Skip to content

Password Recovery – Cisco IOS Routers

In this post I want to cover how to recover passwords on a Cisco IOS Router. This is helpful in lab environments as well as production environments. Although this method can be used the correct "legal" way you can also use this method to break into these devices "illegally" if you have physical console access to the device. However to get into it physical power must be turned off first causing a disruption in the environment, let get started!

So I have a router called R2-D2 at ACME Corp, I have been given permission to recover the password and access the device. I have tried some passwords that where written down but all failed. 

R2-D2 con0 is now available 
Press RETURN to get started. 

************************************************************************
*                             LEGAL NOTICE                            *
************************************************************************
*                                                                      *
* You must have explicit permission to access or configure this device.*
* All activities performed on this device are logged, and violations   *
* of this policy may result in criminal prosecution.                   *
*                                                                      *
* This system is for the use of authorized users only. Individuals     *
* using this computer system without authority, or in excess of their *
* authority, are subject to having all of their activities monitored   *
* and recorded by system personnel.                                    *
*                                                                      *
* Anyone using this system expressly consents to such monitoring and   *
* is advised that if such monitoring reveals possible evidence of      *
* criminal activity, system personnel may provide the evidence to law  *
* enforcement officials.                                               *
************************************************************************

User Access Verification

Username: admin
Password: 
% Login invalid

Username: admin
Password: 
% Login invalid
It is after-hours so I can physically power off the device and that's what I need to do next. Immediately I have to press the "break sequence" (which depends on the terminal application you are using. In TeraTerm this sequence is ALT + B) I like to think of this as a BIOS like on a computer, but it is normally called ROMon in Cisco terms or ROM Monitor, notice the prompt? At this prompt you have to type confreg 0x2142 which ignores or bypass the startup-config file. Then type the command "reset" to reload the router which will bypass the statup-config. 
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by Cisco Systems, Inc.

Initializing memory for ECC...
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64-bit mode with ECC enabled

Upgrade ROMMON initialized

PC = 0xbfcd0d54, Cause = 0x2000, Status Reg = 0x3040a803

rommon 1 > confreg 0x2142
!! Comment: Setting configuration register to 0x2142 to bypass the startup configuration.

You must reset or power cycle for new config to take effect

rommon 2 >
Now that the router bypassed its startup-config we have to go into the privilege mode and type the command copy startup-config running-config which will load the startup-config into the running-config. 
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)

--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!

--- Output Omitted ---

Router#copy startup-config running-config
Destination filename [running-config]?
2341 bytes copied in 0.288 secs (8128 bytes/sec)

R2-D2#
Next we change the password to something that we know, I'm changing the login password and the enable secret: 
R2-D2(config)#username admin password $%^cisco
R2-D2(config)#enable secret !!@@cisco
After that we have to change config-register back to the default 0x2102 which will load the startup-config file when reloaded. ``` R2-D2(config)#config-register 0x2102 R2-D2#copy startup-config running-config Destination filename [running-config]? 2341 bytes copied in 0.292 secs (8017 bytes/sec) R2-D2#reload Copy the running-config to save those password changes by using the "copy running-config startup-config command and reload the device one last time to confirm changes. you should be able to access the device and the configuration by using the passwords you just created . :)

I hope this information was helpful some may ask what do those config-resister values do? Well there is some documention on Cisco's website and it goes over the Use of the Configuration Register on All Cisco Routers and if you have other questions comment below!