by joe elkins password recovery for cisco routers (aka breaking a cisco router)
TRANSCRIPT
by
Joe Elkins
Password Recovery for Cisco Routers
(aka Breaking a Cisco Router)
Copyright, University of Tulsa, 2002
Overview
• Equipment Requirements• Router Memory• Password Recovery
Sequence
Copyright, University of Tulsa, 2002
Equipment Equipment RequirementsRequirements
• PC with a DB9 or DB25 serial port• Rollover cable• DB9/DB25 to RJ45 converter• Windows with HyperTerminal
installed (Use HyperTerminal PE)
Copyright, University of Tulsa, 2002
Router MemoryRouter Memory
• Cisco Routers use three main memory types-Flash-NVRAM-DRAM
Copyright, University of Tulsa, 2002
Router MemoryRouter MemoryFLASHFLASH
• FLASH Memory-Contains the IOS-New routers have IOS images that are zipped-Can contain multiple images if the module is large enough.-Router(config)#boot system flash IOS_filename
Copyright, University of Tulsa, 2002
Router MemoryRouter MemoryNVRAMNVRAM
• Non-Volatile Random Access Memory-Stores the start-up config file-Stores register settings-Stores boot system commands
Copyright, University of Tulsa, 2002
Router MemoryRouter MemoryDRAMDRAM
• DRAM-Known as working memory-Stores working IOS image-Stores working config file called running-config-Stores routing table, ARP tables, NAT tables, DHCP, etc.
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery SequenceSequence
1. Physical access2. Reset router3. Break start-up sequence4. Change register setting5. Reset router6. Enter privileged mode7. Copy start-up to running config8. Enter global config mode9. Change passwords10. Copy running config to start-up11. Change registers back12. Done
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
SequenceSequence Physical Physical AccessAccess
MUST HAVE PHYSICAL ACCESS!!!
Copyright, University of Tulsa, 2002
• If you have physical access you own the router.
• Switches are the same, but have different recovery process
-Some switches just reset, and it asks if you want to keep current password!!!!!
• Connect rollover cable
Password Password Recovery Recovery
SequenceSequence Physical Physical AccessAccess
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
SequenceSequence Physical Physical AccessAccess
• Set-up HyperTerminal– Name your
session– Select
COM1/COM2– Set Properties
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
SequenceSequence Reset Reset RouterRouter
• Reset Router• reload (EXEC mode)• reset (rommon mode)• Cycle power
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
Sequence Sequence Break Start-Break Start-upup
• 60 second time frame to break• Use Ctrl+Break• Puts router in rommon> mode
– ROM monitor– aka RXBoot– Known as programmer’s mode
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
Sequence Sequence Change Change RegistersRegisters
• At rommon1>– Type confreg 0x42– Type reset
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
Sequence Sequence Privileged Privileged ModeMode
• When the router reboots will be at Router> mode.
• Router> mode is the default empty config – No passwords, or anything else– Already in User EXEC mode– Type enable to gain privileged
mode– Router #
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
Sequence Sequence copy start copy start runrun
• At Router#– Type copy start run– This copies the start-up config,
which holds all the passwords, interface configs, routing info, ACLs, etc.
– The router should now regain functionality
– Now ready to change passwords
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
Sequence Sequence Enable modeEnable mode
• At router#– Type config terminal (config t)– Now in global mode – Router(config)#– Global mode means any commands
issued affect the router as a whole, not a specific aspect of the router
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
Sequence Sequence Change Change
PasswordsPasswords
• At Router(config)#
– Type enable secret (password)
– This changes the EXEC privilege password
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
Sequence Sequence Change Change
PasswordsPasswords
• The router will generally have two more passwords: User EXEC & VTY
• To change the User EXEC for the console – From the current prompt type: – line con 0 (the console port)– Router (config-line)#– Type password (password)
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
Sequence Sequence Change Change
PasswordsPasswords• To change the VTY User EXEC:
– Type line vty 0 4– vty 0 4 refers to the 5 telnet connections
the router will accept– Router (config-line)#– Type password (password)– The router can have different passwords
for the console and VTY User EXEC modes– When you exit your session, and then try
to start a new session your new passwords will be in effect, but they are not saved in the NVRAM start-up config. So….
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
Sequence Sequence copy run copy run startstart
• At Router (config-line)#– Type Ctrl +Z to return to privilege mode– Type copy run start– This copies the running config, which
holds the new passwords, to the start-up config in NVRAM.
– Now if the router should be reloaded your new passwords will be in the start-up config.
– There is one problem…if the router reloads now, it will load back to rommon> mode.
Copyright, University of Tulsa, 2002
Password Password Recovery Recovery
Sequence Sequence Change Registers Change Registers BackBack
• Now change your registers back to the original setting of 0x2102.
• At Router#– Type config t to return to global config
mode– Type config-reg 0x2102– The 02 tells the router to load the config
file from NVRAM and load IOS from FLASH– Type Ctrl + Z , then exit to exit your
session.
Copyright, University of Tulsa, 2002
QUESTIONSQUESTIONS
??????????????????????????????