Hello!
This article is about the hidden commands of the Junos operating system. Anyone who has worked with Juniper equipment running Junos OS (this includes the MX, SRX, EX, QFX, T, J, and many others) probably knows that, besides the “official” (documented) commands, the system also has undocumented ones. What sets them apart is that the command line interface does not show them in contextual help (when you enter a question mark) and auto-completion does not work for them, so the command has to be known and typed in full (every letter). Probably the most famous (and the most useless) of these commands is show version and haiku, which prints Japanese three-line verses about the life of network engineers.
There are, in fact, a lot of hidden commands. The vendor does not publish a full list anywhere, but, for example, there is a sticky topic on the official Juniper forum with a rather large set. So the manufacturer does not object to us using such commands; they simply come with no guarantee: a command may work, or it may bring down your equipment.
In this article, I will show how to get a list of all hidden operational-mode commands in Junos within a given starting branch. The method is based on a fairly simple observation, but I was unable to find through Google any evidence that the question had been posed in this form before. An example Python script is attached.
Idea
The basic idea of the approach is very simple, but to follow it, it helps to have access to the CLI of a Junos device.
Consider, for example, the show version command. If we enter "show version a" (always followed by Enter), the output of the command is:

    lab@jsrxA-1> show version a
                               ^
    syntax error.

And for "show version c":

    lab@jsrxA-1> show version c
                              ^
    syntax error, expecting <command>.
In the first case there is a hidden continuation (and haiku); in the second there is none. As you can see, the CLI's reaction when a hidden continuation exists differs in two ways:
- "syntax error." instead of "syntax error, expecting <command>.";
- the caret (aka circumflex) is placed under the next position of the line.
Accordingly, by trying letters one by one (by hand if need be, but better automated), we can find hidden commands: Junos itself hints at them, although not as clearly as with ordinary commands!
Preliminary notes
Before writing the script, I must warn readers that hidden commands were hidden by the developer for a reason. Some of them can disrupt the device, damage the file system, and so on. So even one at a time they should be used with great care. In our case, where a brute-force search is performed, the warning applies with such force that a script like this must never be run on equipment that handles user traffic. After all, we go through all the commands, which may include file delete, request system zeroize, restart routing, and much more. So experiment only on disconnected hardware that you would not mind killing, or better yet, on a virtual SRX (aka Firefly Perimeter).
It should also be said that although Junos has a very convenient and advanced XML-based API, it cannot be used for this task, because our approach to finding commands relies on the behaviour of the CLI. So we will open an ordinary telnet session, issue commands and parse the text output.
In this article, I will limit myself to finding operational-mode commands. There is also configuration mode, and a lot of interesting things are hidden there too (commit full, for one). Hidden commands there can be searched for in the same way.
Algorithm
So, starting from some command (commandStart in the script), we walk through all possible command variants, each time appending one character (from the alphabet array) and pressing Enter. The output Junos sends in response can be one of the following:
- A complaint of "syntax error." (with the caret indicating that the command continues): the sign of a hidden command, so we go further, appending new characters.
- A complaint of "syntax error, expecting <command>.": here the position of the caret has to be examined. If it is on the current letter, as in the "show version c" example above, we go no further; there are no hidden commands. If it points to the continuation of the command, like this:

    lab@jsrxA-1> show version and
                                 ^
    syntax error, expecting <command>.

  then the command has a continuation and the search must go on (the command here may be hidden or not, depending on what came before).
- Plain command output with no complaint about syntax errors, but possibly with a complaint about ambiguous input, for example:

    lab@jlab-Firefly-3> show chassis cluster i
                                             ^
    'i' is ambiguous.
    Possible completions:
      interfaces           Display chassis cluster interfaces
      ip-monitoring        Display IP monitoring related information

  In this case the search should continue, because there may be a hidden command (here, show chassis cluster information).
It is also necessary to take into account that the output of some commands may span several screens, which produces the "--- (more) ---" prompt. In that case, just send a space.
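The response rules above can be written as a small classifier. This is an added example, not the article's script; it runs offline on responses constructed here in the layout of the transcripts above. The function names, the sample builder and the whole-line matching of the error text are assumptions of this example.

```python
import re

CARET_RE = re.compile(r"^ *\^ *$")                # a line holding only the caret
MORE_RE = re.compile(r"-{3} ?\(more.*?\) ?-{3}")  # pager prompt such as ---(more)---
PROMPT = "lab@jsrxA-1> "                          # prompt as in the transcripts above

def needs_space(output):
    """True when the pager is waiting, i.e. a space has to be sent."""
    return MORE_RE.search(output) is not None

def classify(output):
    """Map one response (echoed line first) to 'hidden', 'dead' or 'continue'."""
    lines = output.replace("\r", "").split("\n")
    echo, rest = lines[0], lines[1:]
    caret = next((l.index("^") for l in rest if CARET_RE.match(l)), None)
    # Whole-line comparison (an assumption of this example): the phrase
    # appearing inside ordinary command output is not treated as an error.
    messages = {l.strip() for l in rest}
    if "syntax error, expecting <command>." in messages:
        past_input = caret is not None and caret >= len(echo)
        return "continue" if past_input else "dead"
    if "syntax error." in messages:
        return "hidden"      # bare error: a hidden continuation exists
    return "continue"        # normal output or ambiguous input

def sample(cmd, caret_col, message):
    """Constructed response: echoed line, caret line, then the message."""
    return f"{PROMPT}{cmd}\n{' ' * caret_col}^\n{message}\n"

def demo():
    """Classify four constructed responses modelled on the article's cases."""
    n = len(PROMPT)
    expecting = "syntax error, expecting <command>."
    cases = {
        "show version a": sample("show version a", n + 14, "syntax error."),
        "show version c": sample("show version c", n + 13, expecting),
        "show version and": sample("show version and", n + 16, expecting),
        "show chassis cluster i": sample(
            "show chassis cluster i", n + 21,
            "'i' is ambiguous.\nPossible completions:"),
    }
    return {cmd: classify(out) for cmd, out in cases.items()}

if __name__ == "__main__":
    for cmd, verdict in demo().items():
        print(f"{verdict:9} {cmd}")
```

Only a "hidden" or "continue" verdict justifies appending another character; "dead" ends that branch of the search.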
Script
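Here it is (or on GitHub).

Script (Python 3)

    import telnetlib  # removed from the standard library in Python 3.13
    import re

    HOST = "192.168.65.161"         # device to connect to
    user = "lab"                    # login
    password = "lab123"             # password
    commandStart = "show version "  # branch the search starts from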
Examples of work:
Run for show version
hidden command >> show version and (incomplete)
hidden command >> show version and blame
hidden command >> show version and haiku
hidden command >> show version extensive
hidden command >> show version forwarding-context
hidden command >> show version invoke-on (incomplete)
hidden command >> show version invoke-on a
hidden command >> show version invoke-on o
hidden command >> show version no-forwarding
hidden command >> show version scc-dont-forward
hidden command >> show version sdk
Run for show chassis
hidden command >> show chassis accurate-statistics
hidden command >> show chassis beacon
hidden command >> show chassis broadcom
hidden command >> show chassis cfeb
hidden command >> show chassis cip
hidden command >> show chassis clocks
hidden command >> show chassis cluster ethernet-switching (incomplete)
hidden command >> show chassis cluster information
hidden command >> show chassis cluster ip-monitoring (incomplete)
hidden command >> show chassis craft-interface
hidden command >> show chassis customer-id
hidden command >> show chassis ethernet-switch
hidden command >> show chassis fabric (incomplete)
hidden command >> show chassis fchip
hidden command >> show chassis feb
hidden command >> show chassis fpc-feb-connectivity
hidden command >> show chassis hsl (incomplete)
hidden command >> show chassis hsr
hidden command >> show chassis hss (incomplete)
hidden command >> show chassis hst
hidden command >> show chassis in-service-upgrade
hidden command >> show chassis ioc-npc-connectivity
hidden command >> show chassis lccs
hidden command >> show chassis message-statistics (incomplete)
hidden command >> show chassis message-statistics i
hidden command >> show chassis network-services
hidden command >> show chassis nonstop-upgrade
hidden command >> show chassis power-budget-statistics
hidden command >> show chassis psd
hidden command >> show chassis redundancy (incomplete)
hidden command >> show chassis redundant-power-system
hidden command >> show chassis scb
hidden command >> show chassis sfm
hidden command >> show chassis sibs
hidden command >> show chassis spmb
hidden command >> show chassis ssb
hidden command >> show chassis synchronization
hidden command >> show chassis tfeb
hidden command >> show chassis timers
hidden command >> show chassis usb (incomplete)
hidden command >> show chassis zones
Run for show security idp branch (on SRX240)
hidden command >> show security idp active-policy
hidden command >> show security idp application-ddos (incomplete)
hidden command >> show security idp application-identification (incomplete)
hidden command >> show security idp detector (incomplete)
hidden command >> show security idp detector a
hidden command >> show security idp detector c
hidden command >> show security idp detector p
hidden command >> show security idp ips-cache
hidden command >> show security idp logical-system (incomplete)
As you can see, the script marks some commands as incomplete: those that are expected to have a continuation. If the continuation of the Junos command is no longer hidden, the script still finds such a command, but reports it in abbreviated form (show chassis message-statistics i is show chassis message-statistics ipc).
Handling every possible error and situation was not a goal of the script, so if you have interface lines containing a "syntax error" string to which the script reacts, or if logging to the terminal is enabled, the script's logic may break.
Another problem is commands that accept any name as input, for example, show interfaces AnyInterfaceNameIsOKHere (if there is no such interface, an error is generated; other similar commands may print nothing at all). For obvious reasons, the script, when pointed at show interfaces, crashes with a "maximum recursion depth exceeded" error. But the search with commandStart = "show interfaces ge-0/0/0" works fine:
Run for show interfaces ge-0/0/0
hidden command >> show interfaces ge-0/0/0 forwarding-context
hidden command >> show interfaces ge-0/0/0 ifd-index
hidden command >> show interfaces ge-0/0/0 ifl-index
hidden command >> show interfaces ge-0/0/0 instance
hidden command >> show interfaces ge-0/0/0 no-forwarding
hidden command >> show interfaces ge-0/0/0 scc-dont-forward
Conclusion
It should be understood that a significant part of the hidden commands are hidden because they are not supported (or have no meaning) on this equipment or in this software version. Many of them are useless, but there are also “nuggets” among them (for example, show chassis cluster information). Since I work as a Juniper instructor, I quite often hear students ask where to get a list of all hidden commands. So now I will refer everyone to this article. I hope this recipe will be of some use to someone.