Security Basics mailing list archives
RE: changing routers and switchs passwords remotely
From: "Jeff Gercken" <JeffG () kizan com>
Date: Sat, 4 Dec 2004 13:49:34 -0500
I wrote a python script that will do this using an expect-like
mechanism. It reads a file containing routername routerip lines and
executes whatever command you want on them and outputs the results in a
logfile.
Another script was written to specifically get "show tech" and can do
either IOS or CATOS (an additional field in the device file). And yea,
I know they're inefficient and ugly; but they do work!
Please correct for word wrap
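# File: routercmd.py
# Author: Jeff Gercken
# Date: 9/30/2003
# Description: Connects to the IOS-based routers listed in the device file,
#              runs one command on each of them and writes the results to a
#              file. Device file format is one "router_name router_ip" pair
#              per line, separated by whitespace.
#
# Written for Python 2 (raw_input, telnetlib with str payloads).
#
# NOTE(review): Telnet carries the username, the password and all command
# output in cleartext, so anyone able to observe the path between this host
# and the devices can read them. Where the devices support SSH, prefer it.
# NOTE(review): the results file holds device output (the script itself labels
# it CONFIDENTIAL); restrict access to the directory it is written to.
############################################################################
# User variables
############################################################################
command = 'show ver'  # optional variable
#user = 'jgercken'  # optional variable
#password = 'shiznit'  # optional variable (and no, this has never been my actual passwd)
# NOTICE!!!!! if you comment out the above lines the script will PROMPT YOU for them
# NOTE(review): leaving user/password unset is the safer choice -- a password
# stored here is readable by anyone who can read this file or a copy of it.
directory = 'c:\\routercmd\\'
devices = directory + 'routers.txt'
#devices = directory + 'test.txt'
errorlog = directory + 'errors.txt'
output = directory + 'results.txt'
############################################################################
# end of user variables
############################################################################
import sys
import telnetlib
import string
import time
import os
import getpass

# Prompt for username & password unless they were set in the section above.
print("Type ctrl-C to cancel script.\n")
if 'user' in locals():
    print("Username " + user + " being used. (Hard coded in script)")
else:
    user = raw_input("Enter your username: ")
if 'password' in locals():
    print("Password configured in script being used.\n")
else:
    password = getpass.getpass("Enter your password: ")
print("\n\n")

# Ask for the command if none was set above, and require an explicit "yes"
# before it is sent to every device in the list.
if 'command' not in locals():
    command = raw_input("\nEnter the command to execute: ")
while True:
    print('WARNING!!!! "' + command + '" will be executed on all devices.')
    confirm = raw_input("Is this ok? ")
    if confirm in ('y', 'ye', 'yes'):
        break
    command = raw_input("\nEnter the command to execute: ")
print("")

cdate = time.strftime("%m-%d-%y", time.localtime(time.time()))  # date in mm-dd-yy format
ctime = time.strftime("%X", time.localtime(time.time()))  # time, locale format (typically hh:mm:ss)

devices = open(devices, 'r')
fileout = open(output, 'w')
try:
    fileout.write('***************************************\n'
                  'Output from script routercmd.py\n'
                  'CONFIDENTIAL\n ' + cdate + ' ' + ctime + '\ncommand: ' + command)
    for line in devices.readlines():
        device = line.split()
        if not device:
            continue  # skip empty lines
        print("Connecting to " + device[0])
        try:
            tn = telnetlib.Telnet(device[1])  # connect to device
        except (KeyboardInterrupt, SystemExit):
            # Ctrl-C is the advertised way to cancel the run; it must not be
            # recorded as an unreachable device and then ignored.
            raise
        except:
            # Any other failure (including a line with no address field) is
            # recorded in the error file and the run moves on.
            print('Error, Device ' + device[0] + ' unreachable')
            error = open(errorlog, 'a', 0)
            error.write('\n' + cdate + ' ' + ctime + ' Error, Device %s unreachable %s'
                        % (device[0], sys.exc_info()[0]))
            error.close()
            continue
        print("Logging in....")
        # NOTE(review): read_until() also returns when its timeout expires, so
        # the username and password below are sent whether or not the expected
        # prompt was actually seen on this connection.
        tn.read_until("name: ", 5)
        tn.write(user + "\n")
        time.sleep(1)
        tn.read_until("Password:", 5)
        tn.write(password + "\n")
        time.sleep(2)  # give the device 2 sec to authenticate w/ TACACS
        # tn.write("enable\n")
        # tn.read_until("Password: ",5)
        # tn.write(password+"\n")
        # tn.read_until("#",5)
        # prevent pause in output
        tn.write("terminal length 0\n")
        tn.read_until("#", 3)
        tn.read_until("#", 3)
        tn.write("\n")  # simply hit return to glean hostname for future use
        hostname = tn.read_until("#", 1)
        # Send command to router
        print("Entering Command....")
        fileout.write('\n***************************************\n' +
                      "ROUTER: " + device[0] + '\n')
        tn.write(command + "\n")
        tn.read_until(command, 1)  # presumably consumes the echoed command
        # Kept in its own name so the results-file path in `output` is not
        # overwritten; reading stops at the first '#' or after 5 seconds.
        result = tn.read_until("#", 5)
        result = string.strip(result)  # the original discarded the stripped value
        fileout.write(result)
        tn.close()  # release the session before moving to the next device
        print('Done, getting next device \n')
finally:
    # Close both files even when the run is cancelled or a session fails.
    devices.close()
    fileout.close()
print('Script completed')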
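# File: deviceconfig.py
# Author: Jeff Gercken
# Date: 1/28/2003
# Description: Connects to the network devices listed in the device file and
#              saves the output of 'show tech' for each one in its own file.
#              Folder = device name, file = weekday name.
#              Device file format is csv like: name,ip,OS  eg:
#              s60-a-1,148.129.170.22,cls
#              A third field of 'cls' selects the CatOS commands; any other
#              value is handled as IOS and is also used as the text expected
#              in front of the '#' prompt.
#
# Written for Python 2 (telnetlib with str payloads).
#
# NOTE(review): Telnet carries the login, the enable password and the whole
# 'show tech' capture in cleartext. Where the devices support SSH, prefer it.
# NOTE(review): the per-device capture files should be treated as sensitive;
# restrict access to the output directory.

# Changeable variables
# NOTE(review): these credentials are stored in the script in cleartext, and
# the same password is sent as the enable password below. Anyone who can read
# this file, or a backup of it, obtains privileged access to every listed
# device; keep the file readable only by the account that runs it, or prompt
# for the password (getpass) when the script is run interactively.
user = 'JG-Script'  # change this to your username
password = 'I35kC23m'  # change this to your password
directory = './'  # change this to where the devicefile is
errorlog = directory + 'errors.txt'
devices = directory + 'devicefile.csv'  # change "filename" to match devicefile filename
#devices = directory + 'test.csv'
import sys
import telnetlib
import string
import time
import os

cdate = time.strftime("%m-%d-%y", time.localtime())  # date in mm-dd-yy format
ctime = time.strftime("%X", time.localtime())  # time, locale format (typically hh:mm:ss)
day = time.strftime("%A", time.localtime())  # name of day: Monday, Tuesday, ...

devices = open(devices, 'r')
for line in devices.readlines():
    # Strip the line ending before splitting: otherwise a three-field line
    # leaves '\n' on its last field and the 'cls' comparison below never matches.
    cdevice = [field.strip() for field in line.strip().split(",", 12)]
    if len(cdevice) < 3:
        # Empty line, or too few fields to hold name, ip and OS.
        if cdevice != ['']:
            print('Skipping malformed line: ' + line.strip())
        continue
    print(cdevice[0])
    # Check for existence of subdirectory, create if necessary
    if not os.path.isdir(directory + cdevice[0]):
        os.mkdir(directory + cdevice[0])
    fileout = open(directory + cdevice[0] + '//' + day + '.txt', 'w')
    # Initialize output file with device name, ip, date, and time
    fileout.write(cdevice[0] + ' ' + cdevice[1] + ' ' + cdate + ' ' + ctime + '\n\n')
    try:
        tn = telnetlib.Telnet(cdevice[1])  # connect to device
    except (KeyboardInterrupt, SystemExit):
        # Let a cancel request through instead of logging it as a dead device.
        fileout.close()
        raise
    except:
        # Record the failure in the error file and carry on with the rest of
        # the list (the original stopped the whole run at the first failure).
        print('Error, Device ' + cdevice[0] + ' unreachable')
        error = open(errorlog, 'a', 0)
        error.write('\n' + cdate + ' ' + ctime + ' Error, Device %s unreachable %s'
                    % (cdevice[0], sys.exc_info()[0]))
        error.close()
        fileout.close()
        continue
    if cdevice[2] == 'cls':  # if device is switch use these commands
        print("Device is a switch")
        print("Downloading data....")
        # No timeout on the three login prompts: the script waits until each
        # prompt appears before it sends the credential.
        tn.read_until("Username: ")
        tn.write(user + "\n")
        tn.read_until("Password:")
        tn.write(password + "\n")
        time.sleep(2)  # give the device time to authenticate
        tn.write("enable\n")
        tn.read_until("Password: ")
        tn.write(password + "\n")
        tn.read_until("(enable)", 10)
        # prevent pause in output
        tn.write("set length 0\n")
        tn.read_until("(enable)", 10)
        # prevent console messages in output
        tn.write("set logging session disable\n")
        tn.read_until("(enable)", 5)
        # Send 'sh tech' command to switch
        tn.write("show tech\n")
        output = tn.read_until("(enable)", 10)
    else:  # assume anything else is a router or ios switch and use ios commands
        print('Device is a router or switch running IOS')
        print("Downloading data....")
        # NOTE(review): read_until() also returns when its timeout expires, so
        # on this path the credentials are sent whether or not the expected
        # prompt was actually seen.
        tn.read_until("name: ", 5)
        tn.write(user + "\n")
        time.sleep(2)
        tn.read_until("Password:", 5)
        tn.write(password + "\n")
        time.sleep(2)  # give the device time to authenticate
        tn.write("enable\n")
        tn.read_until("Password: ", 5)
        tn.write(password + "\n")
        tn.read_until("#", 5)
        # prevent pause in output
        tn.write("terminal length 0\n")
        tn.read_until("#", 5)
        # console messages not sent by default
        # Send 'sh tech' command to the device
        tn.write("show tech\n")
        output = tn.read_until(cdevice[2] + '#', 10)
    # NOTE(review): read_until() returns whatever has arrived once the 10 s
    # timeout expires, so a long 'show tech' may be saved incomplete.
    output = string.strip(output)  # the original discarded the stripped value
    fileout.write(output)
    fileout.close()
    tn.close()  # release the session before moving to the next device
    print('Done, getting next device \n')
devices.close()
print('All done')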
-----Original Message-----
From: Juan B [mailto:juanbabi () yahoo com]
Sent: Thursday, December 02, 2004 4:24 AM
To: security-basics () securityfocus com
Subject: changing routers and switchs passwords remotely
Hi,
in my organization we need to change the enable
password of the switches (about 80) and routers once
every three months. I am looking for a cheap utility or
application which can help me do that.
can someone advise please?
thanks !!!
