Password Recovery – Cisco IOS Routers
In this post I want to cover how to recover passwords on a Cisco IOS Router. This is helpful in lab environments as well as production environments. Although this method can be used the correct "legal" way you can also use this method to break into these devices "illegally" if you have physical console access to the device. However to get into it physical power must be turned off first causing a disruption in the environment, let get started! So I have a router called R2-D2 at ACME Corp, I have been given permission to recover the password and access the device. I have tried some passwords that where written down but all failed. [code]R2-D2 con0 is now available Press RETURN to get started. *************************************************************************** * L E G A L N O T I C E -- Y O U M U S T R E A D * *************************************************************************** * * * You must have explicit permission to access or configure this * * device. All activities performed on this device are logged and * * violations of this policy may result in criminal prosecution. * * * *************************************************************************** * * * This system is for the use of authorized users only. Individuals using * *this computer system without authority, or in excess of their authority, * * are subject to having all of their activities on this system monitored * * and recorded by system personnel. * * * * * * Anyone using this system expressly consents to such monitoring and is * * advised that if such monitoring reveals possible evidence of criminal * * activity, system personnel may provide the evidence of such monitoring * * to law enforcement officials. * * * =========================================================================== User Access Verification Username: admin Password: % Login invalid Username: admin Password: % Login invalid[/code] It is after-hours so I can physically power off the device and that's what I need to do next. Immediately I have to press the "break sequence" (which depends on the terminal application you are using. In TeraTerm this sequence is ALT + B) I like to think of this as a BIOS like on a computer, but it is normally called ROMon in Cisco terms or ROM Monitor, notice the prompt? At this prompt you have to type "confreg 0x2142" which ignores or bypass the startup-config file. Then type the command "reset" to reload the router which will bypass the statup-config. [code]System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 2006 by cisco Systems, Inc. Initializing memory for ECC . c2811 platform with 262144 Kbytes of main memory Main memory is configured to 64 bit mode with ECC enabled Upgrade ROMMON initialized PC = 0xbfcd0d54, Cause = 0x2000, Status Reg = 0x3040a803 rommon 1 > confreg 0x2142 You must reset or power cycle for new config to take effect rommon 2 >[/code] Now that the router bypassed its startup-config we have to go into the privilege mode and type the command "copy startup-config running-config" which will load the startup-config into the running-config. [code]DRAM configuration is 64 bits wide with parity enabled. 239K bytes of non-volatile configuration memory. 125440K bytes of ATA CompactFlash (Read/Write) --- System Configuration Dialog --- Would you like to enter the initial configuration dialog? [yes/no]:no Press RETURN to get started! ---Output Omitted--- Router#copy startup-config running-config Destination filename [running-config]? 2341 bytes copied in 0.288 secs (8128 bytes/sec) R2-D2#[/code] Next we change the password to something that we know, I'm changing the login password and the enable secret: [code]R2-D2(config)#username admin password $%^cisco R2-D2(config)#enable secret !!@@cisco[/code] After that we have to change config-register back to the default 0x2102 which will load the startup-config file when reloaded. [code]R2-D2(config)#config-register 0x2102 R2-D2#copy startup-config running-config Destination filename [running-config]? 2341 bytes copied in 0.292 secs (8017 bytes/sec) R2-D2#reload[/code] Copy the running-config to save those password changes by using the "copy running-config startup-config command and reload the device one last time to confirm changes. you should be able to access the device and the configuration by using the passwords you just created . :) I hope this information was helpful some may ask what do those config-resister values do? Well there is some documention on Cisco's website and it goes over the Use of the Configuration Register on All Cisco Routers and if you have other questions comment below!
Related articles
- Basic Cisco ASA Overview (lewiryan.github.io/ciscoskills)
- Upgrade ASA IOS via ASDM (lewiryan.github.io/ciscoskills)
- CCNA Security - 640-554 (lewiryan.github.io/ciscoskills)
- Basics of cisco switch administration (slideshare.net)
Comments:
I really appreciate your efforts in writing really helpful points in password recovery. Because there are many users who face difficulties in case of password recovery...
#### [Ryan](http://systemstechblog.wordpress.com "lewiryan@isu.edu") -
Glad I could help.