The price difference between cheaper "smart managed" and the higher priced "fully managed" switches is often made up by a) removing serial console access and b) disabling access to a remote CLI. After working more often with managed switches I really appreciate CLI access, since most GUIs I've used so far (Netgear, HP-H3C Comware, Cisco IOS) were not much of a pleasure to use and were most often slow. The serial console was of less use, but it becomes very handy if the device doesn't want to boot, or for initial configuration.
Some vendors restrict or hide CLI access on their larger smart switches, maybe for support or developer purposes. One that I know about was the HP 1910 series that I've used (formerly the H3C-based 3Com 2928). It was during a port scan on my GS110TP that I realized there were more than the expected HTTP and HTTPS ports responding. After increasing the scope to a full TCP scan I saw 2 ports in the upper range that caught my interest:
# nmap -p 1-65535 -T4 -A -v <ip>
[...]
Completed NSE at 08:44, 35.57s elapsed
Nmap scan report for myswitch.net.example.org (<ip>)
Host is up (0.011s latency).
Not shown: 65528 closed ports
PORT      STATE    SERVICE         VERSION
22/tcp    filtered ssh
23/tcp    filtered telnet
80/tcp    open     http?
|_http-methods: HEAD GET OPTIONS
|_http-title: NETGEAR GS110TP
161/tcp   filtered snmp
443/tcp   open     ssl/https?
| ssl-cert: Subject: commonName=<removed>
[...]
4242/tcp  open     vrml-multi-use?
60000/tcp open     unknown
[...]
As expected, the default telnet and ssh ports didn't return anything interesting, but TCP 4242 and TCP 60000 remained. Apparently 4242 isn't of much use; it is possibly a management interface for Netgear, and it seems to have been detected by others on a couple of Netgear switches. During a quick search I came across a post from Koos van den Hout, who had detected a telnet server on a larger, rackmount GS716T using an older firmware, so there was at least a trace of Netgear having a "hidden" CLI access for some of their larger smart switches. I tried my luck using a telnet client on my tiny 10-port switch, and what I got closely resembled Koos' GS716T.
(Broadcom FASTPATH Switching)
Applying Interface configuration, please wait ...
I continued as follows: since the GS110TP allows neither defining different users nor RADIUS-based management authentication, I tried what Koos suggested and used the default 'admin' user, as found on larger switches that do have a user name for login. This resulted in a password prompt. To get full access, type 'enable' and press Enter twice (Cisco IOS, anyone?). I can confirm that this works for the GS110TP running version 5.4.2.10, and likely the GS108Tv2 (which uses the same firmware image):
(Broadcom FASTPATH Switching)
Applying Interface configuration, please wait ...admin
Password:*******************
(Broadcom FASTPATH Switching) >
(Broadcom FASTPATH Switching) >?

enable                   Enter into user privilege mode.
help                     Display help for various special keys.
logout                   Exit this session. Any unsaved changes are lost.
passwd                   Change an existing user's password.
ping                     Send ICMP echo packets to a specified IP address.
quit                     Exit this session. Any unsaved changes are lost.
show                     Display Switch Options and Settings.

(Broadcom FASTPATH Switching) >enable
Password:

(Broadcom FASTPATH Switching) #show version

Switch: 1

System Description............................. GS110TP
Machine Type................................... GS110TP
Machine Model.................................. GS110TP smartSwitch
Serial Number.................................. [...]
FRU Number.....................................
Part Number.................................... BCM53312
Maintenance Level.............................. A
Manufacturer................................... 0xbc00
Burned In MAC Address.......................... [...]
Software Version............................... 5.4.2.10
Operating System............................... ecos-2.0
Network Processing Device...................... BCM53312_B0
[...]
Additional Packages............................ FASTPATH QOS
                                                FASTPATH IPv6 Management
iÞä°cüå|Ø
(Broadcom FASTPATH Switching) #configure
(Broadcom FASTPATH Switching) (Config)#
As you can see at the end, even going into config mode is possible. If you are familiar with the Cisco IOS CLI you'll notice how similar things are on the Netgear switches (Google tells us FASTPATH is from Broadcom). You can also have a look at Netgear's M4100 or M5300 CLI guides to get a closer idea of the CLI command usage, though not all commands are available on this box. If you change things via the CLI, remember to save the running config to the NVRAM's startup config, which is what the web UI does for you automatically. (#copy system:running nvram:startup-config)
Warning: Some commands cause instant reboot
However, as Koos already confirmed for the GS716T, certain commands don't seem to be recognized and may cause an instant reboot of the switch without saving to the NVRAM (e.g. #ip ssh server enable). That might be the reason why Netgear preferred disabling regular CLI access on this firmware: they didn't want to support it. Still, it can be quite useful to know that even on such a small entry-level manageable switch there is a CLI available in case you need it.
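The scan in this article found listeners beyond the expected HTTP and HTTPS ports (TCP 4242 and the telnet CLI on TCP 60000). The following is an added example, not part of the original post, that parses nmap's normal output and reports open TCP ports outside an allowlist; the sample scan text, the placeholder address and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the article's scan; the address is a placeholder.
SAMPLE_SCAN = """\
Nmap scan report for myswitch.net.example.org (192.0.2.10)
PORT      STATE    SERVICE
22/tcp    filtered ssh
23/tcp    filtered telnet
80/tcp    open     http?
|_http-title: NETGEAR GS110TP
161/tcp   filtered snmp
443/tcp   open     ssl/https?
| ssl-cert: Subject: commonName=placeholder
4242/tcp  open     vrml-multi-use?
60000/tcp open     unknown
"""

# Assumption: a web-managed smart switch should expose only HTTP and HTTPS.
EXPECTED_OPEN = {80, 443}

HOST_LINE = re.compile(r"^Nmap scan report for (.+)$")
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(scan_text):
    """Map each host in nmap normal output to [(port, proto, state, service)]."""
    hosts, current = {}, None
    for line in scan_text.splitlines():
        if (m := HOST_LINE.match(line)):
            current = m.group(1)
            hosts[current] = []
        elif (m := PORT_LINE.match(line)) and current is not None:
            # NSE script lines start with '|' and never match PORT_LINE.
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts


def unexpected_listeners(scan_text, expected=EXPECTED_OPEN):
    """Return (host, port, service) for open TCP ports outside the allowlist."""
    return [(host, port, service)
            for host, ports in parse_ports(scan_text).items()
            for port, proto, state, service in ports
            if proto == "tcp" and state == "open" and port not in expected]


if __name__ == "__main__":
    for host, port, service in unexpected_listeners(SAMPLE_SCAN):
        print(f"{host}: unexpected open tcp/{port} ({service})")
```

Run against saved scans of a whole management VLAN, the same check shows which switches still have the diagnostics listener enabled after a firmware update or a factory reset.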
Interesting! I’m specifically looking into ways to cycle PoE-power on connected devices, under software control. This might offer a way to do so?
The easiest way to do this would be to admin down the port then bring it back up.
Hi! I’m trying to find any information about the GS110TP boot time. Even support can’t help; they don’t have such information and don’t have this device in their lab. I want to know, how fast does it start? I mean the time from power on to the working (switching) state. Can you help me with this information?
I haven’t checked exactly, but from plugging in the power to the stage where all ports come up takes a little under 1 minute. Certainly that’s slower than any unmanaged switch, but still quicker than most managed switches I’ve encountered so far. It’s a switch with lots of features and lots of bang for the buck. For a small installation they are OK, but I wouldn’t want to manage an armada of these switches (due to the rather sluggish Web-UI).
This still works on the GS108Tv3, BUT port 60000 is closed by default. You need to use the web UI to enable Maintenance > Troubleshooting > Remote Diagnostics. Then you can login by telnet!
I found this from https://blog.hansguthrie.com/2016/01/27/enable-ssh-on-netgear-gs728tp/, but unfortunately enabling SSH as described there does not work on this particular switch.
Thanks for your update. It still seems this article gets a fair amount of hits even after all these years. I’m not using this switch anymore though 🙂
Tried this with my GS308EPP. I was hopeful when the CLI returned
Trying…
Connected to …
Escape Character is ‘^]’.
but then the prompt is just blank from there and I have to reboot 🙁
Didn't think it was possible but wanted to give it a try.
Thanks to what was written above, I experimented with the Netgear GS110TUP.
Boot version 1.0.0.9/Software version 1.0.5.9 - the last one at the time of the test.
Set Maintenance -> Troubleshooting -> Remote Diagnostics to Enable. This opens port 60000.
I logged in with PuTTY using Username: admin and the password, which is the same as for the Web UI, and this came out as a result:
GS110TUP#
Using a question mark gives you the available options and their description.
GS110TUP# ?
clear Reset functions
clock Manage the system clock
configure Configuration Mode
copy Copy from one file to another
debug Debug Options
delete Delete a file from the flash file system
disable Turn off privileged mode command
end End current mode and change to enable mode
exit Exit current mode and down to previous mode
no Negate command
ping Send ICMP ECHO_REQUEST to network hosts
power Power Over Ethernet Configuration
reboot Halt and perform a warm restart
renew Renew functions
restore-defaults Restore to default
save Save running configuration to flash
show Show running system information
ssl Setup SSL host keys
terminal Terminal configuration
traceroute Trace route to network hosts
GS110TUP#
To see the possible sub-commands, put a space after the command and then a question mark.
GS110TUP# power ? will show you:
inline Configure the inline power
GS110TUP# power
which means you have an inline subcommand.
Based on this I did a test and found that I can now start and stop the PoE power on each individual port.
Cool to hear after all these years that even on recent models there is some use for their known, but undocumented CLI!