PASSWORD RECOVERY TECHNIQUES
                                       
   
     _________________________________________________________________
   
  Routers
  
   Technique      Product
   Technique #1   Cisco AGS, Cisco 2000 series, Cisco 2500 series, Cisco
                  3000 series, 680X0-Based 4000 series, Cisco 7000 series
                  running Cisco IOS 10.0 or later in ROMs, IGS series
                  running Cisco IOS 9.1 or later in ROMs
   Technique #2   Cisco 1003, Cisco 4500, IDT Orion-based Cisco 3600,
                  Motorola 860-based Cisco 2600
   Technique #3   IGS routers running software earlier than Cisco IOS 9.1
   Technique #4   CGS, MGS, AGS, AGS+, 70X0 running ROMs earlier than
                  Cisco IOS 10.0
   Technique #5   500-CS Communication Servers
   Technique #6   Cisco 1020
   
  Catalyst Switches
  
   Technique      Product
   Technique #7   Catalyst 1200, Catalyst 5000
   Technique #8   Catalyst 1600
   Technique #9   Catalyst 1800
   Technique #10  Catalyst 2600
   Technique #11  Catalyst 3000
   Technique #12  Catalyst 2900xl
   
   
     _________________________________________________________________
   
Introduction
 

   This document will explain several password recovery techniques for
   Cisco routers and Catalyst switches. You can perform password recovery
   on most of the platforms without changing hardware jumpers, but all
   platforms require the router to be reloaded. Password recovery can
   only be done from the console port physically attached to the router.
   
   There are three ways to restore enable access to a router when the
   password is lost. You can _view_ the password, _change_ the password,
   or _erase_ the configuration and start over as if the box were new.
   
   Each procedure follows these basic steps:
   
    1. Configure the router to boot up without reading the configuration
       memory (NVRAM). This is sometimes called the "test system mode."
       
    2. Reboot the system.
       
    3. Access enable mode (which can be done without a password if you
       are in test system mode).
       
    4. _View_ or _change_ the password, or _erase_ the configuration.
       
    5. Reconfigure the router to boot up and read the NVRAM as it
       normally does.
       
    6. Reboot the system.
       
     _NOTE:_ Some password recovery requires a terminal to issue a BREAK
     signal; you must be familiar with how your terminal or PC terminal
     emulator issues this signal. For example, in ProComm, the keys Alt-B
     will by default generate the BREAK signal, and in Windows Terminal
     you press Break or Ctrl+Break. Windows Terminal also allows you to
     define a function key as BREAK. From the terminal window, select
     Function Keys and define one as BREAK by filling in the characters
     ^$B (Shift 6, Shift 4, and Capital B).
     
   
   
   The following 11 sections contain detailed instructions for specific
   Cisco routers and Catalyst switches. Locate your product in the
   section headings to determine which technique to use.
   
Technique #1
 

  All Cisco AGS, Cisco 2000 Series, Cisco 2500 Series, Cisco 3000 Series,
  680x0-Based Cisco 4000 Series, Cisco 7000 Series Running Cisco IOS 10.0 or
  Later in ROMs, IGS Series Running Cisco IOS 9.1 or Later in ROMs
  
   This technique can be used on the Cisco 7000 and Cisco 7010 only if
   the router has Cisco IOS 10.0 ROMs installed on the RP card. It may be
   booting Flash Cisco IOS 10.0 software, but it needs the actual ROMs on
   the processor card as well.
   
    1. Attach a terminal or PC with terminal emulation to the console
       port of the router.
       
    2. Type _show version_ and record the setting of the configuration
       register. It is usually 0x2102 or 0x102.
       
    3. Power the router down, then up.
       
    4. Press the Break key on the terminal within 60 seconds of the power
       up. You will see the _>_ prompt with no router name. If you don't,
       the terminal is not sending the correct Break signal. In that
       case, check the terminal or terminal emulation setup.
       
    5. Type _o/r 0x42_ at the _>_ prompt to boot from Flash or _o/r 0x41_
       to boot from the boot ROMs. (Note that this is the letter "o," not
       the numeral zero.) If you have Flash and it is intact, 0x42 is the
       best setting. Use 0x41 only if the Flash is erased or not
       installed.
       
     _NOTE:_ If you use 0x41, you can only view or erase the
     configuration. You cannot change the password.
   
       
    6. Type _i_ at the _>_ prompt. The router will reboot but will ignore
       its saved configuration.
       
    7. Answer _no_ to all the setup questions.
       
    8. Type _enable_ at the _Router>_ prompt. You'll be in enable mode
       and see the _Router#_ prompt.
       
    9. Choose one of these three options:
       
          + To _view_ the password type _show config_.
          + To _change_ the password (in case it is encrypted, for
            example), do the following:
              1. Type _config mem_ to copy the NVRAM into memory.
              2. Type _wr term_.
                 
                 If you have _enable secret xxxx_, then:
                 Type _config term_ and make the changes.
                 Type _enable secret <password>_.
                 Press _Ctrl-z_.
                 
                 If you do not, then:
                 Type _enable password <password>_.
                 Press _Ctrl-z_.
                 
              3. Type _write mem_ to commit the changes.
        
            
          + To _erase_ the config, type _write erase_.
   
       
   10. Type _config term_ at the prompt.
       
   11. Type _config-register 0x2102_, or whatever value you recorded in
       step 2.
       
   12. Press _Ctrl-Z_ to quit from the editor.
       
   13. Type _reload_ at the prompt. You do not need to write memory.
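
Added example, not part of the original document: steps 2 and 11 depend on the configuration register being recorded and then restored, and a router left at a value such as 0x42 or 0x2142 keeps ignoring its saved configuration on every reload. The sketch below audits the register line of _show version_ output for that condition. The bit meanings are Cisco's documented register layout rather than anything stated above, and the sample lines are constructed.

```python
import re

# Bit meanings from Cisco's documented configuration-register layout
# (background knowledge, not stated in the document above).
IGNORE_NVRAM = 0x0040    # bit 6: skip the startup configuration in NVRAM
BREAK_DISABLED = 0x0100  # bit 8: Break is ignored once the router has booted
BOOT_FIELD = 0x000F      # bits 0-3: 0 = ROM monitor, 1 = boot ROMs, 2-F = normal
NORMAL = "normal (Flash / boot system commands)"

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def decode(value):
    """Return the recovery-relevant fields of one register value."""
    boot = value & BOOT_FIELD
    if boot == 0:
        source = "ROM monitor"
    elif boot == 1:
        source = "boot ROM image"
    else:
        source = NORMAL
    return {
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_source": source,
    }

def audit_show_version(text):
    """Return findings for the register line in 'show version' output."""
    m = CONFREG_RE.search(text)
    if m is None:
        return ["no configuration register line found"]
    current = int(m.group(1), 16)
    # Without a pending value, the next reload uses the current one.
    at_reload = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if decode(current)["ignore_nvram"]:
        findings.append("running with NVRAM ignored (%#x)" % current)
    if decode(at_reload)["ignore_nvram"]:
        findings.append("next reload will ignore NVRAM (%#x)" % at_reload)
    if decode(at_reload)["boot_source"] != NORMAL:
        findings.append("next reload boots from " + decode(at_reload)["boot_source"])
    return findings

# Constructed sample lines, not captured from a real device.
RESTORED = "Configuration register is 0x42 (will be 0x2102 at next reload)"
FORGOTTEN = "Configuration register is 0x2142"

if __name__ == "__main__":
    for sample in (RESTORED, FORGOTTEN):
        print(sample, "->", audit_show_version(sample))
```

The first sample is a router between steps 11 and 13 (register already set back, reload pending); the second is one where the restore was skipped.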
       
Technique #2
 

  Cisco 1003, Cisco 4500, IDT Orion-Based Cisco 3600, or Motorola 860 Based
  Cisco 2600
  
   
   
    1. Attach a terminal or PC with terminal emulation to the console
       port of the router.
       
    2. Type _show version_ and record the setting of the configuration
       register. It is usually 0x2102 or 0x102.
       
    3. Power the router down, then up.
       
    4. Press the Break key on the terminal within 60 seconds of the
       power-up. Follow the applicable guidelines below, according to
       your platform:
       
       If you have a Cisco 2000 Series, 2500 Series, 3000 Series,
       680x0-based 4000 Series, 7000 Series running Cisco IOS 10.0 or
       later in ROMs, IGS Series running 9.1 or later in ROMs, _OR_ if
       you see the _">" prompt_ after you issue the break key
       sequence, follow these steps:
       
          + At the ">" prompt, type _o/r 0x42_ to boot from Flash, or
            _o/r 0x41_ to boot from the boot ROMs. (Note that this is the
            letter "o", not the numeral zero.) If you have Flash and it
            is intact, 0x42 is the best setting. Use 0x41 only if the
            Flash is erased or not installed.
            
            _Note:_ If you use 0x41, you can only view or erase the
            configuration; you cannot change the password.
            
          + Type _i_ at the ">" prompt. The router will reboot but will
            ignore its saved configuration.
       
       If you have a Cisco 1003, 1004, 3600, 4500, 4700 or IDT
       Orion-based router (72xx, 75xx), _OR_ if you see the
       _"ROMMON>" prompt_ after you issue the break key sequence,
       follow these steps:
       
          + At the "ROMMON>" prompt, type _confreg 0x42_ to boot from
            Flash, or _confreg 0x41_ to boot from the boot ROMs. If you
            have Flash and it is intact, 0x42 is the best setting. Use
            0x41 only if the Flash is erased or not installed.
            
            _Note:_ If you use 0x41, you can only view or erase the
            configuration; you cannot change the password.
            
          + Type _reset_ at the "ROMMON>" prompt, or power cycle your
            router.
   
       
    5. Once the router boots up, answer _no_ to all the Setup questions.
       (If you accidentally type "yes" to a question, press _Ctrl-C_ to
       break out of the initial configuration.)
       
    6. Type _enable_ at the _Router>_ prompt. You'll be in enable mode
       and see the _Router#_ prompt.
       
    7. Choose one of these three options:
       
          + To _view_ the password type _show config_.
            
          + To _change_ the password (in case it is encrypted, for
            example):
              1. Type _config mem_ to copy the NVRAM into memory.
              2. Type _wr term_.
                 
                 If you have _enable secret xxxx_, then:
                 Type _config term_ and make the changes.
                 Type _enable secret <password>_.
                 Press _Ctrl-z_.
                 
                 If you do not, then:
                 Type _enable password <password>_.
                 Press _Ctrl-z_.
                 
              3. Type _write mem_ to commit the changes.
        
            
          + To _erase_ the config, type _write erase_.
            
    8. Type _config term_ at the prompt.
       
    9. Type _config-register 0x2102_ or whatever value you recorded in
       step 2.
       
   10. Press _Ctrl-Z_ to quit from the editor.
       
   11. Type _reload_ at the prompt. You do not need to write memory.
       
Technique #3
 

  IGS Routers Running Software Earlier Than Cisco IOS 9.1
  
   
   
   IGS routers have a bank of DIP switches on the rear panel. If they are
   running software earlier than Cisco IOS 9.1, then these switches are
   used for password recovery.
   
    1. Attach a terminal or PC with terminal emulation to the console
       port of the router.
       
    2. Power the router down.
       
    3. Record the settings of the switches on the rear panel.
       
    4. Set switch 7 ON (or down).
       
    5. Set switches 0-3 OFF (or up).
       
    6. Power the router up. It will boot up to the _>_ prompt.
       
    7. Type _b_ at the _>_ prompt. The router is in test-system mode.
       
    8. Press return until the _Test-System>_ prompt appears.
       
    9. Type _enable_ at the prompt. You'll be in enable mode and see the
       _Test-System#_ prompt.
       
   10. Choose one of these three options:
       
          + To _view_ the password type _show config_.
            
          + To _change_ the password (in case it is encrypted, for
            example):
              1. Type _config mem_ to copy the NVRAM into memory.
              2. Type _wr term_.
                 
                 If you have _enable secret xxxx_, then:
                 Type _config term_ and make the changes.
                 Type _enable secret <password>_.
                 Press _Ctrl-z_.
                 
                 If you do not, then:
                 Type _enable password <password>_.
                 Press _Ctrl-z_.
                 
              3. Type _write mem_ to commit the changes.
        
            
          + To _erase_ the config, type _write erase_.
            
   11. Restore the switch setting to those recorded in step 3.
       
   12. Reboot the router.
       
Technique #4
 

  CGS, MGS, AGS, AGS+, 70x0 Running ROMs Earlier Than Cisco IOS 10.0
  
   
   
    1. Attach a terminal or PC with terminal emulation to the console
       port of the router.
       
    2. Power the router down.
       
    3. Remove the processor card (CSC/2 or CSC/3 or CSC/4 on AGS/CGS/MGS,
       or RP on a 70x0).
       
    4. Change the hardware register from bit position 0 (or 1) to
       position 15.
       
    5. Re-insert the processor card.
       
    6. Power the router up.
       
    7. Press _b_ at the _>_ prompt or _b flash_ if you have Flash memory
       installed.
       
    8. Press return until the _Test-System>_ prompt appears.
       
    9. Type _enable_ at the prompt. You'll be in enable mode and see the
       _Test-System#_ prompt.
       
   10. Choose one of these three options:
       
          + To _view_ the password type _show config_.
          + To _change_ the password (in case it is encrypted, for
            example):
              1. Type _config mem_ to copy the NVRAM into memory.
              2. Type _wr term_.
                 
                 If you have _enable secret xxxx_, then:
                 Type _config term_ and make the changes.
                 Type _enable secret <password>_.
                 Press _Ctrl-z_.
                 
                 If you do not, then:
                 Type _enable password <password>_.
                 Press _Ctrl-z_.
                 
              3. Type _write mem_ to commit the changes.
        
            
          + To _erase_ the config, type _write erase_.
   
       
   11. Power the router down.
       
   12. Remove the processor card and return the jumper on pin 15 to its
       original position.
       
   13. Power the router up.
       
Technique #5
 

  500-CS Communication Servers
  
   The password cannot be recovered from the 500-CS since it does not
   have a console port. Your only option is to erase the configuration.
   
    1. Power the router off by unplugging it.
       
    2. Depress and hold the DEFAULT button on the front of the chassis.
       
    3. Power the router back on.
       
    4. Watch the OK and LAN LEDs. They will blink on, and then off.
       
    5. When they blink off (after about 15 seconds), release the DEFAULT
       button.
       
    6. In about two to ten minutes, the 500-CS will enter setup mode, as
       if it was factory new.
       
    7. Configure the router.
       
   You could also recover a password on a 500 by holding the DEFAULT
   button down for 30-45 seconds. The system will then be in test mode,
   and you can follow the normal procedure for password recovery. See the
   earlier sections for details.
   
Technique #6
 

  Cisco 1020
  
   You must call the Cisco TAC to recover Cisco 1020 passwords. The Cisco
   1020 will issue a password override challenge that can only be
   interpreted by TAC personnel.
   
Technique #7
 

   
   
  Catalyst 1200 and 5000
  
   
   
   To recover a lost password on Catalyst 1200, Catalyst 5000, and all
   concentrators:
    1. You must be on the console.
       
    2. Reboot the device.
       
    3. When you see the password prompt, press Enter (null password for
       30 seconds).
       
    4. Type _Enable_.
       
    5. When you see the password prompt press Enter (null password for 30
       seconds).
       
    6. Change the password.
       
Technique #8
 

   
   
  Catalyst 1600
  
   
   
   To recover a lost password on the Catalyst 1600, you need to push and
   hold the reset button on the switch until the LCD display displays
   "erasing mgmt passwd". If you let go at that point, the switch will
   reset and will come back without a password. This can also be achieved
   from TrueView.
   
Technique #9
 

   
   
  Catalyst 1800
  
   
   
   To recover a lost password on the Catalyst 1800, first look on the
   left side of the Catalyst 1800 switch. There should be two small black
   buttons mounted on a red holding device, located side by side inside
   the left cover. The black button located nearer to the front of the
   switch is the NMI switch.
   
   To do the password recovery, let the box boot up. When the box has
   finished booting up and asks for the password, press the NMI switch
   five times. This will reload the switch and reset the password to its
   default value of "public."
   
Technique #10
 

   
   
  Catalyst 2600
  
   
   
   Press the System Request button to access the System Request Menu, and
   then Clear NVRAM. _This will clear the password, but will also reset
   all configuration parameters to their default values, which means
   losing all options previously configured on the switch._
   
Technique #11
 

   
   
   
   
  Catalyst 3000
  
   
   
    1. Press the sys req button.
       
    2. Move the arrow key to clear NVRAM.
       
    3. Press Return.
       
    4. The box will now reboot, no password required.
       
   
 

Technique #12
 

 

Catalyst 2900XL Password Recovery
 

  1. Unplug the power cord from the back of the switch.
  2. While holding down the "Mode" button, reconnect the power cord to the
     switch. You can release the "Mode" button a second or two after the
     LED above Port 1 x goes off.
  3. Enter the flash_init command.
     The baud rate of the console port has now been reset to 9600; if your
     console stops working, reset its baud rate to 9600 as well.
  4. Enter the load_helper command.
  5. Enter the dir flash: command.
  6. Rename the configuration file, from "config.text" to "config.old", for
     example. Do this by entering the rename flash:config.text
     flash:config.old command.
  7. Boot the system with the boot command.
  8. Enter "N" when prompted to start the Setup program.
  9. Enter "N" when asked if you want to continue with the configuration.
 10. Enter "en" at the switch prompt.
 11. Rename the configuration file with the rename flash:config.old
     flash:config.text command.
 12. Copy the configuration file into memory using the copy flash:config.text
     system:running-config command.
    Press 
 in response to the two confirmation prompts.
 13. The configuration file is now loaded, and you can configure a new
     password normally:

     Enter the config terminal command.
     Enter the enable password [new_password] command.
     Write the running configuration to the configuration file using
     the write mem command.
 

     _________________________________________________________________