Password Breaking of Cisco Routers
The password-recovery process relies on the fact that the configuration register can be used to make the router ignore the NVRAM configuration when the router is reloaded. The router will be up, but with a default configuration; this allows a console user to log in, enter privileged mode, and change any encrypted passwords or view any unencrypted passwords.
ROMMON will allow you to change the configuration register without knowing any passwords or even booting the IOS. To enter ROMMON mode, press the Break key during the first 60 seconds after power-on of the router. Then you must set bit 6 (the 0x0040 bit) of the configuration register to binary 1, which is done by setting the entire config register with a four-digit hexadecimal value. For example, hex 2142 is identical to hex 2102, except that bit 6 is binary 1.
The process is slightly different for different models of routers, although the concepts are identical.
Password Recovery
| Step | Function | How to Do This for 1600, 2600, 3600, 4500, 7200, 7500 |
| 1 | Turn the router off and then back on again. | Use the power switch. |
| 2 | Press the Break key within the first 60 seconds. | Find the Break key on your console device’s keyboard. |
| 3 | Change the configuration register so that bit 6 is 1. | Use the ROMMON command confreg, and answer the prompts. |
| 4 | Cause the router to load IOS. | Use the ROMMON reset command or, if unavailable, power off and on. |
| 5 | Avoid using setup mode, which will be prompted for at the console. | Just say no. |
| 6 | Enter privileged mode at console. | Press Enter and use the enable command (no password required). |
| 7 | Assuming that you still want to use the configuration in NVRAM, copy it to the running config. | copy startup-config running-config |
| 8 | View startup config to see unencrypted passwords. | Use the exec command show startup-config. |
| 9 | Use the appropriate config commands to reset encrypted passwords. | For example, use the enable secret xyz123 command to set the enable secret password. |
| 10 | Change the config register back to its original value. | Use the config command config-register 0x2102. |
| 11 | Reload the router after saving the configuration. | Use the copy running-config startup-config and reload commands. |
Password Recovery
| Step | Function | How to Do This for 2000, 2500, 3000, 4000, 7000 |
| 1 | Turn the router off and then back on again. | Same as other routers. |
| 2 | Press the Break key within the first 60 seconds. | Same as other routers. |
| 3 | Change the configuration register so that bit 6 is 1. | Use the ROMMON command o/r 0x2142. |
| 4 | Cause the router to load IOS. | Use the ROMMON command initialize. |
| 5 | Avoid using setup mode, which will be prompted for at the console. | Same as other routers |
| 6 | Enter privileged mode at console. | Same as other routers. |
| 7 | Assuming that you still want to use the configuration in NVRAM, copy it to the running config. | copy startup-config running-config |
| 8 | View startup config to see unencrypted passwords. | Same as other routers. |
| 9 | Use the appropriate config commands to reset encrypted passwords. | Same as other routers. |
| 10 | Change the config register back to its original value. | Same as other routers. |
| 11 | Reload the router after saving the configuration. | Same as other routers. |
*Note: A simple trick for these tables is to look at the ROMMON prompt and use the matching commands.
If the ROMMON prompt appears like this (>), use the following commands:
Step 1. > o/r 0x2142
Step 2. > initialize
If the ROMMON prompt appears like this (rommon1>), use the following commands (the number in the prompt increases by one after each command, which is why step 2 shows rommon2>):
Step 1. rommon1> confreg 0x2142
Step 2. rommon2> reset