Monday, September 14, 2009

Password Recovery on a Cisco Router

In this post I'll demonstrate how to perform password recovery on a Cisco router, and I'll also show you how to prevent password recovery.

Password recovery might be necessary for legtimate needs or it could be used by an attacker for nefarious purposes such as to gain access to router or switch configurations. Physical access is required for password recovery so if your routers (or switches) are in an accessible area and cannot be physically secured you may want to use the command listed below for preventing password recovery (if your router supports it that is).

Password Recovery

The process is quite simple.

  • Enter ROMMON mode and change the configuration register to bypass the startup-configuration (0x2142) & restart the router.
  • Log into the router which now has no configuration and copy the startup-config to running-config.
  • Change the enable password, any user passwords or anything else that needs changing.
  • Set the configuration register to boot back from the startup-config (0x2102).
  • Save the running-config back to startup-config and reload.
  • Access the router with your updated credentials.

So here's how this sort of looks on the router. I've cut some of the router output to save on text but it's pretty easy to follow.

To start with I connect up to the console port and reboot the router. During the very first part of boot up I press Ctrl+Break. This brings me to ROM monitor mode.

System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
TAC Support:
Copyright (c) 2002 by cisco Systems, Inc.
C800/SOHO series (Board ID: 29-129) platform with 49152 Kbytes of main memory

rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset

Cisco C831 (MPC857DSL) processor (revision 0x300) with 44237K/4915K bytes of memory.
Processor board ID AMB07430HLJ (3718955443), with hardware revision 0000
Chassis serial number AMB07430HLJ
CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM.
16384K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

Router#copy startup-config running-config
Destination filename [running-config]?

1477 bytes copied in 2.252 secs (656 bytes/sec)

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#username syn password letmein
R1(config)#enable secret letmein
R1(config)#config-register 0x2102
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
Proceed with reload? [confirm]

User Access Verification
Username: syn

So we can see that I was able to log in and access privileged mode with my new credentials.

Password Recovery Prevention

Okay, so how do we prevent this password recovery business? Before using this method you should be warned (and IOS will warn you!) that if you forget the password you cannot recovery the password in any way and you will have to go to Cisco with your tail between your legs! So only use this if absolutely necessary and use with caution.

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no service password-recovery

What IOS is basically doing after setting this option is enabling ROMMON security which prevents you going into ROMMON mode and telling the router to bypass the Startup-config.

ROMMON security can be turned off from with IOS by issuing the following:

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#service password-recovery

Useful Links
Cisco Password Recovery
Cisco ROMMON Security

No comments: