“Hidden” CLI interface on Netgear GS110TP

The price difference between cheaper “smart managed” and higher-priced “fully managed” switches is often made up by a) removing serial console access and b) disabling access to a remote CLI. After working more often with managed switches I really appreciate CLI access, since most GUIs I’ve used so far (Netgear, HP-H3C Comware, Cisco IOS) were not much of a pleasure and most often slow. A serial console was of less use, but it becomes very handy if the device doesn’t want to boot or for initial configuration.

Some vendors restrict or hide CLI access on their larger smart switches – maybe for support or developer purposes – one that I know about is the HP 1910s that I’ve used (formerly the H3C-based 3Com 2928). It was during a port scan on my GS110TP that I realized there were more than the expected HTTP and HTTPS ports responding. After increasing the scope to a full TCP scan I saw 2 ports in the upper range that caught my interest:

# nmap -p 1-65535 -T4 -A -v <ip>
[...]
Completed NSE at 08:44, 35.57s elapsed
Nmap scan report for myswitch.net.example.org (<ip>)
Host is up (0.011s latency).
Not shown: 65528 closed ports
PORT      STATE    SERVICE         VERSION
22/tcp    filtered ssh
23/tcp    filtered telnet
80/tcp    open     http?
|_http-methods: HEAD GET OPTIONS
|_http-title: NETGEAR GS110TP
161/tcp   filtered snmp
443/tcp   open     ssl/https?
| ssl-cert: Subject: commonName=<removed>
[...]
4242/tcp  open     vrml-multi-use?
60000/tcp open     unknown
[...]

For sure the default telnet and ssh didn’t return anything interesting, but there were TCP 4242 and TCP 60000 remaining. Apparently 4242 isn’t of much use, possibly a management interface for Netgear, but it seems to have been detected by others on a couple of Netgear switches. During a quick search I came across a post from Koos van den Hout, who had detected a telnet server on a larger, rackmount GS716T using an older firmware, so at least there was a trace of Netgear having a “hidden” CLI access on some of their larger smart switches. I tried my luck using a telnet client on my tiny 10-port switch, and what I got closely resembled Koos’ GS716T.

(Broadcom FASTPATH Switching) Applying Interface configuration, please wait ...

I continued as follows: since the GS110TP doesn’t allow defining different users or RADIUS-based management authentication, I tried what Koos suggested and used the default ‘admin’ user as found on larger switches that do have a user name for login. This resulted in a password prompt. To get full access, enter ‘enable’ and press Enter twice (Cisco IOS – anyone?). Now I can confirm that this works for the GS110TP running version 5.4.2.10, and likely the GS108Tv2 (uses the same firmware image):

(Broadcom FASTPATH Switching)
Applying Interface configuration, please wait ...admin
Password:*******************
(Broadcom FASTPATH Switching) >
(Broadcom FASTPATH Switching) >?

enable                   Enter into user privilege mode.
help                     Display help for various special keys.
logout                   Exit this session. Any unsaved changes are lost.
passwd                   Change an existing user's password.
ping                     Send ICMP echo packets to a specified IP address.
quit                     Exit this session. Any unsaved changes are lost.
show                     Display Switch Options and Settings.

(Broadcom FASTPATH Switching) >enable
Password:
(Broadcom FASTPATH Switching) #show version
Switch: 1

System Description............................. GS110TP
Machine Type................................... GS110TP
Machine Model.................................. GS110TP smartSwitch
Serial Number.................................. [...]
FRU Number.....................................
Part Number.................................... BCM53312
Maintenance Level.............................. A
Manufacturer................................... 0xbc00
Burned In MAC Address.......................... [...]
Software Version............................... 5.4.2.10
Operating System............................... ecos-2.0
Network Processing Device...................... BCM53312_B0
[...]
Additional Packages............................ FASTPATH QOS
                                                FASTPATH IPv6 Management
                                                iÞä°cüå|Ø

(Broadcom FASTPATH Switching) #configure
(Broadcom FASTPATH Switching) (Config)#

As you can see at the end, even going into config mode is possible. If you are familiar with the Cisco IOS CLI you’ll realize how similar things are on the Netgear switches (Google tells us FASTPATH is from Broadcom). Also you can have a look at Netgear’s M4100 or M5300 CLI guides to get a closer idea of the CLI command usage, though not all commands are available on this box. If you change things via CLI, remember to save the running config to the NVRAM’s startup config which is what the web UI automatically does for you. (#copy system:running nvram:startup-config)

Warning: Some commands cause instant reboot
However, as Koos already confirmed for the GS716T, certain commands don’t seem to be recognized and may cause an instant reboot of the switch without saving to the NVRAM (e.g. #ip ssh server enable). That might be the reason why Netgear preferred disabling regular CLI access on this firmware, since they didn’t want to support it. Still, it can be quite useful to know that even on such a small entry-level manageable switch there is a CLI available in case you need it.
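The scan near the top of this post can be turned into a repeatable audit. The following is an added example, not part of the original post: it parses nmap's normal output and reports open ports outside a documented baseline. The baseline (web UI on 80 and 443) and the function names are assumptions, and the sample input is reconstructed from the scan output shown above.

```python
import re

# Constructed sample: the port table from the scan shown in this post.
SAMPLE_SCAN = """\
Nmap scan report for myswitch.net.example.org (<ip>)
Host is up (0.011s latency).
Not shown: 65528 closed ports
PORT      STATE    SERVICE         VERSION
22/tcp    filtered ssh
23/tcp    filtered telnet
80/tcp    open     http?
|_http-title: NETGEAR GS110TP
161/tcp   filtered snmp
443/tcp   open     ssl/https?
4242/tcp  open     vrml-multi-use?
60000/tcp open     unknown
"""

# Assumption: the only documented management listeners are the web UI ports.
DOCUMENTED = {("tcp", 80), ("tcp", 443)}

PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")
HOST_LINE = re.compile(r"^Nmap scan report for (.+)$")

def parse_ports(scan_text):
    """Yield (host, proto, port, state, service) from nmap's normal output."""
    host = None
    for line in scan_text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:  # table header and NSE script lines ("|_...") do not match
            port, proto, state, service = m.groups()
            yield host, proto, int(port), state, service.rstrip("?")

def undocumented_listeners(scan_text, documented=DOCUMENTED):
    """Return open ports that are missing from the documented baseline."""
    findings = []
    for host, proto, port, state, service in parse_ports(scan_text):
        # Only a plain "open" state counts; "filtered" ports gave no answer.
        if state == "open" and (proto, port) not in documented:
            findings.append((host, proto, port, service))
    return findings

if __name__ == "__main__":
    for host, proto, port, service in undocumented_listeners(SAMPLE_SCAN):
        print(f"{host}: undocumented listener {port}/{proto} ({service})")
```

Run against saved scans of each management address after a firmware update, this shows whether the set of listeners has changed.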

6 Comments

  • Interesting! I’m specifically looking into ways to cycle PoE-power on connected devices, under software control. This might offer a way to do so?

  • Hi! I’m trying to find any information about GS110TP boot time. Even support can’t help, they don’t have such information and don’t have this device in their lab. I want to know, how fast does it start? I mean the time from power on to working (switching) state. Can you help me with this information?

    • I haven’t checked exactly, but from plugging in the power to the stage where all ports are coming up it is a little under 1 minute. Certainly that’s slower than any unmanaged, but still quicker than most managed switches I’ve encountered so far. It’s a switch with lots of features and lots of bang for the buck. For a small installation they are OK, but I wouldn’t want to manage an armada of these switches (due to the rather sluggish Web-UI).


February 11, 2014
