
Scenario 4

Symptom: As a network administrator, you need to have access to all the routers in the internetwork. For some reason, the enable password on R1 is not working. No one in the IT department remembers changing it. You need to gain access to the router and change the enable password so that you can correctly manage the router.

Objective: Successfully break into the router and change the enable password to falcons.

The first issue is to research how to initiate the password-recovery process for the Cisco router model that you have. R1 is a Cisco 2500 series router. With this information, you can search on Cisco CCO (www.cisco.com/) with the keywords password recovery 2500 to find the password-recovery document for the 2500 series routers. Review the following steps, which that document outlines for password recovery.

Attach a terminal or PC with terminal emulation to the console port of the router. Use the following terminal settings:

  • 9600 baud rate

  • No parity

  • 8 data bits

  • 1 stop bit

  • No flow control

The required console cable specifications are described in the Cabling Guide for RJ-45 Console and AUX Ports (Cisco's 1000 series, 2500 series, and AS5100).

Step 1. Type show version and record the setting of the configuration register.

The configuration register setting is usually 0x2102 or 0x102.

Step 2. Using the switch, turn off the router and then turn it on.

Step 3. Press Break on the terminal keyboard within 60 seconds of the powerup to put the router into ROMMON.

Step 4. Type o/r 0x2142 at the > prompt to boot from Flash without loading the configuration. (For a review of the purpose of the configuration register, see Chapter 2, "Cisco Router Review.")

Step 5. Type i at the > prompt.

The router reboots but ignores its saved configuration.

Step 6. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.

Step 7. Type enable at the Router> prompt.

You'll be in enable mode and see the Router# prompt.

Step 8. Important: Type config mem or copy start running to copy the nonvolatile RAM (NVRAM) into memory. Do not type config term.

Step 9. Type wr term or show running. The show running and wr term commands show the configuration of the router. In this configuration, you see under all the interfaces the shutdown command, which means that all interfaces are currently shut down. Also, you can see the passwords in either encrypted or unencrypted format.

Step 10. Type config term and make the changes.

The prompt is now hostname(config)#.

Step 11. Type enable <password>.

Step 12. Issue the no shutdown command on every interface that is used. If you issue a show ip interface brief command, every interface that you want to use should be up, up.

Step 13. Type config-register 0x2102 or the value that you recorded in step 2.

Step 14. Press Ctrl-z to leave the configuration mode.

The prompt is now hostname#.

Step 15. Type write mem or copy running startup to commit the changes.

Note

You also can find documentation on password recovery at www.cisco.com/warp/public/474/pswdrec_2500.html. For password recovery, a laptop or PC will be connected directly into the router. A terminal server will not be used.
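The procedure turns on one bit of the configuration register: a router left at 0x2142 (Step 13 skipped) ignores its startup config, and with it the enable password, on every reload. The check below is an added example, not code from the book or from Cisco's document; the `decode` and `audit` names and the sample `show version` lines are constructed for illustration, and the bit meanings are the commonly documented ones for this register.

```python
import re

IGNORE_NVRAM = 0x0040    # bit 6: skip the startup config at boot (set by 0x2142)
BREAK_DISABLED = 0x0100  # bit 8: Break ignored once the boot window has passed
LINE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def decode(value):
    """Describe the configuration register fields this procedure relies on."""
    return {
        "boot_field": value & 0x000F,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }

def audit(host, show_version, expected=0x2102):
    """Return findings for the register line in one router's 'show version'."""
    m = LINE.search(show_version)
    if not m:
        return [f"{host}: configuration register line not found"]
    current = int(m.group(1), 16)
    # IOS appends the pending value after config-register has been changed.
    effective = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if decode(current)["ignore_nvram"]:
        findings.append(f"{host}: booted with startup config bypassed ({current:#x})")
    if decode(effective)["ignore_nvram"]:
        findings.append(f"{host}: next reload will bypass startup config ({effective:#x})")
    elif effective != expected:
        findings.append(f"{host}: register {effective:#x} differs from recorded {expected:#x}")
    return findings

# Constructed 'show version' lines for three states of the procedure above.
SAMPLES = {
    "R1-before": "Configuration register is 0x2102",
    "R1-step13": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "R1-forgot": "Configuration register is 0x2142",
}

def run():
    """Audit every constructed sample and return findings per host."""
    return {host: audit(host, text) for host, text in SAMPLES.items()}

if __name__ == "__main__":
    for host, findings in run().items():
        print(host, findings or "ok")
```

Run against collected `show version` output, a finding on a router nobody was recovering indicates that someone with console access has rebooted it past its configuration.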


Now that you have reviewed the procedures, connect your PC to the console port of the router with the following terminal parameters:

  • 9600 baud rate

  • No parity

  • 8 data bits

  • 1 stop bit

  • No flow control

When this is done, you can follow the steps according to the document for password recovery:

Step 1. Type show version and record the setting of the configuration register. See Example 17-34.

Example 17-34 show version Command Output
    R1> show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-JS-L), Version 11.2(17), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Mon 04-Jan-99 17:27 by ashah
    Image text-base: 0x00001448, data-base: 0x00764DA8
    ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
    BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)
    R1 uptime is 1 minute
    System restarted by power-on
    System image file is "c2500-js-l_112-17.bin", booted via tftp from 192.168.1.5
    cisco 2500 (68030) processor (revision N) with 14336K/2048K bytes of memory.
    Processor board ID 06158021, with hardware revision 00000000
    Bridging software.
    SuperLAT software copyright 1990 by Meridian Technology Corp).
    X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
    TN3270 Emulation software.
    1 Ethernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    32K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    R1>

The configuration register is 0x2102. You need to note this so that you can set it back to the original setting when you are finished with the password recovery procedure.

Step 2. Using the switch, turn off the router and then turn it on.

Step 3. Press Break on the terminal keyboard within 60 seconds of the powerup to put the router into ROMMON. (For HyperTerminal, the break sequence is Ctrl-Break. The Break key is in the upper-right of your keyboard, usually the same key as the Pause key.) See Example 17-35.

Example 17-35 Rebooting R1 and Initiating the Break Sequence
    R1>
    System Bootstrap, Version 11.0(10c), SOFTWARE
    Copyright (c) 1986-1996 by cisco Systems
    2500 processor with 14336 Kbytes of main memory
    <ctrl-Break>
    Abort at 0x1098FEC (PC)
    >

The > prompt indicates that you are in ROMMON mode.

Step 4. Type o/r 0x2142 at the > prompt to boot from Flash without loading the configuration. See Example 17-36.

Example 17-36 Changing the Configuration Register to Bypass the Startup Config File
    >o/r 0x2142
    >

Step 5. Type i at the > prompt.

The router reboots but ignores its saved configuration. See Example 17-37.

Example 17-37 Reinitialize R1 and Ignore Saved Configuration
    >i
    System Bootstrap, Version 11.0(10c), SOFTWARE
    Copyright (c) 1986-1996 by cisco Systems
    2500 processor with 14336 Kbytes of main memory
    F3: 8010312+98616+315708 at 0x3000060
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-JS-L), Version 11.2(17), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Mon 04-Jan-99 17:27 by ashah
    Image text-base: 0x03040148, data-base: 0x00001000
    cisco 2500 (68030) processor (revision N) with 14336K/2048K bytes of memory.
    Processor board ID 06158021, with hardware revision 00000000
    Bridging software.
    SuperLAT software copyright 1990 by Meridian Technology Corp).
    X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
    TN3270 Emulation software.
    1 Ethernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    32K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read ONLY)
             --- System Configuration Dialog ---
    At any point you may enter a question mark '?' for help.
    Use ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets '[]'.
    Would you like to enter the initial configuration dialog? [yes]:

Step 6. Type no or press Ctrl-C to skip the initial setup procedure. See Example 17-38.

Example 17-38 Exiting Setup Configuration Mode on R1
    Would you like to enter the initial configuration dialog? [yes]: no
    Press RETURN to get started!
    %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
    %LINK-3-UPDOWN: Interface Serial0, changed state to down
    %LINK-3-UPDOWN: Interface Serial1, changed state to down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down
    %SYS-5-RESTART: System restarted --
    Cisco Internetwork Operating System Software
    IOS (tm) 25 Router>00 Software (C2500-JS-L), Version 11.2(17), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Mon 04-Jan-99 17:27 by ashah
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down
    %LINK-5-CHANGED: Interface Ethernet0, changed state to administratively down
    %LINK-5-CHANGED: Interface Serial0, changed state to administratively down
    %LINK-5-CHANGED: Interface Serial1, changed state to administratively down
    Router>

Step 7. Type enable at the Router> prompt.

You'll be in enable mode and see the Router# prompt. See Example 17-39.

Example 17-39 Gaining Access to Privileged Exec Mode (Enable Mode)
    Router> enable
    Router#

Remember, by bypassing the configuration on the router, there is no enable password, so you never get prompted for a password.

Step 8. This is very important. Type config mem or copy start running to copy the nonvolatile RAM (NVRAM) into memory. Do not type config term. This will overwrite your configuration in the startup config file. See Example 17-40.

Example 17-40 Placing the Startup Config File into R1's RAM (Running Config)
    Router# copy startup-config running-config
    R1#
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
    %SYS-5-CONFIG_I: Configured from memory by console
    R1#

You are still in privileged EXEC mode, but with the startup config now copied into running config.

Step 9. Type show running.

The show running command shows the configuration of the router. In this configuration, you see under all the interfaces the shutdown command, which means that all interfaces currently are shut down. Also, if service password-encryption is enabled, you will see the password in the output, but it will be encrypted. If no service password-encryption is in the config file, the password will be in clear text. Initiating the password-recovery procedure does not change whether the passwords appear encrypted or in clear text in the output. See Example 17-41.

Example 17-41 show running-config Output
    R1# show running-config
    Building configuration...
    Current configuration:
    !
    version 11.2
    no service password-encryption
    no service udp-small-servers
    no service tcp-small-servers
    !
    hostname R1
    !
    boot system c2500-js-l_112-17.bin 255.255.255.255
    boot system flash c2500-js-l_112-17.bin
    enable password ducks
    !
    no ip domain-lookup
    ip host R1 192.169.1.1
    ip host R2 192.169.2.2
    ip host R3 192.169.3.3
    ip host R4 192.169.4.4
    ip host R5 192.169.5.5
    ip host R6 192.169.6.6
    ipx routing 0000.0000.1111
    !
    interface Loopback0
     ip address 192.169.1.1 255.255.255.0
    !
    interface Ethernet0
     description This interface connects to R2's E0
     ip address 192.168.1.1 255.255.255.0
     shutdown
     ipx network 2100
    !
    interface Serial0
     no ip address
     shutdown
     no fair-queue
    !
    interface Serial1
     no ip address
     shutdown
    !
    router rip
     network 192.168.1.0
     network 192.169.1.0
    !
    no ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.1.2
    !
    !
    !
    !
    banner motd ^C This is Router 1 ^C
    !
    line con 0
     exec-timeout 0 0
     password falcons
     logging synchronous
    line aux 0
    line vty 0 4
     password falcons
     login
    !
    end
    R1#

From the highlighted text, you see that the enable password was changed to ducks. You now know the enable password.

Step 10. Type config term and make the changes. The prompt is now hostname(config)#. See Example 17-42.

Example 17-42 Entering Global Configuration Mode on R1
    R1# config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#

Step 11. Type enable password. Use just the enable password command, not the enable secret password command. Change the password back to the original password of falcons. See Example 17-43.

Example 17-43 Changing the Enable Password on R1
    R1(config)# enable password falcons
    R1(config)#

Step 12. Issue the no shutdown command on every interface that is used. If you issue a show ip interface brief command, every interface that you want to use should be up, up. See Example 17-44.

Example 17-44 Remove Interfaces from Shutdown State
    R1(config)# interface ethernet 0
    R1(config-if)# no shut
    R1(config-if)#
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
    R1(config-if)#
    %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
    R1(config-if)# exit
    R1#sho ip interface brief
    Interface              IP-Address     OK? Method Status                Protocol
    Ethernet0              192.168.1.1    YES NVRAM  up                    up
    Loopback0              192.169.1.1    YES NVRAM  up                    up
    Serial0                unassigned     YES unset  administratively down down
    Serial1                unassigned     YES unset  administratively down down
    R1#

As you recall, the only interfaces that should be active on R1 are Ethernet 0 and Loopback 0. If other interfaces were being used, you would need to remove those from the shutdown state as well.

Step 13. Type config-register 0x2102 or the value that you recorded in Step 2. See Example 17-45.

Example 17-45 Resetting the Original Configuration Register on R1
    R1(config)# config-register 0x2102
    R1(config)#

Step 14. Press Ctrl-z to leave the configuration mode. The prompt is now hostname#.

Step 15. Type write mem or copy running startup to commit the changes. See Example 17-46.

Example 17-46 Exiting Configuration Mode and Saving Configuration
    R1(config)# ^Z
    R1#
    %SYS-5-CONFIG_I: Configured from console by console
    R1# copy running-config startup-config
    Building configuration...
    [OK]
    R1#

You now have completed the password-recovery procedure. To verify that you have successfully changed the enable password, you can exit the router and re-enter privileged mode. Example 17-47 demonstrates this process.

Example 17-47 Exiting and Re-entering Privileged EXEC Mode
    R1# exit
    R1 con0 is now available
    Press RETURN to get started.
    This is Router 1
    R1> enable
    Password: falcons
    R1#

Success! The enable password has been successfully changed.
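As Example 17-41 shows, anyone who completes this console procedure can read every password that the configuration stores in clear text or under service password-encryption, whereas enable secret stores only a one-way hash. The audit below is an added example, not part of the book: `audit_passwords` is a hypothetical helper, and the sample config is constructed in the style of Example 17-41 with a placeholder type 7 string.

```python
import re

# Constructed sample in the style of Example 17-41; the type 7 value is a placeholder.
SAMPLE = """\
no service password-encryption
hostname R1
enable password ducks
line con 0
 password falcons
line vty 0 4
 password 7 AAAAAAAAAAAA
 login
"""

# Matches 'enable password X', ' password X' and ' password 7 X'.
PW = re.compile(r"^(\s*(?:enable )?password )(?:(\d) )?(\S+)\s*$")

def audit_passwords(config):
    """Return (findings, redacted_config) for IOS-style password lines."""
    findings, redacted, context = [], [], "global"
    for line in config.splitlines():
        # An unindented line starts a new section; remember 'line ...' sections.
        if line and not line[0].isspace():
            context = line if line.startswith("line ") else "global"
        m = PW.match(line)
        if not m:
            redacted.append(line)
            continue
        kind = "reversible type 7" if m.group(2) == "7" else "cleartext"
        if "enable" in m.group(1):
            what = "enable password"
        else:
            what = f"password under '{context}'"
        findings.append(f"{what}: stored as {kind}")
        redacted.append(m.group(1) + "<redacted>")  # safe to paste into a ticket
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no 'enable secret' configured")
    return findings, "\n".join(redacted)

if __name__ == "__main__":
    found, safe_copy = audit_passwords(SAMPLE)
    print("\n".join(found))
    print(safe_copy)
```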


   
CCNA Practical Studies (Cisco Certification & Training)
ISBN: 1587200465
Year: 2005
Pages: 127
