Symptom: As a network administrator, you need to have access to all the routers in the internetwork. For some reason, the enable password on R1 is not working. No one in the IT department remembers changing it. You need to gain access to the router and change the enable password so that you can correctly manage the router.
Objective: Successfully break into the router and change the enable password to falcons.
The first task is to research how to initiate the password-recovery process for the Cisco router model that you have. R1 is a Cisco 2500 series router. With this information, you can search on Cisco CCO (www.cisco.com/) with the keywords password recovery 2500 to find the password-recovery document for the 2500 series routers. Review the following steps, which are outlined in that document for password recovery.
Attach a terminal or PC with terminal emulation to the console port of the router. Use the following terminal settings:
9600 baud rate
No parity
8 data bits
1 stop bit
No flow control
The required console cable specifications are described in the Cabling Guide for RJ-45 Console and AUX Ports (Cisco's 1000 series, 2500 series, and AS5100).
Note
You also can find documentation on password recovery at www.cisco.com/warp/public/474/pswdrec_2500.html. For password recovery, a laptop or PC will be connected directly into the router. A terminal server will not be used.
Now that you have reviewed the procedures, connect your PC to the console port of the router with the following terminal parameters:
9600 baud rate
No parity
8 data bits
1 stop bit
No flow control
When this is done, you can follow the steps according to the document for password recovery:
R1> show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JS-L), Version 11.2(17), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 04-Jan-99 17:27 by ashah
Image text-base: 0x00001448, data-base: 0x00764DA8
ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)
R1 uptime is 1 minute
System restarted by power-on
System image file is "c2500-js-l_112-17.bin", booted via tftp from 192.168.1.5
cisco 2500 (68030) processor (revision N) with 14336K/2048K bytes of memory.
Processor board ID 06158021, with hardware revision 00000000
Bridging software.
SuperLAT software copyright 1990 by Meridian Technology Corp).
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
R1>
The configuration register is 0x2102. You need to note this so that you can set it back to the original setting when you are finished with the password recovery procedure.
R1>
System Bootstrap, Version 11.0(10c), SOFTWARE
Copyright (c) 1986-1996 by cisco Systems
2500 processor with 14336 Kbytes of main memory
<ctrl-Break>
Abort at 0x1098FEC (PC)
>
The > prompt indicates that you are in ROMMON mode.
>o/r 0x2142
>
>i
System Bootstrap, Version 11.0(10c), SOFTWARE
Copyright (c) 1986-1996 by cisco Systems
2500 processor with 14336 Kbytes of main memory
F3: 8010312+98616+315708 at 0x3000060
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JS-L), Version 11.2(17), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 04-Jan-99 17:27 by ashah
Image text-base: 0x03040148, data-base: 0x00001000
cisco 2500 (68030) processor (revision N) with 14336K/2048K bytes of memory.
Processor board ID 06158021, with hardware revision 00000000
Bridging software.
SuperLAT software copyright 1990 by Meridian Technology Corp).
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Would you like to enter the initial configuration dialog? [yes]:
Would you like to enter the initial configuration dialog? [yes]: no
Press RETURN to get started!
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
%LINK-3-UPDOWN: Interface Serial0, changed state to down
%LINK-3-UPDOWN: Interface Serial1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down
%SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) 25 Router>00 Software (C2500-JS-L), Version 11.2(17), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 04-Jan-99 17:27 by ashah
%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down
%LINK-5-CHANGED: Interface Ethernet0, changed state to administratively down
%LINK-5-CHANGED: Interface Serial0, changed state to administratively down
%LINK-5-CHANGED: Interface Serial1, changed state to administratively down
Router>
Router> enable
Router#
Remember, by bypassing the configuration on the router, there is no enable password, so you never get prompted for a password.
Router# copy startup-config running-config
R1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
%SYS-5-CONFIG_I: Configured from memory by console
R1#
You are still in privileged EXEC mode, but with the startup config now copied into running config.
R1# show running-config
Building configuration...
Current configuration:
!
version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname R1
!
boot system c2500-js-l_112-17.bin 255.255.255.255
boot system flash c2500-js-l_112-17.bin
enable password ducks
!
no ip domain-lookup
ip host R1 192.169.1.1
ip host R2 192.169.2.2
ip host R3 192.169.3.3
ip host R4 192.169.4.4
ip host R5 192.169.5.5
ip host R6 192.169.6.6
ipx routing 0000.0000.1111
!
interface Loopback0
 ip address 192.169.1.1 255.255.255.0
!
interface Ethernet0
 description This interface connects to R2's E0
 ip address 192.168.1.1 255.255.255.0
 shutdown
 ipx network 2100
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
router rip
 network 192.168.1.0
 network 192.169.1.0
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
!
!
!
banner motd ^C This is Router 1 ^C
!
line con 0
 exec-timeout 0 0
 password falcons
 logging synchronous
line aux 0
line vty 0 4
 password falcons
 login
!
end
R1#
From the highlighted text, you see that the enable password was changed to ducks. You now know the enable password.
R1# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)# enable password falcons
R1(config)#
R1(config)# interface ethernet 0
R1(config-if)# no shut
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
R1(config-if)#
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
R1(config-if)# exit
R1#sho ip interface brief
Interface      IP-Address      OK? Method Status                Protocol
Ethernet0      192.168.1.1     YES NVRAM  up                    up
Loopback0      192.169.1.1     YES NVRAM  up                    up
Serial0        unassigned      YES unset  administratively down down
Serial1        unassigned      YES unset  administratively down down
R1#
As you recall, the only interfaces that should be active on R1 are Ethernet 0 and Loopback 0. If other interfaces were being used, you would need to remove those from the shutdown state as well.
R1(config)# config-register 0x2102
R1(config)#
R1(config)# ^Z
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1# copy running-config startup-config
Building configuration...
[OK]
R1#
You now have completed the password-recovery procedure. To verify that you have successfully changed the enable password, you can exit the router and re-enter privileged mode. Example 17-47 demonstrates this process.
R1# exit
R1 con0 is now available
Press RETURN to get started.
This is Router 1
R1> enable
Password: falcons
R1#
Success! The enable password has been successfully changed.
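The two configuration-register values used in this procedure, decoded in an added example (not part of the original text or of Cisco's recovery document): bit 6 (0x0040) is the only difference between 0x2142 and 0x2102, and the check flags a router that is still set to ignore its startup config. The function names and the two constructed show version lines are assumptions for illustration.

```python
import re

# Configuration-register bits relevant to this procedure (standard Cisco IOS layout).
BOOT_FIELD     = 0x000F  # bits 0-3: 0 = ROM monitor, 1 = ROM boot image, 2-F = normal boot
IGNORE_NVRAM   = 0x0040  # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100  # bit 8: Break ignored once IOS is up (still honored early in boot)

def decode_confreg(value):
    """Decode the fields that matter for password recovery."""
    boot = value & BOOT_FIELD
    mode = {0: "ROM monitor", 1: "ROM boot image"}.get(boot, "normal boot")
    return {
        "boot_mode": mode,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }

# Matches the 'show version' line, including the pending value IOS prints
# after config-register has been changed but the router has not reloaded.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def audit_show_version(text):
    """Return findings about the register reported in 'show version' output."""
    m = CONFREG_RE.search(text)
    if not m:
        return ["no configuration register line found"]
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if decode_confreg(current)["ignore_nvram"]:
        findings.append(f"booted with 0x{current:04X}: startup-config was bypassed")
    if decode_confreg(pending)["ignore_nvram"]:
        findings.append(f"next reload uses 0x{pending:04X}: startup-config will be ignored")
    return findings

# Sample lines: the first is from the page, the other two are constructed.
SAMPLES = {
    "before recovery": "Configuration register is 0x2102",
    "after config-register 0x2102": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "register never reset": "Configuration register is 0x2142",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, audit_show_version(line))
```

Run against show version output collected after maintenance, the second finding identifies a router whose register was never set back and that would come up unconfigured on its next reload.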