10.3.1.11 Lab – Configure and Verify Password Recovery (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Objectives
Part 1: Configure Basic Device Settings
Part 2: Reboot Router and Enter ROMMON
Part 3: Reset Password and Save New Configuration
Part 4: Verify the Router is Loading Correctly
Background / Scenario
The purpose of this lab is to reset the enable password on a specific Cisco router. The enable password protects access to privileged EXEC and configuration mode on Cisco devices. The enable password can be recovered, but the enable secret password is encrypted and will need to be replaced with a new password.
In order to bypass a password, a user must be familiar with the ROM monitor (ROMMON) mode, as well as the configuration register setting for Cisco routers. ROMMON is basic CLI software stored in ROM that can be used to troubleshoot boot errors and recover a router when an IOS is not found.
In this lab, you will change the configuration register in order to reset the enable password on a Cisco router.
Required Resources
- 1 Router (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
- 1 PC (Windows 7, Vista, or XP with terminal emulation program, such as Tera Term)
- Console cable to connect to the Cisco IOS device via the console port
Part 1: Configure Basic Device Settings
In Part 1, you will set up the network topology and copy the basic configuration into R1. The password is encrypted to setup the scenario of needing to recover from an unknown enabled password.
Step 1: Cable the network as shown in the topology.
Step 2: Initialize and reload the routers as necessary.
Step 3: Configure basic settings on the router.
Instructor note: The encrypted password is NoRecovery123.
a. Console into the router and enter global configuration mode.
b. Copy the following basic configuration and paste it to the running-configuration on the router.
no ip domain-lookup service password-encryption hostname R1 enable secret 5 $1$SBb4$n.EuL28kPTzxMLFiyMLl5/ banner motd # Unauthorized access is strictly prohibited. # line con 0 logging sync end write exit
c. Press Enter and try to enable Privileged Exec mode.
As you can see, access to a Cisco IOS device is very limited if the enable password is unknown. It is important for a network engineer to be able to recover from an unknown enable password issue on a Cisco IOS device.
Part 2: Reboot Router and Enter ROMMON
Step 1: Reboot the router.
a. While still consoled into R1, remove the power cord from the back of R1.
Note: If you are working in a NETLAB pod, ask your instructor how to power cycle the router.
b. From the console session on PC-A, issue a hard break to interrupt the routers normal boot process and enter ROMMON mode.
Note: To issue a hard break in Tera Term, press the Alt and the B keys simultaneously.
Step 2: Reset the configuration register.
a. From the ROMMON prompt, type a ?, then press Enter. This will display a list of available ROMMON commands. Look for the confreg command in this list.
rommon 1 > ? alias set and display aliases command boot boot up an external process break set/show/clear the breakpoint confreg configuration register utility cont continue executing a downloaded image context display the context of a loaded image cookie display contents of motherboard cookie PROM in hex dev list the device table dir list files in file system frame print out a selected stack frame help monitor builtin command help history monitor command history iomemset set IO memory percent meminfo main memory information repeat repeat a monitor command reset system reset rommon-pref Select ROMMON set display the monitor variables showmon display currently selected ROM monitor stack produce a stack trace sync write monitor environment to NVRAM sysret print out info from last system return tftpdnld tftp image download unalias unset an alias unset unset a monitor variable hwpart Read HW resources partition rommon 2 >
Note: The number at the end of the ROMMON prompt will increment by one each time a command is entered.
b. Type confreg 0x2142 and press Enter. Changing the register to Hex 2142 tells the router not to automatically load the startup configuration when booting. The router will need to be rebooted for the configuration register change to take effect.
rommon 2 > confreg 0x2142 You must reset or power cycle for new config to take effect rommon 3 >
c. Issue the reset ROMON command to reboot the router.
rommon 3 > reset System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 2011 by cisco Systems, Inc. Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB CISCO1941/K9 platform with 524288 Kbytes of main memory Main memory is configured to 64/-1(On-board/DIMM0) bit mode with ECC disabled Readonly ROMMON initialized program load complete, entry point: 0x80803000, size: 0x1b340 program load complete, entry point: 0x80803000, size: 0x1b340 IOS Image Load Test ___________________ Digitally Signed Release Software program load complete, entry point: 0x81000000, size: 0x480ce0c Self decompressing the image : ###################################################################################### ###################################################################################### ###################################################################################### ###################################################################################### ###################################################################################### ###################################################################################### ###################################################################################### ###################################################################################### ##################################################### [OK] < output omitted >
d. When asked if you would like to enter the initial configuration dialog, type no and press Enter.
Would you like to enter the initial configuration dialog? [yes/no]: no
e. The router will complete its boot process and display the User Exec prompt. Enter Privileged Exec mode.
Router> enable Router#
Part 3: Reset Password and Save New Configuration
a. While in Privileged Exec mode, copy the startup configuration to the running configuration.
Router# copy startup-config running-config Destination filename [running-config]? 1478 bytes copied in 0.272 secs (5434 bytes/sec) R1#
b. Enter global configuration mode.
c. Reset the enable secret password to cisco.
R1(config)# enable secret cisco
d. Reset the configuration register back to 0x2102 to allow the startup configuration to automatically load the next time the router is rebooted.
R1(config)# config-register 0x2102
e. Exit global configuration mode.
f. Copy the running configuration to the startup configuration.
R1# copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] R1#
You have successfully reset the enable password on a router.
Part 4: Verify the Router is Loading Correctly
Step 1: Reboot R1.
Step 2: Verify that the startup configuration loaded automatically.
Step 3: Enter Privileged Exec mode.
The new enable secret password should be cisco. If you are able to enter Privileged Exec mode, then you have successfully completed this lab.
Reflection
Why is it of critical importance that a router be physically secured to prevent unauthorized access?
__________________________________________________
Because the password recovery procedure is based on a console connection, which requires direct physical access to the device, preventing unauthorized users access to the physical device is an imperative part of an overall security plan.
Device Configs
Router R1
R1#sh run Building configuration... Current configuration : 1488 bytes ! version 15.4 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname R1 ! boot-start-marker boot-end-marker ! enable secret 5 $1$KeL6$8EZ80eEADp2oedOcy5J0L. ! no aaa new-model memory-size iomem 15 ! no ip domain lookup ip cef no ipv6 cef ! multilink bundle-name authenticated ! cts logging verbose ! redundancy ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 no ip address shutdown duplex auto speed auto ! interface GigabitEthernet0/1 no ip address shutdown duplex auto speed auto ! interface Serial0/0/0 no ip address shutdown clock rate 2000000 ! interface Serial0/0/1 no ip address shutdown ! ip forward-protocol nd ! no ip http server no ip http secure-server ! control-plane ! banner motd ^C Unauthorized access is strictly prohibited. ^C ! line con 0 logging synchronous line aux 0 line 2 no activation-character no exec transport preferred none transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 login transport input none ! scheduler allocate 20000 1000 ! end