Password Recovery on Cisco Routers

Almost every novice Cisco administrator sooner or later ends up holding a router whose password has been completely forgotten, or was never known in the first place. As a Cisco course instructor, I run into this situation all the time after lab work. Students build a topology, set passwords for access, play with the network and ... forget to delete the configuration file before leaving. Naturally, by the next lab everyone has forgotten their passwords. For reasons I do not understand, Cisco pays little attention to this topic in its training material, and the documentation on the official site tends to scare beginners off. Today I would like to fill that gap.


Introduction


If you have reached at least the CCENT level, you should already know about the configuration register. It is a 16-bit register stored in NVRAM that controls the router's boot sequence: from where, and in what order, the router loads its operating system and its settings file. Its default value is 0x2102. The third hexadecimal digit controls how the settings file is handled, the fourth controls how the OS is loaded. Our goal is to make the router ignore the settings file at boot (that is where the passwords live) and give us privileged mode. We achieve this by changing the third digit of the register to "4".
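To make the digit-by-digit description above concrete, here is an added example (not code from the original post) that decodes a configuration register value bit by bit and audits `show version` output for a router that was left with the "ignore NVRAM" bit set after a recovery. The bit layout follows Cisco's documented configuration-register format; the `show version` sample is constructed, and the function and constant names are my own.

```python
"""Decode a Cisco configuration register and audit `show version` output.

Added example, not code from the original post. Bit positions follow the
documented configuration-register layout; the sample output is constructed.
"""
import re

IGNORE_NVRAM = 0x0040      # bit 6: ignore startup-config in NVRAM at boot
BREAK_DISABLED = 0x0100    # bit 8: Break key ignored once IOS is running
NETBOOT_FALLBACK = 0x2000  # bit 13: fall back to ROM software if network boot fails

DEFAULT_CONFREG = 0x2102   # the default value quoted in the post


def decode_confreg(value):
    """Return the meaning of the fields that matter for password recovery."""
    boot_field = value & 0xF  # fourth hex digit: how the OS is loaded
    if boot_field == 0:
        boot = "stay in ROM monitor"
    elif boot_field == 1:
        boot = "boot first image found in flash"
    else:
        boot = "boot according to 'boot system' commands"
    return {
        "value": value,
        "boot_field": boot_field,
        "boot": boot,
        # third hex digit '4' is exactly bit 6, the ignore-NVRAM flag
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "netboot_fallback": bool(value & NETBOOT_FALLBACK),
    }


def recovery_value(value):
    """The register value used during recovery: same bits plus ignore-NVRAM."""
    return value | IGNORE_NVRAM


def normal_value(value):
    """The value to restore afterwards: ignore-NVRAM bit cleared."""
    return value & ~IGNORE_NVRAM


# IOS prints the register on the last line of `show version`; when it has
# been changed but not yet applied, it also prints the pending value.
_CONFREG_RE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]+)"
    r"(?: \(will be 0x([0-9A-Fa-f]+) at next reload\))?"
)


def audit_show_version(text):
    """Flag a router whose register still ignores startup-config.

    Returns None if no register line is found, otherwise a dict with the
    current value, the value at next reload and a list of findings.
    """
    match = _CONFREG_RE.search(text)
    if match is None:
        return None
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    findings = []
    if current & IGNORE_NVRAM:
        findings.append(
            "register 0x%04X in effect: startup-config was ignored at the "
            "last boot" % current
        )
    if pending & IGNORE_NVRAM:
        findings.append(
            "register will be 0x%04X at next reload: startup-config will "
            "be ignored again; set config-register 0x%04X"
            % (pending, normal_value(pending))
        )
    return {"current": current, "next": pending, "findings": findings}


# Constructed sample: a router right after step 6 of the post was applied.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, constructed sample output
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""


if __name__ == "__main__":
    for reg in (DEFAULT_CONFREG, recovery_value(DEFAULT_CONFREG)):
        print(hex(reg), decode_confreg(reg))
    print(audit_show_version(SAMPLE_SHOW_VERSION))
```

The audit function is the part a defender actually wants: a router still running with 0x2142 after a recovery will silently come up empty on the next reload, and the `show version` line is the quickest place to catch that.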

Algorithm


  1. Reboot the router, wait for the line “Self decompressing the image: ###” and press Ctrl-C or Ctrl-Break. This interrupts the boot and drops us into ROM Monitor (rommon) mode:

    [screenshot]

  2. Change the register value to 2142 with the command confreg 0x2142 (remember that this number is hexadecimal) and reboot again:

    [screenshot]

  3. After the reboot we land in setup mode, which means the router did not load the settings file, exactly what we wanted. We exit this mode and switch to privileged mode:

    [screenshot]

  4. We now have full access to the router's configuration. If you care about your settings (they are still stored in startup-config), now is the time to restore them with the command copy start run. All the passwords are back in effect, but since we are already “inside”, that is, we already have configuration rights, we will not be asked for them:

    [screenshot]

  5. Change every password we care about to a new one and save the settings to NVRAM:

    [screenshot]

  6. Set the register back to its previous value with the command config-register 0x2102 and reboot to check the new passwords:

    [screenshot]


That's all. The whole process takes five minutes at most.

“But this is a hole!”


At first glance, that is how it looks. But note that rommon can only be reached through the console, and during the recovery we had to power-cycle the router, which means an attacker needs physical access to the equipment to use this “hole”. And if that has happened, a cracked password on a Cisco box is the least of your problems.

If that still does not convince you, there is a way to close off this recovery method: the command no service password-recovery. It removes the ability to change the register to 2142. Keep in mind, though, that if you lose the password after that, bringing the router back from the dead will take a great deal of fiddling.

Hope that was helpful.

See you on the pages of Habr!
