
Lab 5.2.6a Password Recovery Procedures

[Figure: lab topology. Legend: straight-through cable, serial cable, console (rollover) cable, crossover cable]

Objective

- Gain access to a router with an unknown privileged mode (enable) password.

Background/Preparation

This lab demonstrates gaining access to a router with an unknown privileged mode (enable) password. One point to be made here is that anyone with this procedure and access to a console port on a router can change the password and take control of the router. That is why it is of critical importance that routers also have physical security to prevent unauthorized access.

Set up a network as displayed in the figure. Any router that meets the interface requirements may be used. Possible routers include 800, 1600, 1700, 2500, 2600 routers, or a combination. Refer to the chart at the end of the lab to correctly identify the interface identifiers to be used based on the equipment in the lab. The configuration output used in this lab is produced from 1721 series routers. Any other router used may produce slightly different output.

Start a HyperTerminal session as performed in the Establishing a HyperTerminal session lab.

Note: Configure the hostname and passwords on the router. Have an instructor, lab assistant, or other student change the enable secret password. Perform copy running-config startup-config and reload the router.

Note: The version of HyperTerminal provided with Windows 95, 98, NT and 2000 was developed for Microsoft by Hilgraeve. Some versions may not issue a "break" sequence as required for the Cisco router password recovery technique. If this is the case, upgrade to HyperTerminal Private Edition (PE), available free of charge for personal and educational use. The program may be downloaded at http://www.hilgraeve.com.

CCNA 2: Routers and Routing Basics v 3.1 - Lab 5.2.6a. Copyright © 2003, Cisco Systems, Inc.

Step 1 Attempt login to the router


a. Make the necessary console connections and establish a HyperTerminal session with the router. Attempt to log on to the router using the enable password cisco. The output should look like the following:
Router>enable
Password:
Password:
Password:
% Bad secrets

Router>

Step 2 Document the current config-register setting


a. At the user EXEC prompt type show version.
b. Record the value displayed for configuration register. For example 0x2102.

Step 3 Enter the ROM Monitor mode


a. Turn the router off, wait a few seconds and turn it back on. When the router starts displaying "System Bootstrap, Version ..." on the HyperTerminal screen, press the Ctrl key and the Break key together. The router will boot in ROM monitor mode. Depending on the router hardware, one of several prompts such as: "rommon 1 >" or simply ">" may show.

Step 4 Examine the ROM Monitor mode help


a. Type ? at the prompt. The output should be similar to this:

rommon 1 >?
alias      set and display aliases command
boot       boot up an external process
break      set/show/clear the breakpoint
confreg    configuration register utility
context    display the context of a loaded image
dev        list the device table
dir        list files in file system
dis        display instruction stream
help       monitor builtin command help
history    monitor command history
meminfo    main memory information
repeat     repeat a monitor command
reset      system reset
set        display the monitor variables
sysret     print out info from last system return
tftpdnld   tftp image download
xmodem     x/ymodem image download

Step 5 Change the configuration register setting to boot without loading configuration file


a. From the ROM Monitor mode, type confreg 0x2142 to change the config-register.
rommon 2 >confreg 0x2142



Step 6 Restart Router

a. From the ROM Monitor mode, type reset or power cycle the router.
rommon 2 >reset

b. Due to the new configuration register setting, the router will not load the configuration file. The system prompts:
"Would you like to enter the initial configuration dialog? [yes]:"
Enter no and press Enter.

Step 7 Enter Privileged EXEC mode and change password


a. Now at the user mode prompt Router>, type enable and press Enter to go to the privileged mode without a password.
b. Use the command copy startup-config running-config to restore the existing configuration. Since the user is already in privileged EXEC no password is needed.
c. Type configure terminal to enter the global configuration mode.
d. In the global configuration mode type enable secret class to change the secret password.
e. While still in the global configuration mode, type config-register xxxxxxx. XXXXXXX is the original configuration register value recorded in Step 2. Press Enter.
f. Use the Ctrl z combination to return to the privileged EXEC mode.
g. Use the copy running-config startup-config command to save the new configuration.
h. Before restarting the router, verify the new configuration setting. From the privileged EXEC prompt, enter the show version command and press Enter.
i. Verify that the last line of the output reads:
Configuration register is 0x2142 (will be 0x2102 at next reload).
j. Use the reload command to restart the router.

Step 8 Verify new password and configuration


a. When the router reloads the enable password should be class.

Upon completion of the previous steps, log off by typing exit. Turn the router off.
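
Added example, not part of the original Cisco lab: a small Python check that decodes the "Configuration register is ..." line verified in Step 7 and reports when a router is running, or will next reload, with the startup configuration ignored. The function names and sample lines are constructed for illustration; the bit meanings are the standard Cisco configuration register assignments, which the lab itself does not list.

```python
import re

# Configuration register bits relevant to this lab (standard Cisco meanings).
BOOT_FIELD = 0x000F      # bits 0-3: 0 = stay in ROM monitor, 2-F = normal boot
IGNORE_NVRAM = 0x0040    # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100  # bit 8: Break is ignored once the router has booted

LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)

def parse_confreg(show_version: str):
    """Return (current, next_reload) register values from 'show version' text."""
    m = LINE.search(show_version)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    # Without a "(will be ...)" clause the next reload reuses the current value.
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending

def audit(show_version: str):
    """List findings to resolve before the router goes back into service."""
    current, pending = parse_confreg(show_version)
    findings = []
    if current & IGNORE_NVRAM:
        findings.append(f"running with {current:#06x}: startup-config was skipped at boot")
    if pending & IGNORE_NVRAM:
        findings.append(f"next reload uses {pending:#06x}: saved passwords will not load")
    if (pending & BOOT_FIELD) == 0:
        findings.append(f"next reload uses {pending:#06x}: router stops in ROM monitor")
    if not (pending & BREAK_DISABLED):
        findings.append(f"next reload uses {pending:#06x}: Break stays enabled after boot")
    return findings

# Constructed sample lines (not captured from a device).
MID_RECOVERY = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
FORGOTTEN = "Configuration register is 0x2142"  # Step 7e was skipped
NORMAL = "Configuration register is 0x2102"

if __name__ == "__main__":
    for sample in (MID_RECOVERY, FORGOTTEN, NORMAL):
        print(sample, "->", audit(sample) or "ok")
```

A router that still reports 0x2142 with no pending change comes up unconfigured on every reload, which is why Step 7e and the check in Step 7i matter.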
