Cisco Password Recovery Procedures

Posted on 11. January 2011 by fsormok

Contents
  • 1 Cisco Router
    • 1.1 Password Recovery Cisco Router
      • 1.1.1 Cisco 160x Series
      • 1.1.2 Cisco 250x Series
    • 1.2 The Recovery-Procedure
  • 2 Cisco Switches
    • 2.1 Password Recovery Cisco 3500XL
      • 2.1.1 COM Terminal Settings
      • 2.1.2 Booting the switch
      • 2.1.3 Resetting Config
      • 2.1.4 Initial Configuration
    • 2.2 Links

Cisco Router

Password Recovery Cisco Router

Unknown Cisco password and no documentation?

I’ve seen this numerous times. Customers tell you they have a spare Cisco router and ask you to configure it. “Sure, no problem”, you say and think but then their router comes without a console cable, nobody knows any passwords and/or who may have configured it, so that leaves you with only one option: recover.

Recover a Cisco Router

To recover a Cisco router, connect a terminal or PC with terminal emulation serial port such as COM1: to Cisco console (RJ-45) port. Communication parameters are 9600-8-n-1-none.

Right after you turn on your router power send Break (real DEC VT terminal emulations have F5 for that).

Depending on the Cisco model a simple prompt shows up.

Cisco 160x Series

 
User break detected at location 0x2006718
rommon 1 > confreg 0x2142
rommon 2 > i

Cisco 250x Series

 
Abort at 0x3171892 (PC)
>o/r 0x2142
>i

This will tell your Cisco to ignore its startup-config file from now on and then reboots.

The Recovery-Procedure

After reboot, now without any configuration, type:

> enable 	  	enable mode
# erase startup-config erase old configuration including passwords
# configure terminal 	prepare changes for register value
# config register 0x2102 recover original register value
# exit 	  	return to command mode
# reload 	  	do not save changes if any

Yes, it is that easy. 😉

Cisco Switches

Password Recovery Cisco 3500XL

COM Terminal Settings

Make sure your terminal program is running with the following characteristics.

9600 baud
Data bits set to 8
No parity
1 stop bit
No parity
Flow control off

Connect the console cable from the back of your computer to the console port on your switch.

Booting the switch
  • Hold down the mode button located on the left side of the front panel, while reconnecting the power cable to the switch.
  • Release the mode button after the LED above Port 1x goes out.

Resetting Config
  • Issue the flash_init command.
switch: flash_init
Initializing Flash...
flashfs[0]: 166 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 3136512
flashfs[0]: Bytes available: 476160
flashfs[0]: flashfs fsck took 5 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
switch:
  • Issue the load_helper command.
switch: load_helper
switch:
  • Issue the dir flash: command.
switch: dir flash:
Directory of flash:/

2    -rwx  1751538   <date>               c3500XL-c3h2s-mz.120-5.4.WC.1.bin
3    -rwx  94375     <date>               c3500XL-diag-mz-120-5.3.WC.1
4    drwx  10176     <date>               html
5    -rwx  272       <date>               env_vars
6    -rwx  111       <date>               info
167  -rwx  840       <date>               vlan.dat
166  -rwx  111       <date>               info.ver
168  -rwx  2268      <date>               config.text

476160 bytes available (3136512 bytes used)
switch:
  • Type rename flash:config.text flash:config.old to rename the configuration file.
switch: rename flash:config.text flash:config.old
switch:
  • Issue the boot command to boot the system.
switch: boot
  • Say Yes to the System Configuration Dialog
         --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Continue with configuration dialog? [yes/no]: y

Initial Configuration

 
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco3500XL
!
enable secret 5 $1$VkuM$uHaZZqZdfbhRXYEInBDmLd1
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
 ip address 10.150.0.152 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 10.150.0.253
snmp-server engineID local 0000000902000007500D2D00
snmp-server community private RW
snmp-server community public RO
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password XXXXXXXX
 login
line vty 5 15
 password XXXXXXXX
 login
!
end

Links

Password Recovery Procedure for the Catalyst Layer 2 Fixed Configuration and 3550 Series Switches

This entry was posted in Security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.