By McCube

Dive into Router Password Recovery




Introduction


There is little worse than when you accidentally lock yourself out of your own device because you have forgotten the password.

What can you do to regain access to a device that is crucial to your infrastructure? Basically, you need to trick the device into letting you into a higher privilege level.

While this is an impressive trick, it requires a few things that give it a level of security:

  1. This will involve outage. So, people will notice.

  2. This involves physical presence at the device and cannot be achieved remotely.

The trick here comes with understanding what is known as the "Configuration Register". You can view which "confreg" you are running by issuing the show version command.



McCube-R1# show version
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 

-----[output omitted]-----

Configuration register is 0x2102

McCube-R1# 

So, what is confreg? In short, it is a 16-bit value that holds a series of instructions for the device to follow when booting, such as what the console baud rate should be, when to boot into ROMmon mode, whether break keys should be ignored, etc. (You can see the entire list here.)


A common one to see is "0x2102" (above). This value achieves a few things, but for the sake of keeping this simple we will focus on the one that matters for this lab: it instructs the device to look for content in NVRAM, meaning that if a start-up configuration is present, it is used.

And here lies our problem. Every time we boot, the start-up file will be loaded, and that configuration holds the privileged exec password that we don't know. We need to change this!


Below is a simplistic diagram of how we will achieve this.





Instructions


In this lab (Download lab pack here) we will break into our router and reset the password that we don't know. This will be broken down into the following steps.

  1. Force the device into ROMmon Mode

  2. Change the Configuration Register

  3. Import the start-up configuration

  4. Clean-up


Topology


Activity

Let's get to it.


Part 1 - Force the device into ROMmon Mode


Log on to the router via the PC's console connection. You can access this line with the password "madcon".

However, you cannot gain access to PrivExec mode. You don't know the password. So, we need to boot into ROMmon mode.

Now this part is difficult to simulate in Packet Tracer. Under normal circumstances it involves:

  1. Walking up to the router

  2. Turning it off

  3. Ejecting the Flash card from the device

  4. Turning the device back on.

"Why?" you ask? Because Configuration Register 0x2102 instructs the device that if no IOS image (stored on flash) is present, it should boot into ROMmon (which is like a BIOS for routers). With the flash card not present, the device will boot into ROMmon.


For this lab it is set up so that when the device boots it automatically skips the IOS image and boots up into ROMmon, where we need it.

So simply go to the "physical" tab and turn the router off. Then turn it back on.


Part 2 - Change the Configuration Register


The fun can now begin.

On the PC reopen the terminal emulator and you will see the following prompt.

rommon 1 > 
rommon 1 > 
rommon 1 >

In the real world, it is at this point you would reinsert the Flash card back into the device.

The next step is to change the configuration register so that the start-up configuration file stored in NVRAM is ignored. It is probably good to note at this point that TAB completion has no power here; commands must be typed out in full.

rommon 1 >
rommon 1 > confreg 0x2142
rommon 2 >

Now that the config register is set, we can reboot the device with either the reset or the boot command.

rommon 2 >
rommon 2 > reset
Initializing Hardware ...

If done correctly you should find yourself watching the image decompress, after which you will see the following familiar dialog (answer "no").

Located isr4300-universalk9.16.06.04.SPA.bin
##########################################################################################################################

-----[output omitted]-----

         --- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:  no

** Note - If you see the McCube-R1 prompt, something has gone wrong and you should start the lab again. In the real world you would just repeat the steps: turn off, eject flash, power on.


Part 3 - Import the start-up configuration


At this point we can easily gain PrivExec access.

Router>
Router> enable
Router#

Now that we are at escalated privileges, we import the configuration from start-up into running configuration.

This step is important to get right! Get it wrong and you will erase all your configuration.

Router#
Router# copy startup-config running-config 

Destination filename [running-config]? 

1465 bytes copied in 0.416 secs (3521 bytes/sec)
McCube-R1#
%SYS-5-CONFIG_I: Configured from console by console

McCube-R1#
McCube-R1#

You should notice immediately if it has been successful because your hostname will change.

But more importantly, notice that you are still at PrivExec level! This means we have bypassed the password. Now we can change it.

McCube-R1#
McCube-R1# conf t
McCube-R1(config)# enable secret maden
McCube-R1(config)# end
McCube-R1#

We are almost done; there is just one final and important step.


Part 4 - Clean up

If we left everything as is, should the device reboot, we will be... without a paddle.

The device will boot to ROMmon and the password will revert to one we don't know. Good network admins clean up after themselves.

First, we need to reset the configuration register back to what it was prior to all this.

McCube-R1#
McCube-R1# conf t
McCube-R1(config)# config-register 0x2102
McCube-R1(config)# end
McCube-R1#

Next, we should save the config to make sure our new password is stored. (Be careful though: this is the previous copy command with source and destination reversed.)

McCube-R1#
McCube-R1# copy running-config startup-config 
Destination filename [startup-config]? 
Building configuration...
[OK]
McCube-R1#

Other than verifying, the job is complete.



Other Verifications

There are not many verification commands here, but show version is interesting to look at with regards to the configuration register, to see how it differs from earlier.



McCube-R1#
McCube-R1# show version
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 

-----[output omitted]-----

Configuration register is 0x2142 (will be 0x2102 at next reload)

McCube-R1#
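To tie the confreg explanation above to this verification step, here is an added example (my own code, not from the original post) that decodes the register bits the lab relies on, computes the 0x2102 to 0x2142 change and back, and audits a show version line for a register left in the "ignore NVRAM" state. Bit positions are the documented ones for the 16-bit IOS configuration register; the sample show version text is constructed.

```python
"""Decode a Cisco IOS configuration register and audit 'show version' output.
Added example, not code from the original post. The sample output below is
constructed; bit positions follow the documented 16-bit register layout."""
import re

CONSOLE_BAUD = {0: 9600, 1: 4800, 2: 1200, 3: 2400}   # bits 11-12

def decode_confreg(value):
    """Return the register fields that matter for password recovery."""
    boot_field = value & 0x000F  # 0x0 = stay in ROMmon, 0x1 = first image in
                                 # flash, 0x2-0xF = follow 'boot system' commands
    return {
        "boot_field": boot_field,
        "boots_to_rommon": boot_field == 0x0,
        "ignore_nvram": bool(value & 0x0040),    # bit 6: skip startup-config
        "break_disabled": bool(value & 0x0100),  # bit 8: ignore console break
        "console_baud": CONSOLE_BAUD[(value >> 11) & 0x3],
    }

def recovery_register(value):
    """Set bit 6 so the next boot ignores NVRAM (0x2102 -> 0x2142)."""
    return value | 0x0040

def restore_register(value):
    """Clear bit 6 again once recovery is done (0x2142 -> 0x2102)."""
    return value & 0xFFBF

LINE_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                     r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def audit_show_version(output):
    """Flag register states that point to a recovery or an incomplete clean-up."""
    m = LINE_RE.search(output)
    if not m:
        return ["no 'Configuration register' line found"]
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if decode_confreg(current)["ignore_nvram"]:
        findings.append(f"last boot with {current:#06x} ignored startup-config")
    if decode_confreg(pending)["ignore_nvram"]:
        findings.append(f"next reload with {pending:#06x} will ignore startup-config")
    return findings

# Constructed sample: the state the post shows right after clean-up.
SAMPLE_AFTER_CLEANUP = (
    "Cisco IOS Software [Everest], ISR Software ...\n"
    "Configuration register is 0x2142 (will be 0x2102 at next reload)\n")
```

Run audit_show_version over saved show version output from your routers: a register still reporting 0x2142 with no pending 0x2102 means the device will come up unconfigured on its next reload.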


Can you figure out how I got Packet Tracer to boot straight into ROMmon? Answers in the comments.

