Introduction
This section describes how to recover a lost enable or console login password, and how to replace a lost
enable secret password on a Cisco router.
This page collects password recovery procedures for Cisco routers. For security reasons, every procedure listed here requires physical access to the equipment: a console connection and the ability to power-cycle the device.
This document describes the procedure for recovering an enable password or replacing an enable secret password. These passwords protect access to privileged EXEC and configuration modes.
An enable password can be recovered because it is stored in the configuration either in clear text or with reversible type 7 obfuscation. An enable secret is stored as a salted MD5 hash (type 5) and cannot be recovered; it can only be replaced with a new password using the procedure below.
Recovering the passwords for most Cisco devices via the console port is very simple. However, Cisco has acquired so many other manufacturers and put the Cisco label on their devices that the password recovery procedure varies greatly from one Cisco product to another. The procedure has also changed across IOS releases. I have tried to make these instructions as generic as possible, to account for past and future oddities that you may run into.
These instructions will let you recover from a lost password on most Cisco devices. Unless otherwise stated, the instructions below refer to the 2000, 2500, 3000, 4000, 7000 and IGS series routers.
PASSWORD RECOVERY PROCEDURE OVERVIEW:
The following is an overview of the steps in the password recovery procedure.
• If you can log in to the router, enter the show version command to determine the existing
configuration register value.
• Press the Break key to go to the bootstrap program prompt (ROM monitor). You might need to
reload the system image by power-cycling the router.
• Change the configuration register to 0x2142 so that the router ignores the startup configuration file
during bootup. This lets you log in without a password and display the passwords stored in the startup
configuration.
• Reboot the router by typing reset at the rommon> prompt.
• Log in to the router and enter the privileged EXEC mode.
• Enter the show startup-config command to display the passwords.
• Recover or replace the displayed passwords.
• Change the configuration register back to its original setting.
PASSWORD RECOVERY PROCEDURE:
To recover or replace a lost enable, enable secret, or console login password, use this procedure:
Step 1 Attach an ASCII terminal to the console port on the router.
Step 2 Configure the terminal to operate at 9600 baud, 8 data bits, no parity, and 1 stop bit.
Step 3 If you can log in to the router as a nonprivileged user, enter the show version command to display the
existing configuration register value, then go to Step 6. If you cannot log in to the router at all, go to the
next step.
Step 4 Press the Break key or send a break signal from the console terminal.
• If break is enabled, the router enters the ROM monitor, indicated by the ROM monitor prompt
(rommon>). Go to Step 6.
• If break is disabled, power cycle the router (turn off the router or unplug the power cord, and then
restore power). Then go to Step 5.
Step 5 Within 60 seconds of restoring the power to the router, press the break key or send a break signal. This
action causes the router to enter the ROM monitor and display the ROM monitor prompt (rommon>).
Step 6 Set the configuration register using the configuration register utility. Enter the confreg command at the
ROM monitor prompt as follows:
rommon> confreg
Answer yes to the “ignore system config info?” prompt. Press Return at all other prompts to accept the
existing value. On ROM monitors that accept a value directly, confreg 0x2142 does the same thing in one step.
Step 7 Reboot the router by entering the reset command:
rommon> reset
The router initializes, the configuration register is set to 0x2142, and the router boots the system image
from Flash memory and enters the system configuration dialog (setup):
--- System Configuration Dialog ---
Step 8 Enter no in response to the system configuration dialog prompts until the following message appears:
Press RETURN to get started!
Step 9 Press Return. The user EXEC prompt appears:
Router>
Step 10 Enter the enable command to enter privileged EXEC mode. Then enter the show startup-config
command to display the passwords in the configuration file as follows:
Router# show startup-config
Step 11 Scan the configuration file display, looking for the passwords (the enable passwords are usually located
near the beginning of the file, and the console login or user EXEC password is near the end). The
passwords displayed appear similar to the following:
enable secret 5 $1$ORPP$s9syZt4uKn3SnpuLDrhuei
enable password 23skiddoo
.
.
line con 0
password onramp
The enable secret password is stored as a hash and cannot be recovered; it must be replaced. Go to the next
step to replace an enable secret, console login, or enable password. If there is no enable secret password,
note the enable and console login passwords. If the enable and console login passwords are not
encrypted, you can reuse them as they are: go to Step 16.
Caution Do not execute the next step unless you have determined you must change or replace the enable, enable
secret, or console login passwords. Failure to follow the steps as shown might cause you to erase the
router configuration.
Step 12 Enter the copy startup-config running-config command to load the startup configuration file into
running memory. This action allows you to modify or replace passwords in the configuration.
Router# copy startup-config running-config
Step 13 Enter the privileged EXEC command configure terminal to enter configuration mode:
Router# configure terminal
Step 14 Change all three passwords using the following commands:
Router(config)# enable secret newpassword1
Router(config)# enable password newpassword2
Router(config)# line con 0
Router(config-line)# password newpassword3
Change only the passwords necessary for your configuration. You can remove individual passwords by
using the no form of the above commands. For example, entering the no enable secret command
removes the enable secret password.
Step 15 When the startup configuration is loaded in Step 12, every interface comes up administratively shut
down, so you must re-enable each interface that was in use:
Router(config)# interface fastethernet 0/0
Router(config-if)# no shutdown
Enter the equivalent commands for every interface that was originally configured (show ip interface brief
lists them, with administratively down in the Status column). If you omit this step, all interfaces remain
administratively shut down and unavailable when the router is restarted.
Step 16 Use the config-register command to set the configuration register back to the value noted in Step 3,
or to the factory default value 0x2102. Leaving it at 0x2142 would make the router ignore its saved
configuration on every reboot.
Router(config)# config-register 0x2102
Step 17 Press Ctrl-Z (hold down the Control key while you press Z) or enter end to exit configuration mode
and return to the EXEC command interpreter.
Caution Do not execute the next step unless you have changed or replaced a password. If you skipped Step 12
through Step 15, go to Step 19. Failure to observe this caution causes you to erase the router
configuration file.
Step 18 Enter the copy running-config startup-config command to save the new configuration to NVRAM.
Step 19 Enter the reload command to reboot the router.
Step 20 Log in to the router using the new or recovered passwords.
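As an added example that is not part of the original article: the script below triages the password lines that Step 11 tells you to look for. It is Python written for this page, not Cisco code. It assumes the standard type 7 key (public and fixed across IOS releases) and a constructed startup configuration built around the fragment shown in Step 11, with a hypothetical username line and type 7 strings added. The point it makes beyond the text is that a type 7 line is not encrypted in any useful sense, so anyone who can read the configuration recovers it, while a type 5 enable secret really does have to be replaced.

```python
"""Triage the passwords found in a recovered Cisco IOS configuration.

Added example, not code from the original article. It walks a startup config
the way Step 11 describes and reports, per password line, what the procedure
lets you do with it: type 0 is clear text and can simply be reused, type 7
(service password-encryption) is reversible obfuscation and is decoded here,
type 5 is a salted MD5-crypt hash that cannot be recovered and must be replaced.
The sample config is constructed around the Step 11 fragment; the type 7 strings
and the username line are additions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Fixed key IOS uses for type 7 passwords. It is public, so type 7 is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

VERDICT = {
    0: "clear text: reuse as-is",
    7: "reversible (type 7): decoded, reuse or replace",
    5: "hashed (type 5): cannot be recovered, set a new one",
}


def type7_decode(encoded: str) -> str:
    """Two-digit decimal seed, then hex byte pairs XORed with the key starting at that offset."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    seed, data = int(encoded[:2]), bytes.fromhex(encoded[2:])   # both raise ValueError on junk
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decode; IOS picks a seed from 0 to 15 at random."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{data.hex().upper()}"


@dataclass
class Finding:
    line: int
    section: str            # "global", "line con 0", "line vty 0 4", ...
    command: str
    ptype: int
    plaintext: Optional[str]
    verdict: str


# enable secret 5 <hash> | enable password [7] <v> | password [7] <v> | username X password [7] <v>
PASSWORD_LINE = re.compile(
    r"^\s*(?P<cmd>enable secret|enable password|password|username \S+ (?:secret|password))"
    r"(?:\s+(?P<type>[057]))?\s+(?P<value>\S+)\s*$"
)


def triage(config_text: str):
    findings, section = [], "global"
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if not line.startswith(" "):     # top-level command: track line/interface submodes
            section = line.strip() if line.startswith(("line ", "interface ")) else "global"
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        ptype, value = int(m.group("type") or 0), m.group("value")
        if ptype == 0:
            plaintext, verdict = value, VERDICT[0]
        elif ptype == 7:
            try:
                plaintext, verdict = type7_decode(value), VERDICT[7]
            except ValueError as exc:    # corrupt or hand-edited line: report, do not crash
                plaintext, verdict = None, f"type 7 but undecodable: {exc}"
        else:
            plaintext, verdict = None, VERDICT[5]
        findings.append(Finding(lineno, section, m.group("cmd"), ptype, plaintext, verdict))
    return findings


# Constructed sample: the Step 11 fragment plus a type 7 line and a local user (hash is from Step 11).
SAMPLE_STARTUP_CONFIG = """\
hostname Router
enable secret 5 $1$ORPP$s9syZt4uKn3SnpuLDrhuei
enable password 23skiddoo
username admin password 7 0822455D0A16
line con 0
 password onramp
 login
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_STARTUP_CONFIG):
        print(f"line {f.line:>3} [{f.section}] {f.command}: {f.verdict}"
              + (f" -> {f.plaintext!r}" if f.plaintext else ""))
```

Run it against the output of show startup-config saved from the console session and it tells you which lines you can simply note down (Step 11) and which ones force you into Steps 12 to 15. The same decoder is why service password-encryption should never be mistaken for protection of the configuration: it only stops shoulder-surfing.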
Example: Step-by-Step Procedure
1. Attach a terminal or PC with terminal emulation to the console port of the router. Use the following terminal settings:
9600 baud rate
No parity
8 data bits
1 stop bit
2. If you still have access to the router, type show version and record the setting of the configuration register; it is usually 0x2102 or 0x102.
3. If you don't have access to the router (because of a lost login or TACACS+ password), you can safely assume that your configuration register is set to 0x2102.
4. Using the power switch, turn off the router and then turn it back on.
Important: To simulate step 4 on a Cisco 6400, pull out and then replace the Node Route Processor (NRP) or Node Switch Processor (NSP) card.
Important: To simulate step 4 on a Cisco 6x00 using NI-2, pull out and then replace the NI-2 card.
5. Press Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON.
If the break sequence doesn't work, see Possible Key Combinations for Break Sequence During Password Recovery for other key combinations.
6. Type confreg 0x2142 at the rommon 1> prompt to boot from Flash without loading the configuration.
7. Type reset at the rommon 2> prompt.
The router reboots but ignores its saved configuration.
8. Type no after each setup question or press Ctrl-C to skip the initial setup procedure.
9. Type enable at the Router> prompt.
You'll be in enable mode and see the Router# prompt.
10. Important: Type configure memory or copy startup-config running-config to copy the nonvolatile RAM (NVRAM) into memory.
11. Type write terminal or show running-config.
The show running-config and write terminal commands show the configuration of the router. In this configuration you see the shutdown command under every interface, which means all interfaces are currently shut down. You can also see the passwords (enable password, enable secret, vty and console passwords, and so on) either in encrypted or unencrypted form. Unencrypted (type 0) passwords can be reused; type 7 passwords are only obfuscated and can be decoded; type 5 enable secrets are hashed and must be replaced with a new one.
12. Type configure terminal and make the changes.
The prompt is now hostname(config)#.
13. Type enable secret <password> to change the enable secret password, for example.
14. Issue the no shutdown command on every interface that is used. If you issue a show ip interface brief command, every interface that you want to use should be "up up".
15. Type config-register 0x2102, or the value you recorded in step 2.
16. Press Ctrl-Z or type end to leave configuration mode. The prompt is now hostname#.
17. Type write memory or copy running-config startup-config to commit the changes.
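The numbered steps above are one mechanical prompt/response sequence, which makes them a good candidate for a console script. The following Python is an added example written for this page (not Cisco code and not from the original article). It drives the steps from the break through the final save over the console, waiting for each prompt before typing the next command. The FakeConsole transcript is constructed, modelled on the Cisco 2600 session shown below; the port name /dev/ttyUSB0, the hostname hq-edge, the interface Ethernet0/0 and the new secret are assumptions, and pyserial is assumed to be installed for the real port.

```python
"""Console driver for the recovery steps above. Added example, not code from
the article or from Cisco: it types break, confreg 0x2142, reset, skip setup,
enable, copy startup-config running-config, a new enable secret, no shutdown,
config-register 0x2102 and save, waiting for each prompt first. FakeConsole
replays a constructed transcript so this runs offline; open_console() uses
pyserial (assumed installed). Port, hostname, secret, interface: assumptions."""
import re
import time
from types import SimpleNamespace

ROMMON, USER, PRIV = r"rommon \d+ ?>", r"^[\w.-]+>\s*$", r"^[\w.-]+#\s*$"  # rommon 1 > / Router> / Router#
CONF, CONF_IF = r"\(config\)#", r"\(config-if\)#"   # PRIV cannot match these: '(' is not in [\w.-]


class RecoveryDriver:
    def __init__(self, console, timeout=120.0):
        self.console, self.timeout, self.buf, self.sent = console, timeout, "", []

    def expect(self, pattern):
        """Block until pattern appears in console output; consume through the match."""
        rx, deadline = re.compile(pattern, re.M), time.monotonic() + self.timeout
        while time.monotonic() < deadline:
            m = rx.search(self.buf)
            if m:
                self.buf = self.buf[m.end():]
                return m.group(0)
            chunk = self.console.read()
            if chunk:
                self.buf += chunk.decode("ascii", "replace")
            else:
                time.sleep(0.05)
        raise TimeoutError(f"no {pattern!r} within {self.timeout}s; tail={self.buf[-120:]!r}")

    def send(self, line):
        self.sent.append(line)
        self.console.write((line + "\r").encode("ascii"))

    def run(self, new_secret, interfaces=(), config_register="0x2102"):
        self.console.send_break()                  # must arrive within ~60 s of power-up
        self.expect(ROMMON); self.send("confreg 0x2142")   # boot ignoring NVRAM
        self.expect(ROMMON); self.send("reset")
        self.expect(r"initial configuration dialog\? \[yes/no\]:"); self.send("no")
        self.expect(r"Press RETURN to get started"); self.send("")
        self.expect(USER); self.send("enable")     # no password asked: startup config was ignored
        self.expect(PRIV); self.send("copy startup-config running-config")
        self.expect(r"Destination filename \[running-config\]\?"); self.send("")
        self.expect(PRIV); self.send("configure terminal")
        self.expect(CONF); self.send(f"enable secret {new_secret}")
        for ifname in interfaces:                  # the loaded config leaves every interface shut down
            self.expect(CONF); self.send(f"interface {ifname}")
            self.expect(CONF_IF); self.send("no shutdown")
            self.expect(CONF_IF); self.send("exit")
        self.expect(CONF); self.send(f"config-register {config_register}")  # normal boot again
        self.expect(CONF); self.send("end")
        self.expect(PRIV); self.send("copy running-config startup-config")
        self.expect(r"Destination filename \[startup-config\]\?"); self.send("")
        self.expect(r"\[OK\]"); self.expect(PRIV)
        return list(self.sent)


class FakeConsole:
    """Offline stand-in: echoes each line typed, then replies with the next canned response."""
    def __init__(self, responses):
        self.responses, self.pending = list(responses), b""
    def send_break(self):
        self.pending += b"\r\n*** System received an abort due to Break Key ***\r\nrommon 1 > "
    def write(self, data):
        self.pending += data + (self.responses.pop(0) if self.responses else b"")
    def read(self):
        out, self.pending = self.pending, b""
        return out


TRANSCRIPT = [  # constructed, modelled on the 2600 session below; one reply per command sent
    b"\r\nYou must reset or power cycle for new config to take effect\r\nrommon 2 > ",
    b"\r\n--- System Configuration Dialog ---\r\n"
    b"Would you like to enter the initial configuration dialog? [yes/no]: ",
    b"\r\nPress RETURN to get started!\r\n", b"\r\nRouter>", b"\r\nRouter#",
    b"\r\nDestination filename [running-config]? ",
    b"\r\n1324 bytes copied in 2.35 secs (662 bytes/sec)\r\nhq-edge#",  # hostname now from NVRAM
    b"\r\nEnter configuration commands, one per line.  End with CNTL/Z.\r\nhq-edge(config)#",
    b"\r\nhq-edge(config)#", b"\r\nhq-edge(config-if)#",
    b"\r\nhq-edge(config-if)#\r\n00:02:14: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up\r\n",
    b"\r\nhq-edge(config)#", b"\r\nhq-edge(config)#",
    b"\r\nhq-edge#\r\n00:03:20: %SYS-5-CONFIG_I: Configured from console by console\r\n",
    b"\r\nDestination filename [startup-config]? ",
    b"\r\nBuilding configuration...\r\n[OK]\r\nhq-edge#",
]


def demo():  # run against the canned transcript; returns the commands that were typed
    return RecoveryDriver(FakeConsole(TRANSCRIPT), timeout=2).run("S3cret!", ("Ethernet0/0",))


def open_console(port="/dev/ttyUSB0"):
    """Real console through pyserial at 9600 8N1, the settings the procedure specifies."""
    import serial
    ser = serial.Serial(port, 9600, bytesize=serial.EIGHTBITS, parity=serial.PARITY_NONE,
                        stopbits=serial.STOPBITS_ONE, timeout=0.5)
    return SimpleNamespace(read=lambda: ser.read(4096), write=ser.write,
                           send_break=lambda: ser.send_break(duration=0.5))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Start the script first and then power-cycle the router, because the break has to reach the console within about 60 seconds of power-up. The driver deliberately does nothing clever: it does not parse error messages, and if a prompt never appears it raises TimeoutError with the last output, which is what you want to read before touching the device again. Some IOS releases insert extra questions (for example about terminating autoinstall) before the user EXEC prompt; extend the expect/send sequence when your transcript shows them. Use open_console() only on a device you are authorised to reset, since the sequence it automates is exactly what no service password-recovery exists to block.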
Example of Password Recovery Procedure
The example below presents an actual password recovery procedure. We created this example using a Cisco 2600. Even if you are not using a Cisco 2600, this example will be almost exactly what you experience on your product:
Router>enable
Password:
Password:
Password:
% Bad secrets
Router>show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
Image text-base: 0x80008088, data-base: 0x80C524F8
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Router uptime is 3 minutes
System returned to ROM by abort at PC 0x802D0B60
System image file is "flash:c2600-is-mz.120-7.T"
cisco 2611 (MPC860) processor (revision 0x202) with 26624K/6144K bytes of memory.
Processor board ID JAB031202NK (3878188963)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)
Configuration register is 0x2102
Router>
!--- The router was just powercycled and during bootup a
!--- break sequence was sent to the router.
!
*** System received an abort due to Break Key ***
signal= 0x3, code= 0x500, context= 0x813ac158
PC = 0x802d0b60, Vector = 0x500, SP = 0x80006030
rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 32768 Kbytes of main memory
program load complete, entry point: 0x80008000, size: 0x6fdb4c
Self decompressing the image : ###############################
##############################################################
##############################################################
##############################################################
############################### [OK]
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
Image text-base: 0x80008088, data-base: 0x80C524F8
cisco 2611 (MPC860) processor (revision 0x202) with 26624K/6144K bytes of memory.
Processor board ID JAB031202NK (3878188963)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: n
Press RETURN to get started!
Router>
Router>enable
Router#copy startup-config running-config
Destination filename [running-config]?
1324 bytes copied in 2.35 secs (662 bytes/sec)
Router#
00:01:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed state to down
00:01:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:2, changed state to down
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret cisco
Router(config)#^Z
00:01:54: %SYS-5-CONFIG_I: Configured from console by console
Router#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.200.40.37 YES TFTP administratively down down
Serial0/0 unassigned YES TFTP administratively down down
BRI0/0 193.251.121.157 YES unset administratively down down
BRI0/0:1 unassigned YES unset administratively down down
BRI0/0:2 unassigned YES unset administratively down down
Ethernet0/1 unassigned YES TFTP administratively down down
Serial0/1 unassigned YES TFTP administratively down down
Loopback0 193.251.121.157 YES TFTP up up
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface Ethernet0/0
Router(config-if)#no shutdown
Router(config-if)#
00:02:14: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:02:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Router(config-if)#interface BRI0/0
Router(config-if)#no shutdown
Router(config-if)#
00:02:26: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
00:02:26: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to down
00:02:26: %LINK-3-UPDOWN: Interface BRI0/0, changed state to up
00:02:115964116991: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 68 changed to up
Router(config-if)#^Z
Router#
00:02:35: %SYS-5-CONFIG_I: Configured from console by console
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
--- output truncated ---
2 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)
Configuration register is 0x2142
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#config-register 0x2102
Router(config)#^Z
00:03:20: %SYS-5-CONFIG_I: Configured from console by console
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
--- output truncated ---
2 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)
Configuration register is 0x2142 (will be 0x2102 at next reload)
Router#
Example 2: Disabling the Cisco password recovery service
Most Cisco engineers are aware of the classic password-recovery mechanism on Cisco equipment. If a device's credentials are lost, performing the password-recovery procedure above gives full access to the device's configuration, including any type 0 or type 7 passwords stored in it.
By disabling the password-recovery service you prevent anyone with physical access to the device (e.g. the console port) from performing the password-recovery process and reading its configuration. The command exists only on platforms whose ROM monitor supports it, and it protects the confidentiality of the configuration, not its availability: on platforms that offer it, a break sent during boot still prompts whether to reset the router to the factory default configuration, which erases the startup configuration instead of revealing it.
Disabling the password-recovery service requires extreme attention, because should you lose your password there is no turning back. It is highly advisable to always keep a backup of your configurations in a secure area, just in case.
You will also notice that the no service password-recovery command does not show up when you press ? for help, as it is undocumented in the IOS help.
Following are the steps to disable the password-recovery service, and the message shown when the device boots up after the service is disabled:
R1(config)# no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.
Are you sure you want to continue? [yes/no]: yes
R1(config)# exit
R1# reload
Proceed with reload? [confirm]
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2009 by Cisco Systems, Inc.
c2811 processor with 240640 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
Readonly ROMMON initialized
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
Article Summary:
• This article explains Cisco password recovery and how to disable it on a Cisco device.
Disclaimer:
This document carries no explicit or implied warranty. Nor is there any guarantee that the information contained in this document is accurate. It is offered in the hopes of helping others, but you use it at your own risk. The author will not be liable for any damages that occur as a result of using this document.
Written by: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSA, MCSE, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.
1 comment:
This is a very excellent way of teaching; everyone can easily understand this article.