illmob.org

Recovering Passwords on a Cisco Router

May 6th, 2009 by admin in Password Info, Privilege Escalation, Uncategorized

Password recovery is a fairly frequently used procedure for administrators and engineers. Even though we usually stack our passwords in some word, excel or text file, it’s very easy to forget to update them when changes occur. The end result is you find yourself locked out of the device, wondering what on earth could be the password.
Accessing a Cisco router requires certain privileges. Depending on the router’s configuration, you might be required to firstly log into the router and then enter the popular ‘enable’ password to elevate your access to privileged mode, from where you can issue configuration commands.

This article will show you how you can gain full administrator access to a Cisco router, bypassing all security passwords. The password recovery process, however, can be rendered useless if the administrator has previously configured the router not to allow this process to take place. In this case, the router will warn the user and, if he proceeds, all configuration will be erased, so there will be nothing to recover!

Example Scenario

Consider we have a Cisco router (2610 for our example – this procedure is the same for all routers) and we are unable to access it due to a lost password. Console and VTY (telnet) sessions ask for a password which we do not have:

R1 con0 is now available
Press RETURN to get started.

User Access Verification

Password: *****
Password: ********
Password: ***
% Bad passwords

Even if we were able to successfully log into the router, but couldn’t provide the router with the correct ‘enable’ password, we would still need to perform a password recovery procedure.

To initiate the password recovery procedure, connect the rollover cable to the console port, then power the router off and back on. As soon as you receive a prompt showing the boot process, hit Ctrl-Break:

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff0a530, Vector = 0x500, SP = 0x680127c8
C2600 platform with 65536 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0xf54134
PC = 0xfff0a530, Vector = 0x500, SP = 0x83fffe68

<ctrl + Break>

monitor: command “boot” aborted due to user interrupt
rommon 1 >

You’ll immediately see the ‘rommon’ prompt, indicating we are in ‘rom monitor’ mode. This is a mini-IOS that allows you to perform very specific tasks in order to recover your router.

Now, to skip our password-protected configuration, we instruct the router to by-pass the configuration located in NVRAM during bootup, and reset the router:

rommon 1 > confreg 0x2142

You must reset or power cycle for new config to take effect
rommon 2 > reset

The router will now reset and start its normal bootup process, however, the current configuration will be ignored. When the bootup is complete, you will be prompted to ‘enter the initial configuration dialog’, answer ‘no’:

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 65536 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0xf54134
Self decompressing the image : ##

<output omitted>
— System Configuration Dialog —

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

Next step is to enter ‘Privileged Mode’ and load the router’s configuration from nvram. Then reset the ‘enable’ or ‘secret’ password. To be sure, we’re showing how to reset both, but we’ll only need to use the ‘secret’ password. In addition, we are going to reset the console port’s password:

Router>
Router> enable
Router# copy startup-config running-config
Destination filename [startup-config]? (hit enter)
Building configuration…
[OK]
Router# configure terminal
Router(config)# enable password cisco
Router(config)# enable secret enter
Router(config)# line console 0
Router(config-line)# password hello
Router(config)# username admin password enternow

If you use the ‘login local’ command you’ll need to reset the user account of the password you have lost (in our example, it’s ‘admin’).

Lastly, we need to change the ‘configuration register’ so the router will load the newly modified configuration next time it reboots, save our settings and reboot the router:

Router(config)# config-register 0x2102
Router(config)# exit
Router# copy running-config startup-config
Destination filename [startup-config]? (hit enter)
Building configuration…
[OK]
Router# reload

The router will now reload and use the new configuration that contains the newly set passwords.

When the router reboots, log in and check your configuration. If you find any interfaces in the ‘shutdown’ state, you’ll need to use the ‘no shutdown’ command to bring them back up. Again, don’t forget to save your configuration!

Article Summary

We’ve shown you how to recover lost passwords and gain control of a Cisco router. Of course there are mechanisms, which can be enabled, that will not allow you to perform the password recovery procedure. In this case, any attempt to recover the passwords or configuration will result in the erasure of the device’s configuration!

Via: firewall.cx

2 Responses to ' Recovering Passwords on a Cisco Router '

Subscribe to comments with RSS or TrackBack to ' Recovering Passwords on a Cisco Router '.


  1. on October 9th, 2009 at 5:12 am

    i lost my password ,please help

  2. compcentral said,

    on January 31st, 2011 at 11:13 pm

    @winfred seguya you’re dumb. read the article. It tells you everything you need to know.

Leave a reply