Oh, it’s hot hot hot… not chilli hot but hot hot!
It’s 42 degrees outside here in Sydney today, and it’s also a long weekend. This is so boring as I can’t do any outdoor activities. My mind went crazy and I thought I’d play with my new toy: CCM version 6.x.
Warning: before you read this post, please note: do not try to apply this on your production server. If you perform this on your production CUCM box, you may be voiding your Cisco contract. This is only for lab and learning purposes!
Quite often, when we are working on a production (or lab) server and need shell access to CUCM, we have to call Cisco TAC and wait for ages before we get access to the CUCM root shell. Many of us Linux geeks sometimes want to jump onto the CUCM Linux shell, just as we natively access any other *NIX-based server. Oh yeah, it’s much more fun, and seriously, you can debug and troubleshoot things quicker. Without a native shell, accessing CUCM files or anything else using the Cisco recommended method (the CUCM OS CLI) is like eating a banana without peeling it. Well, you are eating the banana, but you are eating the skin too, not so tasty :(. You get the point! One of my friends asked me last week: is there any way to get access to the CUCM root shell? I asked why he wanted to access the root shell to start with. He replied that he had recently upgraded CUCM from v5 to 6.x, the disk usage had crept up, and he wanted to clear up some files. He was not aware that he could delete files using the CUCM OS CLI ‘file delete activelog blah..’ command, but he was content to get shell access to CUCM. I think Cisco did a good job in locking down root access to the box. It makes complete sense; why would anyone fiddle with a production box?
I tried my old trick, the normal old-school way we used to break Linux server passwords, and surprisingly it worked. Cisco has not locked this down. I was expecting Cisco would really make it almost impossible to get access to root, but that was not the case. Today I got some time to do some research on this and found a lower-effort method which you can safely apply to your production server without breaking anything related to Cisco’s software. Using the method below, anyone would be able to get access to CUCM in less than 10 minutes. If you’re a *NIX folk, you don’t have to wait for TAC to log in to the shell. I think that is the reason they are not allowing this officially. Vendors like Broadsoft give you root access to their softswitch Linux servers. Why don’t they lock you down just like Cisco? I’d never have a clue.
Here is the step-by-step method I used to break the root password of CUCM:
STEP#0: Download *NIX bootable media
Download Fedora 9, Red Hat Linux 4 or above, or CentOS disk 1, and burn it onto a CD or DVD. This disk will be used in step #3. Google and you’ll find the ISO image.
STEP#1: Create a remote account on your CUCM.
SSH to your CUCM box. I use Ubuntu as a desktop; if you are a Billy fan, you can use ssh or SecureCRT.
frog# ssh email@example.com
You’ll get a prompt like this:
Now create an account and enable remote accounts on this box:
admin:utils remote_account create frog 100
admin:utils remote_account enable
Note that the 100 above is the number of days the ‘frog’ username/account will be valid. If you want it forever, just type 0.
STEP#2: Reboot the server:
admin:utils system restart
STEP#3: Create a password for the ‘frog’ remote user
While the server reboots, pop a Linux bootable disk (the downloaded CentOS or Red Hat first disk) into the MCS server or your lab toy. When you see the boot prompt, type ‘linux rescue’:
That will give you root shell access (the root# prompt).
The rescue disk mounts the CCM hard disk image as /mnt/sysimage. Now chroot to this image to change the /etc/ files or passwords:
Note 1: if you don’t see the root prompt and the /etc/passwd file, you may need to mount your sysimage yourself.
Note 2: If you are an open source freak and know very well how penguin computing works, you may jump directly to step #4. Actually, the difference between adding the user with remote_account and adding them yourself once you get the root# shell from the bootable CD is that you don’t have to apply all the admin groups to the remote user by hand. You get the idea now, I guess.
The remote user must be a member of the following groups on the CCM box:
disk, sys, adm, bin, wheel and root
STEP#4: Change the attributes of the /etc files and create the ‘frog’ user’s password:
Cisco has set the read-only (immutable) attribute on /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow to protect those files. Change the attribute on all of the files below from read-only to read/write, so that when you change the ‘frog’ user’s password the system will let you.
root# chattr -i /etc/passwd
root# chattr -i /etc/shadow
root# chattr -i /etc/group
root# chattr -i /etc/gshadow
root# passwd frog <press Enter>
Now restart the server using the reboot command.
Don’t forget to remove your DVD/CD from the MCS server. Once that is done, access the CCM from your favourite SSH client; mine is Ubuntu these days.
frog# ssh firstname.lastname@example.org
Welcome to Remote Support
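A defender’s counterpart to the steps above, added here as an example and not part of the original post: a small POSIX shell audit that checks whether the immutable attribute Cisco sets on the account files is still present (from one line of `lsattr -d` output) and lists every account that belongs to all six groups a remote account is given (disk, sys, adm, bin, wheel, root). The lsattr output line and the /etc/group contents used here are constructed; on a real box you would feed it `lsattr -d /etc/shadow` and `cat /etc/group`.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two protections the
# procedure above works around, run from a root shell on the CUCM box.
# immutable_set "<one line of lsattr -d output>": returns 0 when the 'i'
# (immutable) flag is present; the flag field is everything before the first space.
immutable_set() {
    case "${1%% *}" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}
# privileged_members: reads /etc/group contents on stdin and prints every user
# who is a member of ALL six groups that 'utils remote_account create' grants.
# Compare the list against the remote accounts you actually created.
privileged_members() {
    awk -F: '
        $1=="disk"||$1=="sys"||$1=="adm"||$1=="bin"||$1=="wheel"||$1=="root" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]]++
        }
        END { for (u in seen) if (seen[u] == 6) print u }
    ' | sort
}
# Constructed sample data standing in for `lsattr -d /etc/shadow` and /etc/group.
SAMPLE_LSATTR_OK='----i--------e-- /etc/shadow'
SAMPLE_LSATTR_BAD='-------------e-- /etc/shadow'
SAMPLE_GROUP='root:x:0:frog
bin:x:1:frog,daemon
sys:x:3:frog,bin
adm:x:4:frog
disk:x:6:frog
wheel:x:10:frog,tacuser'
# audit_sample: runs both checks over the constructed data, reports each
# finding on stderr and prints the number of findings on stdout.
audit_sample() {
    findings=0
    if ! immutable_set "$SAMPLE_LSATTR_BAD"; then
        echo "WARN: immutable flag missing on ${SAMPLE_LSATTR_BAD#* }" >&2
        findings=$((findings + 1))
    fi
    for u in $(printf '%s\n' "$SAMPLE_GROUP" | privileged_members); do
        echo "INFO: $u is in all six privileged groups" >&2
        findings=$((findings + 1))
    done
    echo "$findings"
}
audit_sample
```

An account that shows up as a privileged member but was not created with ‘utils remote_account create’, or an account file without the immutable flag, is worth a closer look.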
All done for now. This is your little Linux toy box. Do anything just as you would with any other *NIX-based operating system, no biggie. I will install FreeRADIUS and some other cool tools like Nmap on this Cisco box.