Large Scale Password Change without Prizm needed

I need to change the administrative password for over 700 SMs very quickly. I own Prizm but have not implemented it yet, so that option is out. Does anyone know another way to accomplish this without touching each SM in the system manually?

Any help is appreciated.

Realistically there is no faster way than to get Prizm going.

Other options are Castlerock (high $$ and setup time), custom SNMP script (time).

By the time you screw with these you could have Prizm up and running.

Is there a way to change the admin account password using prizm or is it only possible to change the root account password? Better yet, is there an easy way to remove the admin account? We have around 1400 SM’s out there so an automated way to update passwords would be great.

PatrickCW wrote:
Is there a way to change the admin account password using prizm or is it only possible to change the root account password? Better yet, is there an easy way to remove the admin account? We have around 1400 SM's out there so an automated way to update passwords would be great.


Is this Solved?

Very old thread (excepting osvaldotcf’s query) but something I dealt with recently, and decided to post as a reply here so it would turn up in future searches.

In order to use the scripts here, you'll need Perl, nmap (at /usr/bin/nmap, or alter path in code) and Perl modules Nmap::Parser and Net::SNMP installed (either distro packages, or "perl -MCPAN -e 'install Nmap::Parser'" and "perl -MCPAN -e 'install Net::SNMP'" should work). I've only run it on Linux (Ubuntu and Mandriva) servers, I can't help you with Windows (though I'm betting most of you have a Linux box available).

First up, you need SNMP-write enabled. If this is not the case, you can use the script I posted here before (http://motorola.wirelessbroadbandsupport.com/support/community/viewtopic.php?f=1&t=6656) to enable it. I’ve included the final NMap-enabled makewriteable.pl script here for cohesiveness:

```perl
#!/usr/bin/perl
#
# makewriteable.pl
# change read-only to read/write SNMP on Canopy SMs/APs running 9.x firmware
#
# Copyright 2009 Joel NewKirk
# jnewkirk@canmon.us
# subject to the MIT license as presented here: http://www.opensource.org/licenses/mit-license.php

# Expects nmap address-spec followed by the admin password

$|=1;
my $debug=2;
use IO::Socket::INET;

use Nmap::Parser;
my $np = new Nmap::Parser;

my $ip=shift;
my $adminpass=shift;

# ping-scan the target spec and try every host that answers
my @scanblocks=($ip);
$np->parsescan('/usr/bin/nmap','-sP -PE -n -T5',@scanblocks);
for my $host ($np->all_hosts())
{
    if ($host->status() eq 'up')
    {
        print "found something at ".$host->ipv4_addr."\n" if ($debug>0);
        makewriteable($host->ipv4_addr,$adminpass);
    }
}


# log in to the web interface, find the SNMPReadOnly form field and set it to 0
sub makewriteable
{
    my ($ip,$pass)=@_;
    my $host=$ip.":80";
    my $EOL = "\015\012";
    # percent-encode the password so characters such as & or spaces survive the query string
    $pass =~ s/([^A-Za-z0-9_.~-])/sprintf("%%%02X",ord($1))/ge;
    print $ip . " " . $host . "\n";
    # a host without a web interface is skipped instead of ending the whole run
    my $remote=IO::Socket::INET->new($host)
        or do { warn "Failed to connect to $host\n"; return; };
    $remote->autoflush(1);
    print $remote "GET /login.cgi?CanopyUsername=admin&CanopyPassword=$pass HTTP/1.1".$EOL;
    print $remote 'User-Agent: Mozilla/5.0'. $EOL;
    print $remote $EOL;
    print $remote $EOL;
    while (<$remote>)
    {
        # the login response carries the session id
        if (/Session=(.*)\"/)
        {
            my $sessid=$1;
            print "session $sessid for $ip\n" if ($debug>1);
            my $remote1=IO::Socket::INET->new($host)
                or do { warn "Failed to connect to $host\n"; return; };
            $remote1->autoflush(1);
            print $remote1 "GET /main.cgi?catindex=1&pageindex=4&Session=$sessid HTTP/1.1".$EOL;
            print $remote1 'User-Agent: Mozilla/5.0'. $EOL;
            print $remote1 $EOL;
            print $remote1 $EOL;
            while (<$remote1>)
            {
                # pick the name of the SNMPReadOnly field out of the configuration page
                if (/name=\'(.*\:SNMPReadOnly)/)
                {
                    my $snmpro=$1;
                    print $snmpro . "\n" if ($debug>1);
                    my $remote2=IO::Socket::INET->new($host)
                        or do { warn "Failed to connect to $host\n"; return; };
                    $remote2->autoflush(1);
                    print $remote2 "GET /himom.cgi?ok=Save+Changes&".$snmpro."=0&Session=$sessid HTTP/1.1".$EOL;
                    print $remote2 'User-Agent: Mozilla/5.0'. $EOL;
                    print $remote2 $EOL;
                    print $remote2 $EOL;
                    last;
                }
            }
            last;
        }
    }
}
```

It expects to be called with an NMap target specification and admin password, like:
./makewriteable.pl 10.12.10.0/26 appass
./makewriteable.pl 10.12.10.7-35 appass
etc. It scans the specified subnet/range/ip for any devices, then logs into the web interface (if it’s a 9.x canopy) and enables snmp write.

Then you run this changepasses.pl script:
```perl
#!/usr/bin/perl
#
# changepasses.pl
# quickie script to change admin passwords on a subnets worth of SMs/APs
#
# Copyright 2010 Joel NewKirk
# jnewkirk@canmon.us
#
# subject to the MIT license as presented here: http://www.opensource.org/licenses/mit-license.php

# Expects nmap address-spec then snmp community, followed by new admin password

$|=1;
my $debug=2;
use Nmap::Parser;
use Net::SNMP;

my $np = new Nmap::Parser;

my $ip=shift;
my $community=shift;
my $adminpass=shift;

# ping-scan the target spec and try every host that answers
my @scanblocks=($ip);
$np->parsescan('/usr/bin/nmap','-sP -PE -n -T5',@scanblocks);
for my $host ($np->all_hosts()){
    if ($host->status() eq 'up')
    {
        print "found something at ".$host->ipv4_addr."\n" if ($debug>0);
        changepass($host->ipv4_addr,$community,$adminpass);
    }
}


# SNMP set of "admin,<new password>" on one device
sub changepass
{
    my ($ip,$community,$adminpass)=@_;
    my $OID_changeUsrPwd = '1.3.6.1.4.1.161.19.3.3.2.56.0';

    my ($session, $error) = Net::SNMP->session(
        -version => 'snmpv2c',
        -hostname => $ip,
        -timeout => 4,
        -retries => 2,
        -maxmsgsize=>50000,
        -community => $community,
        -port => 161
    );

    # a failure on one host is reported and skipped instead of ending the whole run
    if (!defined $session) {
        printf "ERROR: %s.\n", $error;
        return;
    }

    my $result = $session->set_request(
        -varbindlist => [ $OID_changeUsrPwd, OCTET_STRING, "admin,$adminpass" ],
    );
    # report devices that did not accept the set so they can be retried
    printf "ERROR: %s: %s.\n", $ip, $session->error() if (!defined $result);
    $session->close();
}
```


This script also expects an nmap target spec (better use the same one;) followed by the SNMP community string, and finally the new admin password. As with makewriteable.pl, it uses NMap to scan the specified subnet/range/ip and uses snmpset to change the admin password on each canopy device found. For example, on our network I would use this to change passwords on APs:
./changepasses.pl 10.10-68.0.3-8 commstring newpass
(on this network second octet differs per tower, fourth octet .2 is cmm, .3-.8 are for APs, the rest are SMs - NMap target specs are pretty flexible)

Finally, if you want to disable SNMP-write again, just copy the makewriteable.pl script to ‘makereadonly.pl’, then change the “=0” to “=1” most of the way through the ‘GET /himom.cgi…’ line. If it makes you happier, you can change each instance of ‘makewriteable’ to ‘makereadonly’ throughout the script… :)

j
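
The same bulk SNMP set as changepasses.pl, as an added example that is not part of the original post: it prompts for the community string and new password with echo off instead of taking them on the command line, and reports the result for every host. The host file (one IP per line) is an assumption; the OID and the "admin,<password>" value are the ones used in the post.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Usage (hypothetical file name):
#   ./changepasses-prompt.pl hosts.txt      # hosts.txt: one IP per line
use strict;
use warnings;
use Net::SNMP;

my $OID_changeUsrPwd = '1.3.6.1.4.1.161.19.3.3.2.56.0';    # OID used in the post
# Read a secret with terminal echo off so it never reaches argv,
# the process list or shell history.
sub prompt_secret {
    my ($label) = @_;
    print STDERR "$label: ";
    system('stty', '-echo');
    my $value = <STDIN>;
    system('stty', 'echo');
    print STDERR "\n";
    die "no input for $label\n" unless defined $value;
    chomp $value;
    return $value;
}

# Returns 'ok' or a description of what went wrong for this host.
sub change_pass {
    my ($ip, $community, $newpass) = @_;
    my ($session, $error) = Net::SNMP->session(
        -version => 'snmpv2c', -hostname => $ip, -community => $community,
        -timeout => 4, -retries => 2,
    );
    return "session: $error" unless defined $session;
    my $result = $session->set_request(
        -varbindlist => [ $OID_changeUsrPwd, OCTET_STRING, "admin,$newpass" ],
    );
    my $status = defined $result ? 'ok' : 'set failed: ' . $session->error();
    $session->close();
    return $status;
}

my $hostfile = shift or die "usage: $0 hostfile\n";
open(my $fh, '<', $hostfile) or die "cannot open $hostfile: $!\n";
chomp(my @hosts = grep { /\S/ } <$fh>);
close($fh);
my $community = prompt_secret('SNMP write community');
my $newpass   = prompt_secret('New admin password');
die "passwords do not match\n" if $newpass ne prompt_secret('Repeat new admin password');
my %status = map { $_ => change_pass($_, $community, $newpass) } @hosts;
print "$_: $status{$_}\n" for @hosts;
my @failed = grep { $status{$_} ne 'ok' } @hosts;
print scalar(@failed), " of ", scalar(@hosts), " hosts failed: @failed\n";
exit(@failed ? 1 : 0);
```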