Password Recovery on a Cisco Router

«« Previous
Next »»

While working with IOS based devices, it is not uncommon to forget passwords and lock yourself out of the devices. While password recovery procedures differ from device to device, most Cisco routers have a similar process for recovering the password. Recovering passwords for Cisco switches is a little different and not covered in CCNA, so this sections looks at the password recovery procedure for routers only.

Before starting password recovery on a Cisco router, you need to understand two important things associated with the boot process:

◉ The ROM monitor – The ROM monitor, also called the bootstrap program, initializes the hardware, locates the IOS file and boots it. This mode can be used for troubleshooting and testing. If an IOS file is not found during the boot process, you will be dropped into the ROM monitor (ROMmon) mode. The prompt at this mode is rommon #>, where # is a number. At this mode there are very few commands available that essentially help in finding and fixing problems related to the boot up. It can also be used to copy an IOS file from TFTP to the flash.

◉ Configuration Register – This is a 16-bit value that is written to the NVRAM and controls aspects of the boot process. It can be set to change where bootstrap program looks for the IOS file, whether the startup config is loaded or not and even if the boot process should stop at ROMmon and not load the IOS file. While each one of the 16-bits has a different function there are two values that you need to remember – 2102 and 2142. 2102 is the default value, which means that the router will look for the IOS file in the flash memory and will load the startup config from the NVRAM. A value of 2142 means that the router will load the IOS file from the flash but will not load the startup config. The value of the config register can be seen in the output of show version command.
You probably have figured by now that the ROMmon and the configuration register play an important role in the password recovery procedure. The mains steps for the procedure are:

1. Boot into the ROMmon mode
2. Change the configuration register such that the startup config is not loaded
3. Boot into IOS
4. Go to the privileged exec mode and copy startup config to running config
5. Change the passwords
6. Save the running config to startup config
7. Change the configuration register back to 2102
8. Reboot

So essentially, you first get the router to load the IOS without the startup config, so that you can start an exec session and go to the privileged mode without a password. Once there, you load the startup config and change the password and then save back the config. One common mistake here is to not load the startup config. Remember that the running config is empty. If you simply configure the new password and save this config, it will override the startup config. Once the new passwords are saved in the startup config, you will need to change the configuration register back to normal.

Now let us look at the procedure in detail.

Booting into the ROMmon mode and changing configuration register

To manually boot into the ROMmon mode, you will need to reboot the device and break the boot sequence. Pressing the Ctrl+Break key combination during boot usually does this. An example is shown below:

Exam Alert: In reality the break sequence differs from client to client and operating system to operating system. For example, when using OSX, you might have to use Cmd+b. As far as the CCNA exam goes, Ctrl+Break is the only option. I would suggest using Windows/Hyperterminal for practice.

System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2004 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 processor with 131072 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
Readonly ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xc10
monitor: command “boot” aborted due to user interrupt
rommon 1 >

Notice the second to the last line in the output where it shows that the boot was aborted due to user interrupt. That is where I press Ctrl+Break key combination and was brought to the rommon 1> prompt.

You can change the configuration register from this prompt using the confreg command as shown below:

rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect 

Note that the configuration register value is preceded by 0x. This denotes that the value 2102 is a hexadecimal value. After changing the value, you can reset the device using the reset command here. When the device boots again, you do not have to interrupt the sequence.

The rest of the procedure

After the device boots, the setup mode will begin. Type in no when prompted to exit the setup mode and enter the user exec mode. Once there, you can use the commands discussed previously in the chapter to get to the privileged mode, load startup config and change passwords. An example is shown below:

Router>en
Router#copy startup-config running-config
Destination filename [running-config]?
1244 bytes copied in 0.548 secs (2270 bytes/sec)
myRouter#config t
myRouter(config)#enable secret newpass
myRouter(config)#line con 0
myRouter(config-line)#password newpass
myRouter(config-line)#^Z
myRouter#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
[OK]

Now that the password has been changed in the startup config, you will be able to access the device once it boots back normally. But if you boot the router now, it will keep loading without the startup config because the configuration register is still set to 0x2142. To change the configuration register use the config-register command in the global configuration mode as shown below and then save the configuration again before rebooting:

myRouter#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
myRouter(config)#config-register 0x2102
myRouter(config)#exit
myRouter#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
[OK]
myRouter#reload
Proceed with reload? [confirm]

«« Previous
Next »»

0 comments:

Post a Comment