3Com SuperStack II Hub Password Reset

by Van Emery



Introduction

I was recently given a 12-port 3Com SuperStack II managed hub. Unfortunately, nobody knew the passwords. I had to do quite a bit of digging and guessing to figure out how to reset the passwords, since 3Com does not document a password reset procedure. There were some helpful links, though, which can be found in the resources section. One link that I found referred to a procedure to reset the passwords on a 3Com switch by upgrading the software image, and another referred to entering a special keyword before upgrading the software image. None of these procedures were exactly what I needed, but they contained clues that helped me figure it out.

Here are the 3Com model numbers:

The management module is an optional card that can be installed into the back of the hub. The management module allows remote access via TELNET, SNMP, RS-232 serial, or SLIP. The unit can be managed over IP or IPX. Multiple 3Com hubs can be linked together via special cables, with the entire stack being controlled by a single management module. This document discusses how to reset the passwords on the management module.

My management module contained the following version numbers:

Management Module Hardware Revision:    2
Flash EPROM Software Revision:          3.19
PROM Software Revision:                 3.00

Preliminary Steps

In order to connect to the management module, you will need an RS-232 serial cable. The 3Com hub uses a female DB-25 connector configured as a DTE. If you are connecting from a PC or laptop, you will probably need a female DB-9 on your PC or laptop, and a male DB-25 connector on the 3Com hub side. The cable has to be a null-modem cable, or you will need to connect a null-modem adapter to one end of your cable. Your terminal software should be setup for 9600-N-8-1, no flow control. You should select VT-100 emulation if possible. You can use Minicom, Hypterterm, Procomm, SecureCRT, or any other terminal program. When connected, you should hit ENTER twice, then you will get a login screen.

First, you should try the factory default passwords and see if you can get in. For the 3C16630A management module, the default usernames and passwords are:

If these do not work, try some of the 3Com backdoors that have been recorded by many people. They can be found by following the links in the resources section or querying a search engine for 3Com passwords.

You will want to grab the documentation for the 3Com devices:

You will also want to grab several software packages for the Management Module. These are self-inflating Windows executables:

You can also download the software images directly from 3Com here.

When you execute the file, it will unpack several files, including binary files and README files. The software images that you will be using are the FMA03_xx.SLX files.

Setting up the Network and TFTP Server

Since the password reset procedure requires an image download, you need to have a configured TFTP server as well as Ethernet connectivity to the SuperStack II Hub. If you have a Unix or GNU/Linux box with TFTP server, then just use that. If not, there are several decent Win32 TFTP servers that you can use:

Don't forget to move your FMA03_xx.SLX files into the TFTP server's default directory!

Make sure there is an Ethernet connection between the TFTP server host and the 3Com Hub.

Make sure there is a free IP address on the same subnet as the TFTP server. You will need to assign an IP address to the 3Com Hub during this procedure.

Accessing the Software Upgrade Configuration Utility

Normally, the Network Management Module is upgraded via the menu interface. Since you do not have the passwords, you will have to get into the Software Upgrade Configuration Utility. You will need to follow the steps outlined below:

  1. Press the "Reset" button on the back of the hub.
  2. When the yellow "Configure" LED comes on, quickly press the "Reset" button, then let go.
  3. After a short time, the yellow "Configure" LED will start flashing and a "Software Upgrade Configuration Utility" prompt will appear will appear on your terminal screen. You need to press "h" or "H", otherwise a timeout will occur and the unit will continue to boot.

3Com Hub

You should now see this on your terminal screen:

Software Upgrade Configuration Utility.  PROM version 3.00
(Type h for help)
> h

Commands for Device Configuration:-

    L                  list the current settings of these parameters.
    A ip-address       set the IP address of the device.
    D ip-address       set the IP address of the default gateway.
    M subnet-mask      set the IP subnet mask.
    R                  reset the Management Software's configuration of
                       the serial port to default values when it is next
                       restarted
    G                  "Go": restart device without performing an upgrade.

Commands for Software Upgrade:-

    F filename         specify the name of the software image file.
    S ip-address       set the IP address of the TFTP file server
    S ipx-address      set the IPX address of the TFTP file server
    B                  start the software upgrade.
    B ip-address       start the upgrade, from the specified file server
    B ipx-address      start the upgrade, from the specified file server
>

Now, use the "A", "D", and "M" menu options to set your IP address, default gateway, and subnet mask. You can then use the "L" command to view all of the settings. The "S" and "F" commands configure the IP address of the TFTP server and the name of the image file.

Here is an example:

> L
                                                                                               
Device Configuration:-
                                                                                               
    Network port IP address:   0.0.0.0
    Subnet Mask:               0.0.0.0
    Default gateway:           0.0.0.0
                                                                                               
Software Upgrade Configuration:-
                                                                                               
    Software image file:
    Software server address:
    Status of last upgrade attempt: 22 (Software Upgrade successful)
                                                                                               
> A 192.168.21.6
> D 192.168.21.1
> M 255.255.255.0
> S 192.168.21.100
> F FMA03_19.SLX
> L
                                                                                               
Device Configuration:-
                                                                                               
    Network port IP address:   192.168.21.6
    Subnet Mask:               255.255.255.0
    Default gateway:           192.168.21.1
                                                                                               
Software Upgrade Configuration:-
                                                                                               
    Software image file:            FMA03_19.SLX
    Software server address:        192.168.21.100
    Status of last upgrade attempt: 22 (Software Upgrade successful)

What image software should you use? You should probably just use FMA03_19.SLX. This will work even if you are already using FMA03_19.SLX. I have successfully tested this procedure with upgrades, downgrades, and reloading the same image.

Now that you are ready to download an image, you will have to put in the undocumented command that resets the passwords:

 RIP 0000

Here are the actual commands and the results:

> RIP 0000
> B
                                                                                               
                                                                                               
Starting Software Upgrade
................................................................................
...............................................................................
Software Upgrade complete.
Restarting the device...

This procedure takes several minutes, so be patient! After the hub has restarted and all the LEDs on the front panel look normal, you can hit ENTER twice. You should see a login prompt. Use

  security / security

to login. Now, you can configure the device as you see fit.

Conclusion

This procedure should allow you to reset the passwords on your 3C16630A Network Management Module. This process also illustrates why "security through obscurity" doesn't work. It only takes one person to post the "secret" procedure or backdoor password plus a search engine, and then everybody knows. Of course, it is still a pain for the owner of the equipment to track this down himself, rather than simply finding it in the documentation.

For best security, there should be no secret procedures or backdoor passwords, just a well-documented procedure for password recovery or reset that requires physical access to the device.



Resources






Back to Network Gouge...

Valid HTML 4.01!