

A Cisco type 0 password is a clear text password: there is no encryption or obfuscation. It is the oldest and most insecure method of storing passwords on Cisco devices, and it should never be used.
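The audit below is an added example, not code from this page or from Cisco, that checks a saved running-config for the weaknesses discussed above: a vty line that still permits Telnet (the transport input section at the top), a line password without login and an enable password used without an enable secret (the lab's steps), and type 0 clear-text passwords (this question). Both config excerpts are constructed, the hash values are placeholders, and treating a missing transport input line as "all" is an assumption.

```python
# Constructed running-config excerpts (not captured from a real device).
WEAK_CONFIG = """\
enable password Cisco1
line vty 0 4
 password Cisco321
 transport input telnet
"""
# Counterpart applying the page's title: SSH-only vty, no type 0 passwords; hashes are placeholders.
HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$notarealhash
username admin secret 5 $1$PLACEHOLDER$notarealhash
line vty 0 4
 login local
 transport input ssh
"""
def parse_config(config):
    """Split a running-config into global commands and {line name: sub-commands}."""
    global_cmds, line_cmds, current = [], {}, None
    for raw in filter(str.strip, config.splitlines()):
        if raw.startswith(" ") and current:
            line_cmds[current].append(raw.strip())
        elif raw.startswith("line "):
            line_cmds[(current := raw[5:])] = []
        else:
            current = None
            global_cmds.append(raw)
    return global_cmds, line_cmds

def password_type(cmd):
    """Type number after 'password'; 'password X' and 'password 0 X' are type 0 (clear text)."""
    rest = cmd.split("password", 1)[1].split()
    return int(rest[0]) if len(rest) > 1 and rest[0].isdigit() else 0

def audit(config):
    """Findings for the checks this page discusses; an empty list means none fired."""
    findings, (global_cmds, line_cmds) = [], parse_config(config)
    has_secret = any(c.startswith("enable secret") for c in global_cmds)
    for c in global_cmds:
        if c.startswith("enable password"):  # enable secret overrides it, but it is still stored
            findings.append(f"enable password is type {password_type(c)}" + ("" if has_secret else "; no enable secret is set"))
    for name, cmds in line_cmds.items():
        pw_cmds = [c for c in cmds if c.startswith("password")]
        if pw_cmds and not any(c.startswith("login") for c in cmds):
            findings.append(f"line {name}: password set but no login, so no prompt")
        findings += [f"line {name}: type 0 (clear text) password" for c in pw_cmds if password_type(c) == 0]
        if name.startswith("vty"):  # assumption: no transport input line means "all"
            transport = next((c for c in cmds if c.startswith("transport input")), "transport input all")
            if {"telnet", "all"} & set(transport.split()):
                findings.append(f"line {name}: '{transport}' permits clear-text Telnet")
    return findings
```

Calling audit(WEAK_CONFIG) returns four findings, one per weakness, while audit(HARDENED_CONFIG) returns an empty list.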

What is Cisco default enable password?

Most Cisco routers and switches have default passwords of admin or cisco, and default IP addresses of 192.168.1.1 or 192.168.1.254.