cisco networking academy chabot college elec 99.08 password recovery
TRANSCRIPT
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Chabot CollegeChabot College
ELEC 99.08ELEC 99.08Password Recovery
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Password Recovery TopicsPassword Recovery Topics• Problem: Lost Password• Overview & Strategy• Step-by-Step
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Problem: Lost PasswordProblem: Lost Password• If line passwords are lost, you can’t log on.• If enable secret is lost, you can’t do anything
useful.• Unless you can recover from this situation,
your router’s config can never be changed. For all practical purposes, the router is a doorstop.
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Overview & StrategyOverview & Strategy• 3 ways to “recover”
– view the password oak#show run
– change the password oak(config)#enable secret chabot
– erase the configuration, including the password, and start overoak#erase startoak#reload
• To do any of these, which mode must you be in?privileged
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Overview & StrategyOverview & Strategy• To enter privileged mode, what is usually
required?enable secret password
• So that’s the key to the strategy: Enter the privileged mode without knowing the enable secret!
• Here’s how...
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Overview & StrategyOverview & Strategy• Configure the router to start up without reading its
configuration file. (that’s where the passwords are stored)
• Do this by – interrupting the normal boot process– setting the config-register to ignore the config file– rebooting the router (again)
• When it reboots, it has no config and no passwords. Just enable the privileged mode!
• Change, view, or erase the passwords.• Restore the config register for a normal boot.
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 1Step-by-Step: 1• Connect to the router’s console port.
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 2Step-by-Step: 2• Display and record the current value of the
router’s config register. You’ll need to reset the register to this value later, so write it down now.show version
If you can’t login to the router, you can discover the setting in a later step.
oak>show version
Cisco Internetwork Operating System Software IOS (tm) 2500 Software (C2500-JS-L), Version 12.0(7)T, RELEASE SOFTWARE
16384K bytes of processor board System flash (Read ONLY) Configuration register is 0x2102
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 3Step-by-Step: 3• Power-cycle the router• Why can’t you use reload?• What mode must you be in to reload?
privilegedWhat must you know to be able to enter the privileged mode?
enable secretso, you must use the power switch...
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 3Step-by-Step: 3• Power-cycle the router• Within 60 seconds, interrupt the normal boot
process:– Press break key (control-break on Hyperterm PE)– The router enters ROM-monitor mode and presents
this prompt >
!-- The router was just powercycled !-- During bootup a break sequence was sent to the router. !
Abort at 0x10EA83C (PC)
>
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step Step-by-Step (option if Step 2 could not be performed)(option if Step 2 could not be performed)
• Display and record the current value of the router’s config register. You’ll need to reset the register to this value later, so write it down now.>o
Letter “o”, not the number zero
Abort at 0x10EA83C (PC)
>oConfiguration register = 0x2102 at last boot Bit# Configuration register option settings:...
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 4Step-by-Step: 4• Set the config register to ignore the config file during boot:
>o/r 0x2142
Letter “o”, not the number zero
Abort at 0x10EA83C (PC)
>o/r 0x2142
4 here causes config file notto be loaded
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 5Step-by-Step: 5• Reboot the router (again):
>i
(Initialize)
Abort at 0x10EA83C (PC)
>o/r 0x2142 >i
(The router reboots, but ignores its config file.)
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 6Step-by-Step: 6• Do not enter the system config dialog.
(Use control-C to skip all questions.)^C
--- System Configuration Dialog --- Would you like to enter the initial configuration dialog? [yes/no]:
^C
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 7Step-by-Step: 7• Enable the privileged mode
en
• No password is required, because the router has not loaded a configuration file.• This is the key step.
Now you can do whatever you want!
Router>enRouter#
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 8Step-by-Step: 8• Load the config file by copying the startup config to the running config:
copy start run
• It’s OK to load the config now - you’re already in privileged mode!
Router#Router#copy start runoak#
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 9Step-by-Step: 9• View the running config:
show run
• You can now see all passwords except the enable secret! (it is encrypted, so you’ll need to change it.)
oak#oak#show run
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 10Step-by-Step: 10• Change the enable secret:
conf tenable secret [word]
• Now you’re all set.
oak#oak#conf toak(config)#enable secret chabot
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 11Step-by-Step: 11• Restore the original setting of the configuration register:
config-register 0x2102
• This step causes the router to load its config file normally at next reboot.
oak#oak#conf toak(config)#config-register 0x2102
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 12Step-by-Step: 12• Bring up all interfaces that are in use:
no shut
• The interfaces were administratively shut down when the router booted with no config file.
oak#(config)#int e0oak(config-if)#no shutoak(config-if)#int s0oak(config-if)#no shutoak(config-if)#int s0oak(config-if)#no shut
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Step-by-Step: 13Step-by-Step: 13• Save the current config-register setting to NVRAM, and then reboot:
copy run startreload
oak#conf toak(config)#config-register 0x2102oak(config)^Zoak#copy run startoak#reload
CISCO NETWORKING ACADEMYCISCO NETWORKING ACADEMY
Done...Done...• So…• Why should Cisco routers be kept in
physically secure areas, where the general public can’t get access to the console port?