Lab 1: Password Recovery-Part II

Lab 1: Password Recovery ”Part II

Lab Walkthrough

As discussed previously, password recovery is similar from one router platform to another. Therefore, you can apply the process outlined earlier in this chapter here, with a few modifications to fit the lab exercise.

The procedure outlined in the list that follows is valid for the following routers:

• Cisco 2000 series

• Cisco 2500 series

• Cisco 3000 series

• Cisco 4000 series with the 680x0 Motorola CPU

• Cisco 7000 series running Cisco IOS Software Release 10.0 or later in ROMs installed on the RP card

• IGS series running Cisco IOS Software Release 9.1 or later in ROMs

Step 1. Attach a PC or PDA with terminal-emulation software to the router's console port through Cisco rolled cable.

Step 2. Power-cycle the router.

Step 3. Issue a break signal.

Step 4. Determine what type of ROM monitor you have ”is CONREG supported?

- If you have a Basic ROM monitor: Set bit 6: > O/R 0x2142. Reload the router with the initialize command.

- If CONFREG is supported: Run the CONFREG utility: > CONFREG. Answer every question with the default or Enter until you come to the question Enable ignore system config info . Answer "yes" to this question. This also sets bit 6. Reload the router with the reset command.

Step 5. When the router reloads , it will try to run setup, abort the setup utility with CTRL-C.

Step 6. Enter enable mode, and examine the configuration found in NVRAM; use the show startup-config command to accomplish this.

For this walkthrough, you perform a password recovery operation to gain privileged level access to your access server. In this example, the access server is called skynet_access_1.

First, attach a PC or laptop with terminal-emulation software to the console port of the router. Power off the router and turn it back on. Within the first 60 seconds of initialization, issue a break signal from your terminal emulator. Example 1-38 demonstrates a successful break or halt of the OS.

Example 1-38 A Successful Break

 System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE Copyright (c) 1986-1995 by cisco Systems 2500 processor with 14336 Kbytes of main memory Abort at 0x10EA888 (PC) > 

Getting the terminal-emulation software to send a break signal is a common problem with password recovery. Here are a few tips that might help if you have trouble sending a break signal:

• First, ensure that you are securely plugged into the console port of the router and using the Cisco rolled cable.

• If your portable or laptop computer is using Windows 95/98/2000 with HyperTerminal, the break signal is usually issued by pressing the Function key and the Break key, sometimes located on the Page Down or Pause key. Table 1-8, earlier in the chapter, documents where you can find standard break key combinations for all terminal-emulation software, platforms, and operating systems.

• On HyperTerminal, the break signal is issued by pressing the Ctrl-Break / Pause key sequence.

• On Windows NT, you must configure NT to send the break signal with a function key. Set the Break by entering the characters ^$B ( Shift 6, Shift 4, and uppercase B ). HyperTerm 5.0 private edition sends the Break for the Windows NT platform without any additional configuration.

• When using any other terminal-emulation software, consult the manufacturer's instructions on sending a break signal.

When you see the abort message, you are ready to proceed. If you don't recall what type of routers support CONFREG, this is a good point to key in the ? for help and look for the CONFREG utility. In Example 1-39, you can see what the output from the ? looks like on the access server.

Example 1-39 Output from the ? Command on Router That Doesn't Support CONFREG

 >  ?  $            Toggle cache state B [filename] [TFTP Server IP address  TFTP Server Name]              Load and execute system image from ROM or from TFTP server C [address]  Continue execution [optional address] D /S M L V   Deposit value V of size S into location L with modifier M E /S M L     Examine location L with size S with modifier M G [address]  Begin execution H            Help for commands I            Initialize K            Stack trace L [filename] [TFTP Server IP address  TFTP Server Name]              Load system image from ROM or from TFTP server, but do not              begin execution O            Show configuration register option settings P            Set the break point S            Single step next instruction T function   Test device (? for help) Deposit and Examine sizes may be B (byte), L (long) or S (short). Modifiers may be R (register) or S (byte swap). Register names are: D0D7, A0A6, SS, US, SR, and PC > 

Example 1-40 illustrates the same break, followed by the ? command; however, this time, it was performed on a router that supports CONFREG.

Example 1-40 A Successful Break, Followed by the Output from the ? Command on Router That Supports CONFREG

 System Bootstrap, Version 5.3(16) [richardd 16], RELEASE SOFTWARE (fc1) Copyright (c) 1996 by cisco Systems, Inc. C4500 processor with 16384 Kbytes of main memory monitor: command "boot" aborted due to user interrupt rommon 1 > rommon 1 >  ?  alias               set and display aliases command boot                boot up an external process break               set/show/clear the breakpoint confreg             configuration register utility cont                continue executing a downloaded image context             display the context of a loaded image cookie              display contents of cookie PROM in hex dev                 list the device table dir                 list files in file system dis                 disassemble instruction stream dnld                serial download a program module frame               print out a selected stack frame help                monitor built in command help history             monitor command history meminfo             main memory information repeat              repeat a monitor command reset               system reset set                 display the monitor variables stack               produce a stack trace sync                write monitor environment to NVRAM sysret              print out info from last system return unalias             unset an alias unset               unset a monitor variable rommon 2 > 

Set bit 6 of the register to 1 to ignore NVRAM on startup. This is done by keying in O/R hex-value and then pressing Enter. Then initialize, or reload, the router by keying in init. Example 1-41 demonstrates this procedure.

Example 1-41 Setting Bit 6 to Ignore NVRAM, Followed by the initialization Command

 System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE Copyright (c) 19861995 by cisco Systems 2500 processor with 14336 Kbytes of main memory Abort at 0x10205A6 (PC)  >o/r 0x2142   >init  System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE Copyright (c) 19861995 by cisco Systems 

On a router that supports CONFREG, this process is just as straightforward. Example 1-42 demonstrates how this procedure is done on such a platform. In this example, a Cisco 4700 series router is used.

Example 1-42 Setting Bit 6 to Ignore NVRAM, Followed by the reset Command

 rommon 1 >  confreg  Configuration Summary enabled are: load rom after netboot fails console baud: 9600 boot: image specified by the boot system commands       or default to: cisco2-C4500 do you wish to change the configuration? y/n  [n]:  y  enable  "diagnostic mode"? y/n  [n]:  n  enable  "use net in IP bcast address"? y/n  [n]:  n  disable "load rom after netboot fails"? y/n  [n]:  n  enable  "use all zero broadcast"? y/n  [n]:  n  enable  "break/abort has effect"? y/n  [n]:  n  enable  "ignore system config info"? y/n  [n]:  y  change console baud rate? y/n  [n]:  n  change the boot characteristics? y/n  [n]:  n  Configuration Summary enabled are: load rom after netboot fails ignore system config info console baud: 9600 boot: image specified by the boot system commands       or default to: cisco2-C4500 do you wish to change the configuration? y/n  [n]:  n  You must reset or power cycle for new config to take effect rommon 2 >  reset  System Bootstrap, Version 5.3(16) [richardd 16], RELEASE SOFTWARE (fc1) Copyright (c) 1996 by cisco Systems, Inc. 

When the router reloads, it will no longer have a running-configuration. The router will still have a startup-configuration, which is stored in NVRAM. To view this configuration, first enter enable mode and then enter the show startup-configuration command.

If you want to preserve the existing configuration, perform the following steps, paying strict attention to the order.

Step 1. Enter enable mode with enable.

Step 2. Copy the startup-config to running-config with copy startup-config running-config.

Step 3. Enter the configuration mode, and change the boot register back to the normal configuration with configure-register 0x2102.

Step 4. Bring up all interfaces because they will be in the default down status.

Step 5. Configure a new enable password.

Step 6. Save the configuration with copy running-config startup-config.