PASSWORD RECOVERY

Sometimes, situations occur that make it necessary to recover a router's password. Two of the most common such situations are:

• A password is forgotten, and a record of it cannot be found

• A router is bought used, and it came with passwords on it

Password recovery naturally involves somehow getting into the router's configuration file to find the lost password, change it, or erase the entire configuration file and reconfigure the router from scratch.

The trouble is that the configuration file sits inside the Privileged EXEC (enable mode) level of IOS, which itself is password-protected. For that reason, recovering a password means getting to the unconfigured version of the IOS software. This is why password recovery procedures are so involved.

There are several procedures for recovering passwords from Cisco routers, depending on whether a Line or Enable password was lost, the model of router hardware, and the version of IOS software. All the procedures involve resetting settings that tell the router how to boot. Older Cisco routers use physical hardware jumpers, so you need to go inside the router box to reset them. Newer Cisco routers have "soft jumpers," called configuration registers, where settings can be changed. An example configuration register setting is 0x2102. The first four bits (0–3) are the ones that select the boot mode:

• When the four bits are 0000 (0), it indicates the router will enter rommon>> mode upon reboot.

• When the four bits are 0001 (1), it means the router will boot from the IOS system stored in ROM.

• When the four bits are 0010 (2) through 1111 (F), it indicates the router will look to the configuration file in NVRAM to find which IOS system image to boot from.

Recovering Enable Passwords

Two procedures are used to recover Enable passwords (Enable and Enable Secret). The one to use depends on the router model, and sometimes on the CPU or IOS software version the router runs on. If you don't find what you need here, a quick search of the Cisco Web site for the term "password recovery" should help you find a specific procedure.

To recover a password, you must get to the rommon>> prompt to recover Enable or Enable Secret passwords, and the test-system>> prompt to recover a Line password. This is done by sending a Break signal from the console terminal to the router to interrupt the normal boot process.

Getting to the rommon> Prompt

For either of the two procedures to recover Enable/Enable Secret passwords, the first part-getting to the rommon> prompt level of IOS-is the same:

1. Attach a terminal, or a PC running terminal emulation software, to the router's console port using these settings:

   • 9600 baud rate

   • No parity

   • 1 stop bit

   • No flow control

2. Go to the > prompt, and type the show version command. (Remember, you lost either the Enable or Enable Secret password, which only locks you out of enable mode, not out of the IOS entirely.)

    TN3270 Emulation software. 2 FastEthernet/IEEE 802.3 interface(s) 4 Serial network interface(s) 128K bytes of non-volatile configuration memory. 4096K bytes of processor board System flash (Read/Write) 4096K bytes of processor board Boot flash (Read/Write) Configuration register is 0x2102 

3. The last line of the show version display is the configuration register. The factory default setting is usually 0x2102; sometimes it is 0x102. Write down the settings in your router for later use.

4. Reboot the router by turning off the power and then turning it back on.

5. Press the Break key on the terminal (or combination of keys required to send Break from your terminal emulator) within 60 seconds of having turned the router back on.

6. The rommon> prompt-without the router's name showing-should appear.

Now that you've gotten to the rommon> prompt, the battle of password recovery is half won. From this point on, the router model will determine what you need to do to recover the password (in some cases, the IOS version and CPU also come into play). From here, there are two ways that the password recovery process can proceed. Again, check for your router's model at http://www.cisco.com. It'll tell you which procedure your particular model uses. Most often, you'll be following procedure 2.

Enable Password Recovery Procedure 1 If your router model requires that you follow procedure 1 for password recovery, follow these steps:

1. Type o/r 0x2142, and then press Enter at the > prompt. This loads from flash memory without loading the router's configuration file.

2. Type i at the prompt, and then press ENTER.

3. You will be asked a series of setup questions. Answer no to each question, or press CTRL -C to skip this sequence altogether.

4. At the Router> prompt, type enable.

5. Type configure memory or copy startup-config running-config. This copies the NVRAM into memory.

6. Type write terminal or show running-config. These commands show the router's configuration. This will show that all the interfaces are currently shut down. Additionally, you will see the passwords, either encrypted or unencrypted. Unencrypted passwords can be reused, while encrypted passwords must be changed with a new password.

7. Type configure terminal and make any desired changes. Now, the prompt will be hostname(config)#.

8. To change a given password, type enable secret <password> to change the enable secret password, for instance.

9. On each interface, type the no shutdown command.

10. Type config-register 0x2102 (or whatever value you wrote down in step 2).

11. Press Ctrl-Z or End to exit configuration mode. The prompt should now be hostname#.

12. Type write memory or copy running-config startup-config to save your changes.

13. Type Reload to restart the router with the Cisco IOS software booting from flash memory.

Enable Password Recovery Procedure 2 Use this procedure for routers that must use password recovery procedure 2.

1. Type the confreg 0x2142 command at the rommon> prompt. (Note that confreg is not a mistyping of config. It stands for configuration register). When the "Do you wish to change configuration?" prompt appears, answer yes.

2. Type reset at the rommon 2> prompt. The router will reboot, but ignore the saved configuration.

3. A number of setup questions will appear. Type no for each one. Alternatively, you can press Ctrl-C to skip the initial setup sequence.

4. Type enable at the Router> prompt. This will put you into the enable mode, and you'll see the Router# prompt.

5. Type configure memory or copy startup-config running config. This copies the nonvolatile RAM into memory.

6. Type write terminal or show running-config. These commands show the router's configuration, and will show that all the interfaces are currently shut down. Additionally, you will see the passwords, either encrypted or unencrypted. Unencrypted passwords can be reused; encrypted passwords must be changed with a new password.

7. Type configure terminal and make any desired changes. Now, the prompt will be hostname(config)#.

8. To change a given password, type enable secret <password> to change the enable secret password, for instance.

9. On each interface, type the no shutdown command.

10. Type config-register 0x2102 (or whatever the previously noted configuration register value was).

11. Press Ctrl-Z or End to exit configuration mode. The prompt should now be host name#.

12. Type write memory or copy running-config startup-config to save your changes.

13. Type Reload to restart the router with the Cisco IOS software booting from flash memory.

Recovering a Line Password

The router must be forced into factory diagnostic mode in order to recover a lost Line password. Refer to the hardware installation/maintenance publication for the router product for specific information on configuring the processor configuration register for factory diagnostic mode. Table 4-5 summarizes the hardware or software settings required by the various products to boot into factory diagnostic mode.

Once the router has been forced into factory diagnostic mode, follow these steps:

1. Type yes when asked if you want to set the manufacturer's addresses. The test-system> prompt appears.

2. Type the enable command to get the test-system> enable prompt.

3. Type config term, and then show startup-config. You should now be looking at the system configuration file. Find the password and write it down. Do not attempt to change the password.

4. Restart the router.

5. Use the recovered Line password (the one you wrote down) to log into the router.

Recovering Passwords from Older Cisco Routers

To recover passwords from legacy Cisco routers, it is necessary to change the configuration register setting using a hardware jumper switch. Those procedures are not covered here. Refer to http://www.cisco.com. to find password recovery procedures for legacy products listed in Table 4-6.