How To: Password Recovery for Cisco Routers
By Michael Govinda
Password recovery has become a necessary procedure for most Administrators and Cisco Instructors teaching the introductory courses such as the CCNA. Recovering the passwords for most Cisco devices via the console port is very simple. However, Cisco has acquired so many other vendors that put the Cisco label on their devices that the procedures for password recovery vary greatly from one Cisco device to another. In addition, the Cisco password recovery procedures have also changed with IOS upgrades.
The purpose of this article is to present a clear and concise approach to password recovery for Cisco 2600 and 2811 routers. It describes how to recover the enable password and the enable secret passwords. These passwords protect access to privileged EXEC and configuration modes. The enable password can be recovered, but the enable secret password is encrypted and must be replaced with a new password. Use the steps outlined below to recover your password:
- Attach a PC to the console port of the router. Ensure that you have a terminal emulation program running on your PC. HyperTerminal is a good example of a terminal emulation program. Use the following terminal settings:
  - 9600 baud rate;
  - No parity;
  - 8 data bits;
  - 1 stop bit;
  - No flow control.
- Power the router off and then back on.
- Press Break on the terminal keyboard within 60 seconds of power-up in order to put the router into ROMMON. This is usually achieved by holding down the CTRL and Break keys simultaneously.
- Type confreg 0x2142 at the rommon1> prompt in order to boot from Flash. This step bypasses the startup configuration where the passwords are stored.
- Type reset at the rommon2> prompt. The router reboots, but ignores the saved configuration.
- Type no after each setup question.
- Type enable at the Router> prompt.
- Type configure terminal. The Router(config)# prompt appears.
- Type enable secret to change the enable secret password. For example: Router(config)#enable secret
- Type config-register. For example: Router(config)#config-register 0x2102
- Press Ctrl-z or type end in order to leave the configuration mode. The Router# prompt appears.
- Type copy running-config startup-config to save the changes.
A Final Precautionary Word
Cisco advises that, “Physical access to a computer or router usually gives a sophisticated user complete control over the device. Software security measures can often be circumvented when access to the hardware is not controlled.”
For this reason, while password recovery may be a useful procedure for getting you back into your router, it can also be extremely dangerous and damaging if it is performed by someone who is not authorized to configure your router. An unauthorized person can and will execute the same procedure outlined above, and then take control of your router and possibly the rest of your network.
Ensure that console access to your router and other devices is restricted to authorized personnel only. In addition, you should regularly perform accounting, auditing and logging on all routers.
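One audit check that follows from the procedure above, as an added example that is not part of the original article: the script reads the "Configuration register is ..." line of show version output and flags routers that booted, or will next boot, with bit 6 (0x0040) set, which is the only difference between 0x2142 and 0x2102. The hostnames and the trimmed show version text are constructed sample data.

```python
import re

IGNORE_STARTUP = 0x0040  # bit 6: set in 0x2142, clear in 0x2102
EXPECTED = 0x2102        # value the article restores in its last steps

# "show version" prints this line; the parenthesised part appears only
# when config-register has been changed since the last boot.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def audit_confreg(host, show_version):
    """Return findings for one router's 'show version' text."""
    m = CONFREG_RE.search(show_version)
    if m is None:
        return [f"{host}: configuration register line not found"]
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if current & IGNORE_STARTUP:
        findings.append(f"{host}: booted with {current:#06x}, "
                        "startup configuration and its passwords were bypassed")
    if pending & IGNORE_STARTUP:
        findings.append(f"{host}: next reload uses {pending:#06x}, "
                        "startup configuration will be ignored")
    elif pending != EXPECTED:
        findings.append(f"{host}: next reload uses {pending:#06x}, "
                        f"expected {EXPECTED:#06x}")
    return findings

def audit_all(outputs):
    """Map each hostname to its list of findings."""
    return {host: audit_confreg(host, text) for host, text in outputs.items()}

# Constructed sample data: hypothetical hostnames, trimmed 'show version' text.
SAMPLES = {
    "rtr-a": "Configuration register is 0x2102\n",
    "rtr-b": "Configuration register is 0x2142\n",
    "rtr-c": "Configuration register is 0x2142 (will be 0x2102 at next reload)\n",
    "rtr-d": "Configuration register is 0x2102 (will be 0x2142 at next reload)\n",
    "rtr-e": "Configuration register is 0x2100\n",
}

if __name__ == "__main__":
    for host, findings in audit_all(SAMPLES).items():
        for line in findings or [f"{host}: ok"]:
            print(line)
```

A router in the rtr-c state has been through the recovery steps but not yet reloaded, so a finding there is worth matching against a change record.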