1
00:00:00,420 --> 00:00:07,200
A password recovery requires two things: you need to be able to power cycle the device. I'm going

2
00:00:07,200 --> 00:00:12,600
to be using an APC to do this so that I can power cycle the device remotely.

3
00:00:13,380 --> 00:00:18,000
I'm also connected to the console of this router via a terminal server.

4
00:00:18,750 --> 00:00:27,240
So I'm telnetting to a server and then accessing the console of this router through the terminal

5
00:00:27,240 --> 00:00:27,720
server.

6
00:00:28,680 --> 00:00:35,030
In the real world, you may have to physically walk to the router and plug your laptop into the console

7
00:00:35,040 --> 00:00:36,780
and then power cycle the device,

8
00:00:37,680 --> 00:00:43,110
or if you've got access to an APC and a terminal server that's giving you out-of-band console access

9
00:00:43,110 --> 00:00:45,110
to the device, you can do what I'm doing here.

10
00:00:45,570 --> 00:00:46,980
The process is the same;

11
00:00:47,520 --> 00:00:56,100
the APC and terminal server only give me the ability to access the console and power cycle the device

12
00:00:56,100 --> 00:00:56,640
remotely.

13
00:00:57,390 --> 00:01:04,050
I'm connected to the console of this router and I'm told that I need to press return to get started.

14
00:01:04,500 --> 00:01:05,670
So I'm in user mode.

15
00:01:06,450 --> 00:01:12,330
I can type show version and we can see that this is a Cisco 1841 router.

16
00:01:12,960 --> 00:01:18,210
We can see that the configuration register is set to 2102;

17
00:01:19,250 --> 00:01:26,000
that is the default value, which means that the router will boot normally and has a console speed

18
00:01:26,000 --> 00:01:34,940
of 9600 bits per second, the startup-config will be used, and we can change the config register if necessary as

19
00:01:34,940 --> 00:01:35,420
follows.

20
00:01:36,080 --> 00:01:41,720
However, when I type enable, let's assume that I don't know what the password is.
21
00:01:45,160 --> 00:01:47,920
So I'm unable to access privileged mode on this router.

22
00:01:48,710 --> 00:01:54,380
Let's assume that the secret password was set and we don't know what that password is anymore.

23
00:01:56,830 --> 00:02:03,700
So what we can do is power cycle the router, so I'm going to set the APC to do an immediate reboot

24
00:02:03,700 --> 00:02:04,390
on the router,

25
00:02:08,539 --> 00:02:13,730
and what we will notice on the router is it's rebooting. I'm going to send a special command, which

26
00:02:13,730 --> 00:02:18,890
is the break, to the router, and notice I am now in ROMMON mode.

27
00:02:19,700 --> 00:02:25,940
So through the APC I remotely rebooted the router rather than physically doing it.

28
00:02:26,930 --> 00:02:36,770
The router has rebooted and I sent a break signal to the router, so you could use your keyboard or your terminal

29
00:02:36,770 --> 00:02:39,620
emulation program to send the break.

30
00:02:40,100 --> 00:02:41,630
In this case, I'm using PuTTY

31
00:02:41,930 --> 00:02:49,100
and I just sent the break command to the router, which meant that it broke the boot process and went into

32
00:02:49,100 --> 00:02:50,060
ROMMON mode.

33
00:02:50,570 --> 00:02:51,950
Question mark shows me options

34
00:02:51,950 --> 00:02:56,210
in ROMMON. You'll notice that this is different to the traditional Cisco

35
00:02:56,210 --> 00:03:01,820
IOS. This is the command that we're looking for, the configuration register utility.

36
00:03:02,930 --> 00:03:06,950
So we're going to set that to confreg 0x2142.

37
00:03:08,820 --> 00:03:15,690
The password procedure I'm using is a little bit different to the 2900 password procedure, but notice

38
00:03:15,690 --> 00:03:17,340
the same command is used.

39
00:03:18,210 --> 00:03:22,950
The Cisco website will give you the details for individual routers.

40
00:03:23,280 --> 00:03:29,060
So as an example, for an 1841 router, the full procedure is shown here.
41
00:03:29,340 --> 00:03:35,520
Just follow the procedure for the relevant device that you want to do a password recovery on.

42
00:03:35,970 --> 00:03:38,880
That includes both routers and switches.

43
00:03:39,370 --> 00:03:44,400
So in a document like this, we have high-end routers and switches and other devices.

44
00:03:45,510 --> 00:03:46,980
So confreg is set,

45
00:03:47,460 --> 00:03:49,980
we are told that we need to reset or power cycle

46
00:03:49,980 --> 00:03:53,370
the device. The command to do that is going to be reset,

47
00:03:56,450 --> 00:04:04,220
and what will happen now is the router will boot normally, but it will bypass the startup configuration

48
00:04:04,760 --> 00:04:14,180
because when setting this value to 4, bit 6 is set, which means ignore NVRAM contents.

49
00:04:15,440 --> 00:04:19,149
So to save you some time, I'm going to speed up the process.

50
00:04:20,279 --> 00:04:27,030
What will happen is when the router boots up, it will bypass the startup configuration and ask us

51
00:04:27,030 --> 00:04:34,500
whether we want to enter the initial startup dialogue, and notice now that the router is prompting us

52
00:04:34,500 --> 00:04:36,650
with the system configuration dialogue.

53
00:04:37,170 --> 00:04:39,230
We don't want to enter that,

54
00:04:39,270 --> 00:04:40,170
so I'm going to say no.

55
00:04:40,770 --> 00:04:42,840
We're told to press return to get started

56
00:04:46,240 --> 00:04:54,430
and notice the name of the router is Router, whereas previously it was called C1841 R1.

57
00:04:55,300 --> 00:05:05,050
So here's the critical piece: enable. I can move to enable mode without a password. show startup-config

58
00:05:05,770 --> 00:05:12,010
shows that there is an enable secret password configured in the startup-config,

59
00:05:12,520 --> 00:05:15,310
and we can see the hostname of the router as an example.

60
00:05:16,060 --> 00:05:19,930
We can see other information such as IP addresses on serial interfaces.
61
00:05:20,470 --> 00:05:27,460
We can see that OSPF was configured as part of the startup-config. In the running config, however,

62
00:05:28,690 --> 00:05:31,740
we don't have the hostname configured,

63
00:05:31,780 --> 00:05:33,730
we don't have a secret password,

64
00:05:34,900 --> 00:05:40,870
we don't have IP addresses on our serial interfaces and we don't have OSPF configured. So to get the

65
00:05:40,870 --> 00:05:45,550
config back, I'm gonna type copy startup-config running-config.

66
00:05:46,690 --> 00:05:49,090
Notice the router name has now changed.

67
00:05:49,930 --> 00:05:50,920
show run

68
00:05:52,670 --> 00:05:53,480
shows us

69
00:05:55,330 --> 00:06:03,910
the IP addresses and OSPF configuration in running config. Now OSPF was complaining that it couldn't allocate

70
00:06:03,910 --> 00:06:09,640
a unique router ID and that's because all interfaces on the router are shut down.

71
00:06:10,820 --> 00:06:19,730
So I'm going to go into serial 0/0/0 and no shut the interface and do that on the other serial

72
00:06:19,730 --> 00:06:24,110
interface, and notice now OSPF is able to allocate

73
00:06:25,020 --> 00:06:32,440
a router ID and then form a neighbor relationship with a neighboring router. So as an example, show ip

74
00:06:33,510 --> 00:06:37,590
ospf neighbor shows us that the neighbor relationship has formed.

75
00:06:38,690 --> 00:06:44,780
Now, it's important to remember that we are now in privileged mode or enable mode, but we don't know

76
00:06:44,780 --> 00:06:46,970
the password. show run

77
00:06:48,910 --> 00:06:54,430
shows us that the secret password is configured, but we don't actually know what that password is.

78
00:06:55,060 --> 00:07:01,810
We moved from user mode to privileged mode without entering a password, and then we copied the startup-

79
00:07:01,930 --> 00:07:03,400
config to running-config.

80
00:07:04,150 --> 00:07:08,210
If we exit privileged mode now, we won't be able to get back in.
81
00:07:08,500 --> 00:07:16,720
So what we need to do is change the password, so change the secret password to something that we know.

82
00:07:17,330 --> 00:07:24,340
So it's really important that when you do the password recovery that you go to privileged mode or enable

83
00:07:24,340 --> 00:07:32,920
mode first and then copy the config from startup-config to running-config and then change the password

84
00:07:33,280 --> 00:07:35,720
and then save your config.

85
00:07:36,130 --> 00:07:43,960
So it's really important that you set the password and that you then save the configuration before continuing.

86
00:07:44,890 --> 00:07:46,120
Now show version

87
00:07:48,310 --> 00:07:56,080
shows us that the configuration register is still 2142. The configuration register setting

88
00:07:56,080 --> 00:07:59,590
is separate to the running and startup config of a router.

89
00:08:00,640 --> 00:08:03,580
So what I'm going to do is save the config right now.

90
00:08:03,760 --> 00:08:07,360
So copy running-config startup-config or write mem.

91
00:08:10,190 --> 00:08:18,230
At the moment, the config register is 0x2142. If I rebooted the router now, it would

92
00:08:18,230 --> 00:08:21,560
end up booting without using the startup-config

93
00:08:21,560 --> 00:08:23,840
again; we don't want to do that.

94
00:08:23,840 --> 00:08:29,180
We want to use the config-register command and set it for normal

95
00:08:29,180 --> 00:08:33,320
boot, so set it to 2102.

96
00:08:35,570 --> 00:08:45,500
Show version: notice it will be this at next reload. I can reload the router without saving the configuration

97
00:08:45,830 --> 00:08:50,980
and it will reboot using the previously saved config.

98
00:08:52,010 --> 00:08:57,880
If you remember, before I made the change, I saved the config.

99
00:08:58,310 --> 00:09:00,770
So that's the configuration that's going to be used.
100
00:09:01,810 --> 00:09:07,660
I don't need to save the configuration again for the configuration register change to be saved; it's

101
00:09:07,660 --> 00:09:14,950
saved independently of the running configuration on the router, so I'll speed up the boot process again.

102
00:09:16,980 --> 00:09:26,310
So notice that we're told to press enter to get started and interfaces come up and the OSPF neighbor relationship

103
00:09:26,820 --> 00:09:33,780
is formed, and that's because the startup-config was applied when the router booted up.

104
00:09:35,290 --> 00:09:41,920
Now, when we type enable, we can log in with the password that we configured, in other words,

105
00:09:41,920 --> 00:09:44,350
the reset secret password.

106
00:09:45,600 --> 00:09:53,430
We can't see that in the output here because it's hashed, but this is the password of Cisco that we configured

107
00:09:53,430 --> 00:09:54,450
the router to use.

108
00:09:55,230 --> 00:09:57,810
So that's an example of how to do password recovery.

109
00:09:58,920 --> 00:10:06,900
Don't forget that on Cisco's website, there are password recovery procedures for various routers that

110
00:10:06,900 --> 00:10:12,080
you may be using in your lab or that you may be using in the real world.

111
00:10:12,630 --> 00:10:18,390
Simply follow the step-by-step procedures to bypass an encrypted password.

112
00:10:18,810 --> 00:10:21,890
This does require physical access.

113
00:10:22,650 --> 00:10:29,250
In other words, you need access to the console to be able to do a password recovery.
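The whole procedure in the video hinges on one bit of the configuration register: 0x2102 boots normally, 0x2142 has bit 6 set and ignores NVRAM, and a router left at 0x2142 after a half-finished recovery will keep coming up with an empty configuration. The following is an added example, not code from the video or from Cisco: a small decoder for the register bit layout (taken from Cisco's published config-register documentation for ISR routers such as the 1841, an assumption stated here rather than something the video shows) plus a check over the last line of `show version`, which IOS prints as `Configuration register is 0x2142 (will be 0x2102 at next reload)`. The sample `show version` lines are constructed for the example.

```python
"""Decode the Cisco IOS configuration register used in password recovery.

Added example; the bit layout below is from Cisco's public config-register
documentation (assumption: ISR-class router such as the 1841). The sample
show version lines are constructed, not captured from a real device.
"""
import re

IGNORE_NVRAM = 0x0040            # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100          # bit 8: ignore break after boot; break is still
                                 # honoured in the first 60 s, which recovery relies on
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000  # bit 13: fall back to ROM image if netboot fails
BOOT_FIELD_MASK = 0x000F         # bits 0-3: boot field

# Console speed is encoded in bits 12, 11 and 5 (Cisco's baud table).
_BAUD_TABLE = {
    (0, 0, 0): 9600,
    (0, 0, 1): 19200,
    (0, 1, 0): 4800,
    (0, 1, 1): 38400,
    (1, 0, 0): 2400,
    (1, 0, 1): 57600,
    (1, 1, 0): 1200,
    (1, 1, 1): 115200,
}


def console_baud(reg: int) -> int:
    """Console line speed selected by bits 12, 11 and 5."""
    key = ((reg >> 12) & 1, (reg >> 11) & 1, (reg >> 5) & 1)
    return _BAUD_TABLE[key]


def boot_field(reg: int) -> int:
    """Low nibble: 0 = stay in ROMMON, 1 = first image in flash, 2-F = normal boot."""
    return reg & BOOT_FIELD_MASK


def decode_confreg(reg: int) -> dict:
    """Break a register value into the fields that matter for recovery."""
    bf = boot_field(reg)
    if bf == 0:
        boot = "stay in ROMMON"
    elif bf == 1:
        boot = "boot first image in flash"
    else:
        boot = "normal boot (boot system commands / flash)"
    return {
        "value": f"0x{reg:04X}",
        "boot_field": bf,
        "boot": boot,
        "ignore_nvram": bool(reg & IGNORE_NVRAM),
        "break_disabled": bool(reg & BREAK_DISABLED),
        "console_baud": console_baud(reg),
    }


def set_ignore_nvram(reg: int) -> int:
    """What `confreg 0x2142` does to 0x2102: set bit 6."""
    return reg | IGNORE_NVRAM


def clear_ignore_nvram(reg: int) -> int:
    """What `config-register 0x2102` does afterwards: clear bit 6 again."""
    return reg & ~IGNORE_NVRAM


# Last line of `show version` on IOS, with the optional "will be ... at next reload".
_CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def audit_show_version(text: str) -> dict:
    """Report the current and next-reload register and flag a bypassed startup-config."""
    m = _CONFREG_RE.search(text)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    nxt = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if decode_confreg(current)["ignore_nvram"]:
        findings.append("running with startup-config bypassed")
    if decode_confreg(nxt)["ignore_nvram"]:
        findings.append("next reload will bypass startup-config")
    return {"current": current, "next": nxt, "findings": findings}


# Constructed sample lines (not captured output).
SAMPLE_MID_RECOVERY = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
SAMPLE_NORMAL = "Configuration register is 0x2102"

if __name__ == "__main__":
    for reg in (0x2102, 0x2142):
        print(decode_confreg(reg))
    print(audit_show_version(SAMPLE_MID_RECOVERY))
    print(audit_show_version(SAMPLE_NORMAL))
```

Run the audit over `show version` output collected from each router after a recovery: a non-empty `findings` list means bit 6 is still set and the next reload will discard the saved configuration. Note that on platforms that support `no service password-recovery`, this ROMMON path is disabled and the only recovery option erases the configuration, so console access alone no longer yields the running config.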