Cisco Password Recovery

This entry shows how to reset the password on a Cisco router. We are doing this on a Cisco 1841. This requires taking the device down, but the configuration will not be lost.

Console Connection
First we need to connect our computer to the console port on the Cisco router using a Cisco console cable or rollover cable. If your computer doesn't have a serial port you will need a USB to DB9 serial adapter. We will be using an adapter made by Plugable. It uses a Prolific chipset, which will allow us to send the break sequence we will need soon.
If you are using Windows you can use a program like PuTTY to make the serial connection. In the *nix world minicom works well.
You will need to specify the COM port to use, such as COM3, and the following settings:
Speed: 9600
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None
Make your connection to the router now.

We will show two ways to get to rommon.
First we will get to rommon by sending the break sequence.
Power cycle the router and press break in your console session as soon as text starts to scroll.
Note: On a Lenovo ThinkPad T430 you press FN + B for break.
You should see this:

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled

Readonly ROMMON initialized
rommon 1 >

If you can't send the break key to get to rommon, you can try removing the flash. First power the router off, then use the black button to pop the compact flash out. Power the router on and it should boot to the rommon prompt. If you removed the compact flash, do not type reset after changing the configuration register; power the router down instead. Once the router is powered off you can insert the compact flash and turn it back on.

Now type confreg 0x2141 followed by reset.

rommon 1 > confreg 0x2141
You must reset or power cycle for new config to take effect.
rommon 2 > reset

The router will now reboot.

Recover Configuration and Reset Password
When it starts back up you should now see:

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:

Choose no. Then enter enable mode and copy the startup configuration to the running configuration. By going into rommon and changing the configuration register, we prevented the router from loading the startup-config, so the router booted with no configuration loaded. That is why we can enter enable mode without the old password and load the startup-config ourselves. At that point the router is up and running with its configuration and we are logged in. We can now set a new password, overwriting the existing one which we don't know. Then we just need to restore the configuration register and save our changes.

Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started! 

Router#copy start run
Destination filename [running-config]?
1430 bytes copied in 2.756 secs (519 bytes/sec)
stupiderror#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
stupiderror(config)#user stupiderror priv 15 secret 0 stupidpass
stupiderror(config)#enable secret 0 stupidpass
stupiderror(config)#config-reg 0x2102
*Feb 21 15:50:23.991: %SYS-5-CONFIG_I: Configured from console by console
stupiderror#wr mem
Building configuration...

At this point the router should be back up and running with a password we now know.
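
Added example (not part of the original post): a Python sketch that decodes the two register values used above and reads the "Configuration register is ..." line from show version to confirm the next boot will load startup-config again. The sample show version lines are constructed and the function names are this example's own.

```python
import re

IGNORE_NVRAM = 0x0040    # bit 6: skip startup-config at boot
BREAK_DISABLED = 0x0100  # bit 8: Break is ignored once the router has booted
SPEED_BITS = 0x1820      # bits 5, 11, 12: console speed; all clear = 9600

def decode_confreg(value):
    """Decode the configuration-register fields this procedure relies on."""
    return {
        "boot_field": value & 0x000F,
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "console_9600": (value & SPEED_BITS) == 0,
    }

# Matches the register line of show version, with or without a pending value.
_REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def next_boot_register(show_version_text):
    """Return the register value that applies at the next reload."""
    m = _REG_LINE.search(show_version_text)
    if not m:
        raise ValueError("no configuration register line found")
    return int(m.group(2) or m.group(1), 16)

def recovery_finished(show_version_text):
    """True when the next boot will load startup-config again."""
    reg = decode_confreg(next_boot_register(show_version_text))
    return not reg["ignores_startup_config"]

# Constructed sample lines, one per stage of the procedure.
STILL_BYPASSED = "Configuration register is 0x2141"
PENDING = "Configuration register is 0x2141 (will be 0x2102 at next reload)"
RESTORED = "Configuration register is 0x2102"

if __name__ == "__main__":
    for label, reg in (("recovery", 0x2141), ("normal", 0x2102)):
        print(label, hex(reg), decode_confreg(reg))
    for line in (STILL_BYPASSED, PENDING, RESTORED):
        print(recovery_finished(line), "<-", line)
```

If the check returns False after wr mem, the register was not restored and the router will come up unconfigured again on its next reload.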
