“Hidden” CLI interface on Netgear GS110TP

The price difference between cheaper “smart managed” and higher-priced “fully managed” switches is often made up by a) removing serial console access and b) disabling access to a remote CLI. After working more often with managed switches I really appreciate CLI access, since most GUIs I’ve used so far (Netgear, HP-H3C Comware, Cisco IOS) were not much of a pleasure and most often slow. Serial console was of less use, but it becomes very handy if the device doesn’t want to boot or for initial configuration.

Some vendors restrict or hide CLI access on their larger smart switches – maybe for support or developer purposes – one that I know about was the HP 1910s that I’ve used (formerly H3C-based 3Com 2928). It was during a port scan on my GS110TP that I realized there were more than the expected HTTP and HTTPS ports responding. After increasing the scope to a full TCP scan I saw 2 ports in the upper range that caught my interest:

# nmap -p 1-65535 -T4 -A -v <ip>
[...]
Completed NSE at 08:44, 35.57s elapsed
Nmap scan report for myswitch.net.example.org (<ip>)
Host is up (0.011s latency).
Not shown: 65528 closed ports
PORT      STATE    SERVICE         VERSION
22/tcp    filtered ssh
23/tcp    filtered telnet
80/tcp    open     http?
|_http-methods: HEAD GET OPTIONS
|_http-title: NETGEAR GS110TP
161/tcp   filtered snmp
443/tcp   open     ssl/https?
| ssl-cert: Subject: commonName=<removed>
[...]
4242/tcp  open     vrml-multi-use?
60000/tcp open     unknown
[...]

For sure the default telnet and ssh ports didn’t return anything interesting, but there were TCP 4242 and TCP 60000 remaining. Apparently 4242 isn’t of much use, possibly a management interface for Netgear, but it seems to have been detected by others on a couple of Netgear switches. During a quick search I came across a post from Koos van den Hout, who had detected a telnet server on a larger, rackmount GS716T using an older firmware, so at least there was a trace of Netgear having a “hidden” CLI access on some of their larger smart switches. I tried my luck using a telnet client on my tiny 10-port switch, and what I got closely resembled Koos’ GS716T.

(Broadcom FASTPATH Switching) Applying Interface configuration, please wait ...

I continued as follows: since the GS110TP allows neither defining different users nor RADIUS-based management authentication, I tried what Koos suggested and used the default ‘admin’ user as found on larger switches that do have a user name for login. This resulted in a password prompt. To get full access, enter ‘enable’ and press enter twice (Cisco IOS – anyone?). Now I can confirm that this works for the GS110TP running version 5.4.2.10, and likely the GS108Tv2 (uses the same firmware image):

(Broadcom FASTPATH Switching)
Applying Interface configuration, please wait ...admin
Password:*******************
(Broadcom FASTPATH Switching) >
(Broadcom FASTPATH Switching) >?

enable                   Enter into user privilege mode.
help                     Display help for various special keys.
logout                   Exit this session. Any unsaved changes are lost.
passwd                   Change an existing user's password.
ping                     Send ICMP echo packets to a specified IP address.
quit                     Exit this session. Any unsaved changes are lost.
show                     Display Switch Options and Settings.

(Broadcom FASTPATH Switching) >enable
Password:
(Broadcom FASTPATH Switching) #show version
Switch: 1

System Description............................. GS110TP
Machine Type................................... GS110TP
Machine Model.................................. GS110TP smartSwitch
Serial Number.................................. [...]
FRU Number.....................................
Part Number.................................... BCM53312
Maintenance Level.............................. A
Manufacturer................................... 0xbc00
Burned In MAC Address.......................... [...]
Software Version............................... 5.4.2.10
Operating System............................... ecos-2.0
Network Processing Device...................... BCM53312_B0
[...]
Additional Packages............................ FASTPATH QOS
                                                FASTPATH IPv6 Management
                                                iÞä°cüå|Ø

(Broadcom FASTPATH Switching) #configure
(Broadcom FASTPATH Switching) (Config)#

As you can see at the end, even going into config mode is possible. If you are familiar with the Cisco IOS CLI you’ll realize how similar things are on the Netgear switches (Google tells us FASTPATH is from Broadcom). Also you can have a look at Netgear’s M4100 or M5300 CLI guides to get a closer idea of the CLI command usage, though not all commands are available on this box. If you change things via CLI, remember to save the running config to the NVRAM’s startup config which is what the web UI automatically does for you. (#copy system:running nvram:startup-config)

Warning: Some commands cause instant reboot
However, as Koos already confirmed for the GS716T, certain commands don’t seem to be recognized and may cause an instant reboot of the switch without saving to the NVRAM (e.g. #ip ssh server enable). That might be the reason why Netgear preferred disabling regular CLI access on this firmware, since they didn’t want to support it. Still, it can be quite useful to know that even on such a small entry-level manageable switch there is a CLI available in case you need it.
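An added example, not part of the original post: a check that compares nmap's port table against the ports a web-managed switch is expected to expose and flags anything else, marking ports whose first bytes look like a CLI prompt. The allowlist, the marker list, the sample banners and the port they are attached to are assumptions made for illustration.

```python
import re

# Constructed sample: the port table from the scan in this post.
SAMPLE_SCAN = """\
PORT      STATE    SERVICE         VERSION
22/tcp    filtered ssh
23/tcp    filtered telnet
80/tcp    open     http?
|_http-title: NETGEAR GS110TP
161/tcp   filtered snmp
443/tcp   open     ssl/https?
4242/tcp  open     vrml-multi-use?
60000/tcp open     unknown
"""
# Constructed: first bytes read from each unexpected port. Which port carries
# the CLI is an assumption; the post does not name it.
SAMPLE_BANNERS = {
    4242: b"",
    60000: b"(Broadcom FASTPATH Switching) Applying Interface configuration",
}

EXPECTED_OPEN = {80, 443}                              # assumption: web UI only
CLI_MARKERS = (b"FASTPATH", b"Password:", b"login:")   # hypothetical marker list
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(nmap_text):
    """Yield (port, proto, state, service) rows from nmap's normal output."""
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)      # header and NSE lines ("|_...") do not match
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)

def unexpected_open(nmap_text, expected=EXPECTED_OPEN):
    """Open TCP ports that are not on the allowlist, sorted."""
    return sorted(port for port, proto, state, _ in parse_ports(nmap_text)
                  if proto == "tcp" and state == "open" and port not in expected)

def audit(nmap_text, banners, expected=EXPECTED_OPEN):
    """Return {port: finding} for every open port outside the allowlist."""
    findings = {}
    for port in unexpected_open(nmap_text, expected):
        banner = banners.get(port, b"")
        if any(marker in banner for marker in CLI_MARKERS):
            findings[port] = "interactive CLI banner: restrict to the management network"
        else:
            findings[port] = "open, purpose unknown: confirm with the vendor or block"
    return findings

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_SCAN, SAMPLE_BANNERS).items():
        print(f"{port}/tcp  {finding}")
```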

February 11, 2014


Admin login through RADIUS on Netgear managed

When I had already dived into RADIUS for wireless network authentication, authorization (and accounting) – AAA – I started to think that it was worth tinkering with moving admin authentication of @work switches to RADIUS too. Netgear managed switches definitely support this – unfortunately neither their websites, KB, nor the (mostly quite good) Software Administration Manuals for firmware 8.0 and 10.0 mention real-life configuration examples – only 802.1x port authentication.

I had to get inspired by comparing Cisco and Dell PowerConnect (see “P.S.”) documentation and blog posts, but in the end I hope this makes sense for you too:

Configuration

First things first, define a local admin password and enable password (if your policy or you want to have it):

(switch) #enable password
(switch) #configure
(switch) (Config)#username admin password

Then enter the RADIUS server configuration and prepare authentication via RADIUS, where Netgear uses a concept of lists that contain methods of authentication (very close to Cisco IOS too). The first method will be used as long as it does not time out; I put local in there in case no RADIUS server is available. Since my environment was small and I wanted to keep the config files as small as possible, I stuck to the default lists, which for SSH and Telnet is the ‘networkList’.

(switch) (Config)#radius server host auth <ip|name> port 41812
(switch) (Config)#radius server key auth <ip|name>

(switch) (Config)#aaa authentication login "networkList" radius local

Still not getting to privileged mode?

The 10.x-based Netgears should let you authenticate with any user the RADIUS server allows access to, yet they don’t let you into privileged exec mode other than with the local enable password. Here you have at least 3 options, and for 2 of them I know how to achieve them:

Use a global enable admin (1)

You can configure ‘enableList’ (or create an enable list of your own) to do RADIUS auth, but then it will ask your server to verify a user called $enab15$ (this is actually documented in the CLI manual). Obviously the point of having personal admin accounts is not to have shared global admin passwords again. This works and is documented in the CLI manual, but personally I don’t really like this idea.

Tell the switch that the user is an administrative user (2 & 3)

Alternatively, you can configure your RADIUS server to inform the switch via an additional reply message: “this is an admin, let him/her into privileged mode”. For Netgear the message is Service-Type = Administrative-User – finding this out was possible thanks to similarities with Dell PowerConnect and by trying it out.

(2) If you have your own lists you’ll have to figure out how to configure the switch to work correctly, but in case you use the default lists (3), you have to tell your switch to interpret the additional message with:

(switch) (Config)#aaa authorization exec default radius local

For the Web-UI this additional reply message from the RADIUS server is (interestingly!) not required. Any user for whom your RADIUS server sends “Access-Accept” gets full access to the Web-UI. (I’ll re-check this.) Make sure you only let members of your admin group pass at the level of the RADIUS server. If you are ok with this, you only have to tell the http method to use RADIUS too:

(switch) (Config)#ip https authentication radius local

Obviously you can send cisco-avpair = “shell:priv-lvl=15”, which is what you can do with Cisco switches – the advantage being that you should be able to pass the privilege level more granularly, although I haven’t investigated what the different privilege levels other than 15 (admin) mean on Netgear.

Finally, on 10.x the serial ports (line console) don’t use networkList by default but defaultList – by modifying networkList you obviously leave the console on local authentication only – what are your thoughts on this? If I have physical access to the device, should I make it possible to silently trial-and-error network admin passwords, or should I make things consistent for all logins?

 

Differences to pre-10.x firmware

For firmware 8.0-based switches that can’t be updated to 10.x firmware things are a bit different – and likely 9.0 too according to the CLI manuals (I didn’t have any 9.x available, as all have been legit for the 10.x upgrade). The ‘aaa authorization’ command didn’t exist back then. Instead of this, create an authentication list and map it to the ssh method. The additional message from your RADIUS server is thereafter sufficient to get to enable mode.

aaa authentication login mylist radius local
line ssh
(switch) >login authentication mylist

Difference in enable behaviour

Both 8.x/9.x and 10.x will happily pass you to privileged exec mode on a CLI, with the following differences (with this config, YMMV):

  • 10.x will put you directly into privileged exec mode (prompt: (hostname) #) if it has received Service-Type = Administrative-User
  • 8.x/9.x will continue asking for the enable command but let you pass without an additional password query
  • 10.x will NOT let you in without this message – even if the RADIUS server has sent ‘Access-Accept’
  • 8.x/9.x will let any user into the CLI for which it has received an “Access-Accept” – but it will deny privileged exec mode without receiving the additional message from the RADIUS server:
(8.x-switch) >enable

Access Denied! You are not authorized to enter into Privilege mode!
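An added example, not from the original post or from Netgear: a small model of the behaviour listed above, which parses a RADIUS reply (RFC 2865 layout) and reports what CLI and web UI access each firmware family would grant. The reply packets are constructed, the function names are hypothetical, and the outcomes encode only what this post reports.

```python
import struct

ACCESS_ACCEPT = 2          # RFC 2865 packet code
ATTR_SERVICE_TYPE = 6      # RFC 2865 attribute type
ADMINISTRATIVE_USER = 6    # Service-Type value (FreeRADIUS: Administrative-User)

def build_reply(code, attrs, ident=1):
    """Constructed test packet: header, zeroed authenticator, TLV attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_reply(packet):
    """Return (code, {attr_type: [values]}); raise ValueError on bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def is_admin(attrs):
    """True if any Service-Type attribute carries Administrative-User."""
    return any(len(v) == 4 and struct.unpack("!I", v)[0] == ADMINISTRATIVE_USER
               for v in attrs.get(ATTR_SERVICE_TYPE, []))

def cli_access(packet, firmware):
    """Model of the list above; firmware is '10.x' or '8.x' (covers 9.x)."""
    code, attrs = parse_reply(packet)
    if code != ACCESS_ACCEPT:
        return "denied"
    if firmware == "10.x":
        return "privileged exec" if is_admin(attrs) else "denied"
    return "user exec, enable allowed" if is_admin(attrs) else "user exec, enable denied"

def web_ui_access(packet):
    """Per the post (default lists): any Access-Accept gives full web UI access."""
    return "full" if parse_reply(packet)[0] == ACCESS_ACCEPT else "denied"

# Constructed replies: an admin, and an ordinary user the server also accepts.
ADMIN = build_reply(ACCESS_ACCEPT, [(ATTR_SERVICE_TYPE, struct.pack("!I", 6))])
PLAIN = build_reply(ACCESS_ACCEPT, [])
```

The `PLAIN` case is the one to watch: it is denied on the 10.x CLI but still gets the full web UI, which is why the post recommends letting only admin group members pass at the RADIUS server.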

In a later post I’ll jot down a sample configuration for basic switch admin authentication for FreeRADIUS; note that Netgears only do the most basic RADIUS authentication method, called PAP. With FreeRADIUS this requires you to have passwords stored in cleartext in your password database (which is not what AD does; it stores NT hashes) – but there is a workaround for this dilemma, at least with AD.

References

P.S. Chances are good that if you have some Dell PowerConnect switches and see FASTPATH mentioned in SNMP MIBs, manuals etc., or you think that the syntax looks very close to Netgear – yes, both are running on the same Broadcom FASTPATH software (based on some embedded Linux kernel).

ftp://downloads.netgear.com/files/GDC/M5300/M5300_CLI_Aug2012.pdf

July 16, 2013


Monitoring Netgear Switches: Interesting MIBs

At my job we have been introducing new switches, and in terms of features and cost we’ve gone with Netgear. Sure, every vendor has its sharp edges, but so far I’ve mostly been quite happy with them. I’ve been tinkering with how to monitor them – since they do SNMP I studied their MIBs and have found out some things that might help. One major disadvantage compared to big vendors is that far fewer companies use them in production and thus monitor them – I haven’t been able to find a specialized plugin that would cover Netgear-specific items, so this is a quick note on what I’ve been able to find. This only covers the fully managed switches; I don’t know if their smart managed switches also partially run on FASTPATH.

Netgear = Broadcom FASTPATH
The first and most obvious thing that I’ve found was that not only are the chips inside Netgear managed switches from Broadcom (as were 3Com’s) but also the operating system; in fact the MIB naming suggests that Netgear buys the base (Linux-based) switching OS from Broadcom, which is called FASTPATH (http://www.broadcom.com/products/Switching/Software/FASTPATH). According to a Google search, some Dell switches are also known to run some sort of Broadcom FASTPATH.

Getting the right MIBs
Be sure to get a set of MIBs matching as closely as possible the revision you run. Netgear seems to modify behaviour (so did Cisco) or the meaning of values, so be sure you get the matching MIB for your product! At least the naming of the MIBs seemed to stay consistent though.

MIB 8.x to 9.x/10.x
While some of the (now) older switches run 8.x firmware, I’ve realized that this revision (and likely previous releases too) tends to have a different meaning for output values. 9.x and 10.x based switches seem to be more consistent with each other, but I wouldn’t vouch for that.

The most interesting parts are in private MIBs
I’ve been more interested in environmental and STP status, and although Netgear seems to implement BRIDGE-MIB, I had to realize that the most valuable information about STP is only exposed through their private MIBs:

FASTPATH-SWITCHING-MIB (fastpathswitching.my)
If you are looking into monitoring STP status or checking some switching configuration, this is the MIB you’ll want to check. Some examples that I’ve found useful:

  • agentStpAdminMode: Returns 1 when STP is enabled (I guess you don’t want that to be disabled!)
  • agentStpForceVersion: Returns the configured STP mode: Multiple, Rapid or even plain ol’ STP
  • agentStpCstPortForwardingState: Followed by .<ifIndex> it gives you the current forwarding state of an (R)STP port
  • agentStpMstPortForwardingState: Gives meaningful values about the switch in case you’re using MSTP

FASTPATH-BOXSERVICES-PRIVATE-MIB (fastpath_boxservices.my)
This is the MIB that has environmental values. It shows strong differences between 8.x and 9.x/10.x based firmware, so pay attention. For sure a GSM5212P (12-Port GE) doesn’t have the same number of fans as a GSM7228P (Stackable 24 GE + 1 10GE).

Unfortunately on most models I’ve encountered, some OIDs are not meaningful (buggy?) and thus can’t be used for monitoring. Either way, here are some OIDs I’ve found interesting:

  • boxServicesFanItemState: Depending on the model you’ll almost certainly have .1 as the first fan. Some switches have 2-3 or more fans, so be sure to check .1 through .n
  • boxServicesFanSpeed: Most often bogus as it seems (9.x)
  • boxServicesPowSupplyItemState: While .1 tends to be the main PSU, .2 tends to be the RPS connector (not present by default)
  • boxServicesTempSensorState: Some devices have more than one sensor (.1), do a walk to find out.

As I haven’t been able to find plugins for Nagios or Icinga to monitor Netgear boxes, I guess I’ll have to write my own checks. I hope to post some examples here.

May 6, 2013
