Cisco Password Recovery
“Physical access to a computer or router usually gives a sophisticated user complete control over the device. Software security measures can often be circumvented when access to the hardware is not controlled.” — Cisco Systems, Inc.
Recovering the passwords for most Cisco devices via the console port is very simple. However, Cisco has purchased so many other manufacturers and put the Cisco label on their devices that the procedures for password recovery vary greatly from one Cisco device to another. In addition, the Cisco password recovery procedures have also changed with IOS upgrades. These password recovery instructions are as generic as possible, to account for past and future oddities that users may run into.
These Cisco password recovery instructions will enable the user to recover from a lost password on most Cisco devices. Unless otherwise stated, the instructions below refer to the 2000, 2500, 3000, 4000, 7000, and IGS series routers.
Part I: The Configuration Register
To begin password recovery, connect a terminal or a computer running terminal emulation software to the Cisco device’s console port. Set the terminal to 9600 bps, eight data bits, no parity, and two stop bits.
Some Cisco devices, such as the AccessPro Card, prefer 9600 bps, eight data bits, no parity, and one stop bit.
Power cycle the Cisco device.
Within 60 seconds of turning on the Cisco device, send a BREAK signal from the terminal or terminal emulation software. If using:
- Telix, press <CONTROL-END>
- Procomm, press <ALT-B>
- Hyperterminal, press <CONTROL-PAUSE>
If the cable being used to connect to the Cisco device is good and a break signal is being correctly sent, the user will be rewarded with a ‘>’ prompt. This is not an IOS prompt. This is the ROM monitor prompt.
Note: The Cisco 1003, 1600, 2600, 3600, 4500, 7200, 7500, 12000, AS5200, AS5300, uBR7246, and IDT Orion-Based routers use “rommon” as the ROM monitor prompt.
Note: The Cisco 3800 ERM uses “3800-ERM(boot)>” as the boot monitor prompt. Users can enter privileged mode directly from the 3800 ERM boot monitor, at which point the prompt changes to “3800-ERM(boot)#.”
Look at the configuration register using the command `e/s 2000002`. Write down the value of the configuration register. Use the `Q` command to return to the ROM monitor prompt.
Note: If the device can be logged into, view the configuration register simply by using the command `show version`. Some Cisco devices do not require passwords to log in from the console port.
Note: The Cisco 1003, 1600, 2600, 3600, 4500, 7200, 7500, 12000, AS5200, AS5300, uBR7246, and IDT Orion-Based routers use the `confreg` or `config-register` command to enter the configuration register utility. Users are asked a series of questions. Answer yes to “Do you wish to change the configuration[y/n]?,” “ignore system config info[y/n]?,” and “change boot characteristics[y/n]?.” Answer no to all of the other questions. At the “enter to boot:” prompt enter `2` and press return. Answer no to the question “Do you wish to change the configuration[y/n]?” the second time it is seen.
Set the configuration register. Enter the command `o/r0x42` to cause the device to boot from the flash ROMs. If the flash ROMs are corrupted, use the command `o/r0x41` to cause the device to boot from the boot ROMs.
Note: Some older Cisco devices such as CGS, MGS, AGS, AGS+, and early 7000 routers require users to change the configuration register by moving hardware jumpers. On many of these devices, the jumpers are on the CSC processor card and must be changed by removing jumper eight and placing it in position fifteen.
Early Cisco IGS routers use DIP switches to set the configuration register. On the IGS, set switches 0-3 OFF/UP and switch 7 ON/DOWN.
Part II: Modifying The Configuration
Power cycle the device.
Answer `No` to all of the setup questions.
At the “Router>” prompt, use the `enable` command to enter privileged mode. The user’s prompt will change to “Router#.”
Use the `show startup-config` command to view the device’s configuration file. Look for the passwords. If the passwords are not encrypted, note the passwords and reboot the device. If the passwords are encrypted, continue with these directions.
Use the `configure memory` command to copy the configuration file from NVRAM into RAM. Before doing this, the device configuration will be empty. After doing this, the device configuration will be the configuration that the device’s administrator previously stored.
Use the `configure terminal` command to enter configuration mode.
If desired, use the `password` command to set the login password or the `no password` command to remove the login password.
If desired, use the `enable password` command to set the enable password or the `no enable password` command to remove the enable password.
If desired, use the `enable secret` command to set the secret password or the `no enable secret` command to remove the secret password.
If desired, use the `line 0` and `password` commands to set a password on the console port or the `line 0` and `no password` commands to remove a password on the console port.
Changing these passwords may inconvenience and annoy any previous administrator of this device! If the passwords are not encrypted, they do not need to be changed. If the passwords are encrypted, either change them or decrypt them. For information on decrypting these passwords, read “How do I decrypt Cisco passwords?”
Press <CONTROL-Z> to exit configuration mode.
Use the `copy running-config startup-config` command to copy the configuration being edited back into the startup-config. This will save the changes just made to the configuration.
Part III: Cleaning Up
Power cycle the device.
Restore the configuration register to its original value. Use the `configure terminal` command to enter configuration mode and then use the `config-register` command to set the configuration register. If the user was unable to note the configuration register earlier, he/she will almost always be fine by setting it to 0x2102, which is the default for most Cisco devices.
Note: The default configuration register value for the Router Switch Processor (RSP4) is 0x0101.
Note: On devices where jumpers were moved or DIP switches set, change them back to their original configuration.
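A check for the cleanup step above, as an added example that is not part of the original page: it parses the configuration register line of `show version` and reports when bit 6 (0x0040, ignore the NVRAM configuration, set in both 0x42 and 0x41) is still on or the value differs from the expected default. The function name and the sample lines are assumptions constructed for illustration.

```python
import re

IGNORE_NVRAM = 0x0040  # bit 6: startup-config in NVRAM is ignored at boot

# Matches the register line of `show version`, including a pending value
# that only takes effect at the next reload.
REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def audit_confreg(show_version_text, expected=0x2102):
    """Return a list of findings; an empty list means the register is as expected."""
    match = REG_LINE.search(show_version_text)
    if match is None:
        raise ValueError("no configuration register line found")
    values = [("current", int(match.group(1), 16))]
    if match.group(2):
        values.append(("next reload", int(match.group(2), 16)))
    findings = []
    for label, value in values:
        if value & IGNORE_NVRAM:
            findings.append(f"{label} 0x{value:04X}: bit 6 set, startup-config is ignored")
        if value != expected:
            findings.append(f"{label} 0x{value:04X}: differs from expected 0x{expected:04X}")
    return findings

# Constructed sample lines, not captured from a real device.
SAMPLES = {
    "restored": "Configuration register is 0x2102",
    "left in recovery": "Configuration register is 0x42",
    "fix pending": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "rsp4 default": "Configuration register is 0x0101",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        # The RSP4 sample is checked against its own default, 0x0101.
        expected = 0x0101 if name == "rsp4 default" else 0x2102
        print(f"{name}: {audit_confreg(line, expected) or 'ok'}")
```

A device left at 0x42 or 0x41 boots without its stored configuration on every reload, so run the check after the final power cycle as well as before it.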
Some Cisco devices require the user to delete their entire configurations to recover from a lost password. On the Catalyst 2820 ATM module, reset to factory defaults from the Port Configuration Menu. On the 500-CS, press the reset button on the top of the case while powering on the device and the entire configuration is returned to factory default. On the Catalyst 3000, press the SysReq button on the back panel for five seconds, release it, and then select “Clear Non-Volatile RAM” from the menu.