WEBVTT 0:00:07.400000 --> 0:00:12.920000 This video covers the CCT routing and switching topic of performing password 0:00:12.920000 --> 0:00:18.180000 recovery. My name is Keith Bogart and I will be your instructor for this 0:00:18.180000 --> 0:00:21.480000 video. So what are we going to cover in this video? 0:00:21.480000 --> 0:00:24.400000 What we're going to talk about is, as it says, password recovery. 0:00:24.400000 --> 0:00:27.760000 I'm going to show you how to do that in a Cisco router and in a Cisco 0:00:27.760000 --> 0:00:32.700000 switch. Now keep in mind what we're focusing on here is the CCT exam for 0:00:32.700000 --> 0:00:34.500000 routing and switching. 0:00:34.500000 --> 0:00:37.480000 The reason I emphasize that is because if you're dealing with data center 0:00:37.480000 --> 0:00:42.140000 devices like Nexus switches, password recovery for those is quite different. 0:00:42.140000 --> 0:00:45.420000 But that's not part of what our objective here is, and so we're going 0:00:45.420000 --> 0:00:49.680000 to focus primarily on the Cisco Catalyst LAN switches as well as the 0:00:49.680000 --> 0:00:55.320000 routers. Okay, so what exactly is meant by password recovery? 0:00:55.320000 --> 0:00:59.140000 Password recovery, basically, this means you have forgotten your password, 0:00:59.140000 --> 0:01:02.720000 for example. You get access to a device. 0:01:02.720000 --> 0:01:06.700000 I've conveniently named this locked out router, but notice in this particular 0:01:06.700000 --> 0:01:09.260000 device I'm at the user exec level. 0:01:09.260000 --> 0:01:10.480000 What do you normally do? 0:01:10.480000 --> 0:01:12.800000 First thing you do is you type enable. 0:01:12.800000 --> 0:01:15.060000 Oh, there's a password on here. 0:01:15.060000 --> 0:01:16.020000 Oh man, what is it? 0:01:16.020000 --> 0:01:18.900000 I have no idea. Is it Bob123? 0:01:18.900000 --> 0:01:20.060000 Nope, that's not it. 0:01:20.060000 --> 0:01:23.540000 Is it 111? Nope. Is it 1234? 
0:01:23.540000 --> 0:01:26.480000 Nope. I am locked out of this router. 0:01:26.480000 --> 0:01:29.880000 I don't know the enable password or maybe it's an enable secret. 0:01:29.880000 --> 0:01:32.600000 Whatever it is, I don't know what it is. 0:01:32.600000 --> 0:01:36.460000 So now I'm going to show you what is the procedure to deal with something 0:01:36.460000 --> 0:01:40.160000 like that. So first of all I want to make sure that you're clear on this 0:01:40.160000 --> 0:01:45.380000 term password recovery, and as you're hopefully familiar with, with a little 0:01:45.380000 --> 0:01:48.320000 bit of Cisco knowledge, you know that with Cisco routers and switches you 0:01:48.320000 --> 0:01:52.580000 can have either an enable password or an enable secret. 0:01:52.580000 --> 0:01:55.240000 What's the difference as far as this is concerned? 0:01:55.240000 --> 0:01:59.360000 Well, if I'm in a device and I have forgotten, let's say it has an enable 0:01:59.360000 --> 0:02:03.380000 password configured, which most devices nowadays don't. 0:02:03.380000 --> 0:02:06.860000 Well, there is a benefit to it though if it does have an enable password 0:02:06.860000 --> 0:02:09.560000 configured, because if I go through this series of steps I'm about to show 0:02:09.560000 --> 0:02:13.860000 you right here, I'm going to show you how to recover your actual enable 0:02:13.860000 --> 0:02:17.320000 password to where you can see what it is, because when you issue the show 0:02:17.320000 --> 0:02:22.060000 run command the enable password is there in plain text. 0:02:22.060000 --> 0:02:25.700000 The problem right now is I can't issue the show run command because I 0:02:25.700000 --> 0:02:28.280000 can't get into privileged exec mode. 
0:02:28.280000 --> 0:02:32.120000 I'm going to show you some sort of backdoor method to where you can get 0:02:32.120000 --> 0:02:37.180000 into privileged exec mode. From there, just issue the show run command and 0:02:37.180000 --> 0:02:41.800000 voila, you've got your enable password. Now you have recovered it. 0:02:41.800000 --> 0:02:45.480000 However, most devices these days are configured with an enable secret 0:02:45.480000 --> 0:02:49.960000 because we don't want that enable password showing up in plain text in 0:02:49.960000 --> 0:02:53.260000 our configuration file, and so that's what enable secret is. When you type 0:02:53.260000 --> 0:02:58.720000 in a Cisco router or switch enable secret Cisco 123, or whatever your password 0:02:58.720000 --> 0:03:04.300000 has to be, that password becomes encrypted, so even if you do have access 0:03:04.300000 --> 0:03:09.480000 to the show run, you can't tell what it is. So there's no way to recover 0:03:09.480000 --> 0:03:15.040000 an enable secret. If you forget your enable secret, it's gone. The best thing 0:03:15.040000 --> 0:03:19.260000 you can do is you can get back into the running config of the device and 0:03:19.260000 --> 0:03:22.820000 you can change it to something else, but there's no way to tell what it 0:03:22.820000 --> 0:03:27.660000 previously was. So that's the difference I want to emphasize there. 
0:03:27.660000 --> 0:03:31.000000 Okay, so what do we need to do to actually proceed with this? Well, there's 0:03:31.000000 --> 0:03:36.220000 two primary things. Number one, we have to have physical access to the actual 0:03:36.220000 --> 0:03:41.500000 console port of the router or switch. This procedure cannot be done remotely. 0:03:41.500000 --> 0:03:45.280000 That's probably the hardest part for most people. Somehow you're gonna 0:03:45.280000 --> 0:03:48.960000 have to make your way to the wiring closet or the data center where that 0:03:48.960000 --> 0:03:53.520000 router or switch is, bring your laptop or your terminal or whatever it 0:03:53.520000 --> 0:03:56.900000 is that you use, and you're gonna have to station yourself right there 0:03:56.900000 --> 0:04:00.820000 in front of the router or the switch. And then you're also going to need 0:04:00.820000 --> 0:04:03.700000 some sort of a terminal emulator. You are going to be connecting to the 0:04:03.700000 --> 0:04:08.940000 console port of the router or switch to do this procedure. So we need physical 0:04:08.940000 --> 0:04:12.260000 access to the console port and we need to connect that to a terminal emulator 0:04:12.260000 --> 0:04:18.720000 on our laptop. So let's go ahead and take a look at how we proceed with 0:04:18.720000 --> 0:04:22.480000 this. So I'm going to start with password recovery procedure on a router. 0:04:22.480000 --> 0:04:26.520000 So here you can see I am locked out, and as you can see, when I tried typing 0:04:26.520000 --> 0:04:30.720000 in a password I didn't know what it was. So the main objective behind password 0:04:30.720000 --> 0:04:35.540000 recovery on a router is, number one, we're gonna power cycle the device, 0:04:35.540000 --> 0:04:39.940000 so clearly that's why we have to be in front of it. If I'm at user exec 0:04:39.940000 --> 0:04:43.960000 mode like this, it doesn't take the reboot command or any reset command 0:04:43.960000 --> 0:04:47.780000 or anything else. I have to physically be 
able to power cycle it by pressing 0:04:47.780000 --> 0:04:51.820000 the on and off button or, in the case of a switch, removing the power cable, 0:04:51.820000 --> 0:04:57.440000 plugging it back in again. Now keep in mind, if there were any unsaved changes 0:04:57.440000 --> 0:05:01.160000 in the configuration, in the running config, that were not saved to the 0:05:01.160000 --> 0:05:05.840000 startup config, they will be lost. But at this point, nothing you can do about 0:05:05.840000 --> 0:05:08.880000 that. You don't have access to the running config because you forgot what 0:05:08.880000 --> 0:05:12.840000 the password was or somebody didn't tell you. So just be aware that once 0:05:12.840000 --> 0:05:17.960000 we complete this procedure, the configuration might not match what it previously 0:05:17.960000 --> 0:05:23.180000 was if there were some unsaved changes, but nothing we can do to get around 0:05:23.180000 --> 0:05:28.260000 that. Okay, so we're gonna power cycle the device. Secondly, we're not going 0:05:28.260000 --> 0:05:31.160000 to let it go through the complete boot sequence, because if we power cycle 0:05:31.160000 --> 0:05:34.660000 it and just sit back, it's gonna come right back to this point again, and 0:05:34.660000 --> 0:05:38.540000 this is gonna leave us empty. We can't do anything from here. So the point 0:05:38.540000 --> 0:05:43.360000 is, as it's booting up, we want to break into that boot up process and go 0:05:43.360000 --> 0:05:47.760000 into what's called ROMMON state. Remember from the earlier videos, ROM is 0:05:47.760000 --> 0:05:52.480000 a type of memory, read only memory, and that contains some basic boot up 0:05:52.480000 --> 0:05:57.340000 software packages like the bootstrap image as well as a little diagnostic 0:05:57.340000 --> 0:06:02.840000 and troubleshooting tool called ROM monitor. And so when we reset or reload 0:06:02.840000 --> 0:06:06.300000 the router, we're gonna see that we're gonna break into what's called ROMMON 0:06:06.300000 --> 
0:06:10.200000 state, and it's actually gonna say rommon with a greater than sign after 0:06:10.200000 --> 0:06:15.480000 that. From there, what are we gonna do? Here's what we're gonna do. Our objective 0:06:15.480000 --> 0:06:20.200000 is we need to change the configuration register. Remember the configuration 0:06:20.200000 --> 0:06:23.540000 register that we looked at right here? Do you remember in the configuration 0:06:23.540000 --> 0:06:31.540000 register bit number six? That was a very important bit. So bit number six 0:06:31.540000 --> 0:06:37.420000 normally is set to a zero, which means go into NVRAM and pull up the 0:06:37.420000 --> 0:06:42.060000 startup configuration file. We don't want it to do that. If we let 0:06:42.060000 --> 0:06:45.460000 it pull up the startup configuration file, that's got the password in 0:06:45.460000 --> 0:06:49.520000 it that we don't know what it is. So we want to change the configuration 0:06:49.520000 --> 0:06:54.540000 register while we are in ROMMON state. We want to set that bit to a one 0:06:54.540000 --> 0:06:59.860000 so that when it completes its boot cycle it will ignore that startup 0:06:59.860000 --> 0:07:04.960000 configuration file. We're not deleting it, we're just ignoring it. And so 0:07:04.960000 --> 0:07:08.380000 now when the router powers up the rest of the way, it'll give you the initial 0:07:08.380000 --> 0:07:13.500000 configuration dialogue as if it didn't have a configuration at all. From 0:07:13.500000 --> 0:07:17.380000 that point, what are we gonna do? From that point, we're going to go into 0:07:17.380000 --> 0:07:22.060000 privileged exec mode, because there's no configuration, it's empty. And once 0:07:22.060000 --> 0:07:25.960000 we're in privileged exec mode in that default empty config, then we're going 0:07:25.960000 --> 0:07:32.200000 to import in our old startup config. But because we're in privileged exec 0:07:32.200000 --> 0:07:36.500000 mode, we will stay in privileged exec mode. So that's how we sort 
of circumvented 0:07:36.500000 --> 0:07:41.040000 it, and now once we have imported it in, we can change the password. So let's 0:07:41.040000 --> 0:07:44.380000 go through that process. So remember, we got to change this bit right here. 0:07:44.380000 --> 0:07:50.180000 So I'm going to leave my configuration register as a two, a one, and this 0:07:50.180000 --> 0:07:54.400000 is going to be four because I'm going to set the four bit, two. So 0:07:54.400000 --> 0:08:00.740000 0x2142 is ultimately my objective here, to change the configuration 0:08:00.740000 --> 0:08:05.020000 register so it ignores the startup config. So let's go ahead and do that. 0:08:05.020000 --> 0:08:11.500000 So step number one, I am physically in front of my router, so I have to 0:08:11.500000 --> 0:08:16.020000 turn it off, turn it on, and then once it comes back on I have to send the 0:08:16.020000 --> 0:08:21.000000 break signal to the router. Now, that's sometimes the toughest part: what 0:08:21.000000 --> 0:08:24.860000 is the break signal? The break signal really depends on what kind of terminal 0:08:24.860000 --> 0:08:28.680000 emulator you happen to be running. As you can see, I'm running SecureCRT, 0:08:28.680000 --> 0:08:32.600000 so what I'm going to do is, up here in the upper left, I'll go ahead and 0:08:32.600000 --> 0:08:37.600000 zoom in on this for you. Here it says Edit, and down at the bottom it says 0:08:37.600000 --> 0:08:43.000000 Edit, Send Break. So in SecureCRT, if I do Edit and Send Break while the 0:08:43.000000 --> 0:08:46.580000 router is reloading, it will send the break signal and it will bring it 0:08:46.580000 --> 0:08:50.000000 into ROMMON state. If you're using some other type of terminal emulator, 0:08:50.000000 --> 0:08:53.700000 you might have to play around with some other options. Sometimes it's just 0:08:53.700000 --> 0:08:58.880000 the escape key, sometimes it's F1, uh, there's several different things you 0:08:58.880000 --> 0:09:04.360000 can try, but in this 
particular case Send Break is going to work. All right, 0:09:04.360000 --> 0:09:09.360000 so here I go, I'm going to turn it off. Okay, my router is now off. Now I'm 0:09:09.360000 --> 0:09:14.560000 going to turn it on again. Here it comes, and I'm just going to start sending 0:09:14.560000 --> 0:09:21.080000 that send break sequence. Might have to do it a couple of times. There it 0:09:21.080000 --> 0:09:26.480000 is. So now we are in ROMMON state. Now I just have to change my configuration 0:09:26.480000 --> 0:09:38.360000 register: confreg 0x2142. Okay, now I'm going to type reset. Now I'm just 0:09:38.360000 --> 0:09:42.520000 going to wait a couple of minutes until the device fully comes back up, 0:09:42.520000 --> 0:09:46.720000 after which point we should see the initial configuration dialogue because 0:09:46.720000 --> 0:10:12.220000 it will have bypassed the NVRAM, it will bypass the startup config file. 0:10:12.220000 --> 0:10:16.740000 So okay, so at this point the reloading of the router is almost complete. 0:10:16.740000 --> 0:10:20.800000 Any moment now we should see that it's going to prompt us for the initial 0:10:20.800000 --> 0:10:27.040000 configuration dialogue, indicating that it did indeed bypass the startup 0:10:27.040000 --> 0:10:33.600000 config located in NVRAM. And there we are, now it's asking us for the initial 0:10:33.600000 --> 0:10:41.780000 configuration dialogue, so we say no, I don't want to get into that. Okay, 0:10:41.780000 --> 0:10:49.280000 so now I am in the default or empty config. There we go. So now enable, because 0:10:49.280000 --> 0:10:55.540000 there's no password. Now that I'm here I can say directory NVRAM colon, 0:10:55.540000 --> 0:11:01.520000 and now I'm going to import my startup config back into where I am, so 0:11:01.520000 --> 0:11:18.540000 copy from NVRAM colon startup config to running config. And there we are. 0:11:18.540000 --> 0:11:23.020000 Now notice I have my old configuration back, but look, I was able to bypass 0:11:23.020000 
--> 0:11:28.000000 the enable password. So now the first thing I want to do is go in there, 0:11:28.000000 --> 0:11:41.740000 enable secret, and change it to something I do know, like maybe INE, 0:11:41.740000 --> 0:11:47.460000 because I was able to type it in. So that was the procedure on a Cisco 0:11:47.460000 --> 0:11:54.580000 router. Now what about a lower end Cisco switch? The password recovery procedure 0:11:54.580000 --> 0:11:57.600000 for a Cisco switch, also you have to be physically in front of the device, 0:11:57.600000 --> 0:12:00.500000 but it's a little bit different. We're not going to be changing the configuration 0:12:00.500000 --> 0:12:07.760000 register on a Cisco switch. So on a Cisco switch, like a 3500 or a 3700 0:12:07.760000 --> 0:12:10.980000 series switch, you'll notice that on the front of the switch there's a 0:12:10.980000 --> 0:12:15.680000 button, like you can see right here, called the mode button. And so we need 0:12:15.680000 --> 0:12:19.780000 physical access to both the power cable, so we can pull it out, as well 0:12:19.780000 --> 0:12:24.220000 as this mode button on the front. Now, Cisco's website, what they say that 0:12:24.220000 --> 0:12:29.140000 you should do is, after you plug in the power cable, press and hold that 0:12:29.140000 --> 0:12:34.040000 mode button within 15 seconds of having plugged in the power cable, and 0:12:34.040000 --> 0:12:36.920000 then you hold it. Now here's where there's a little bit of discrepancy between 0:12:36.920000 --> 0:12:40.420000 what they say and what I've actually seen with my own eyeballs. In the documents 0:12:40.420000 --> 0:12:44.780000 it says press and hold that mode button, and after a few seconds the system 0:12:44.780000 --> 0:12:50.960000 LED that we see right here will briefly turn amber in color and then it 0:12:50.960000 --> 0:12:55.720000 will go to a solid green, and then you let go of the mode button. Well, this 0:12:55.720000 --> 0:12:59.040000 is what I've seen. When I press and hold that mode 
button, yes, this does 0:12:59.040000 --> 0:13:04.220000 go amber, but it's for like a tenth of a second. It's almost too fast to 0:13:04.220000 --> 0:13:07.900000 catch it, and I'll show you what that looks like in just a second. Secondly, 0:13:07.900000 --> 0:13:12.440000 after it did go amber, it didn't go solid green. It went back to a blinking 0:13:12.440000 --> 0:13:18.480000 green, it went amber again, went back to a blinking green, and then it completely 0:13:18.480000 --> 0:13:22.120000 went off, and that's when I let go of the mode button. So let me show you. 0:13:22.120000 --> 0:13:25.920000 Um, I can't put the video camera in front of it, but I did capture a video 0:13:25.920000 --> 0:13:32.040000 here that I can show you of what that looks like. So here you can see I'm 0:13:32.040000 --> 0:13:35.320000 removing the power cable from the device. That's step number one. You plug 0:13:35.320000 --> 0:13:40.500000 it back in, and as soon as it comes on, within 15 seconds at the most, you 0:13:40.500000 --> 0:13:46.200000 want to go around, find that mode button, and press and hold it. Now watch 0:13:46.200000 --> 0:13:50.500000 that system LED as it's blinking. It will turn amber, but it will be so 0:13:50.500000 --> 0:13:56.360000 fast you're hardly going to see it at all. So keep watching it. There, do 0:13:56.360000 --> 0:13:59.920000 you see that? There it goes again. See how fast that was? And then that's 0:13:59.920000 --> 0:14:06.280000 it. And once you get to that point, now your switch is in a completely different 0:14:06.280000 --> 0:14:15.780000 state. So now once you've done that, your switch is in this state, the switch 0:14:15.780000 --> 0:14:21.720000 colon, that's the prompt that you get. Okay, so what do we do from this point? 0:14:21.720000 --> 0:14:30.760000 So now we want to type in flash underscore init, and this just takes a 0:14:30.760000 --> 0:14:36.860000 moment. Okay, now we want to look at the contents of flash memory. If you 0:14:36.860000 --> 0:14:40.260000 had not done 
flash underscore init and you just tried to do this command, 0:14:40.260000 --> 0:14:44.180000 you would get nothing, you would get no output whatsoever. So that's why 0:14:44.180000 --> 0:14:48.020000 we had to do flash init, so that directory flash would give us something. 0:14:48.020000 --> 0:14:53.160000 So now what we're going to do, here is our startup config, except it's called 0:14:53.160000 --> 0:14:57.880000 config.text in here. So first what we want to do is we want to rename that: 0:14:57.880000 --> 0:15:06.480000 rename flash colon config.text, and we want to instead call it flash colon 0:15:06.480000 --> 0:15:15.740000 config.text.old. Verify that actually took the new name. Okay, now what we're 0:15:15.740000 --> 0:15:19.600000 going to do is we're going to type the boot command, and now when the switch 0:15:19.600000 --> 0:15:23.340000 boots up it's going to be looking for a startup config file, otherwise 0:15:23.340000 --> 0:15:28.280000 known as config.text, and it's not going to find it because we renamed 0:15:28.280000 --> 0:15:33.620000 that to config.text.old. So when it doesn't find it, it will assume there's 0:15:33.620000 --> 0:15:36.540000 no configuration file, and we're going to follow the exact same procedure. 0:15:36.540000 --> 0:15:41.480000 It will put us into the initial configuration dialog, we'll say no, we'll 0:15:41.480000 --> 0:15:48.480000 then type enable, we will then change config.text.old back to config.text, 0:15:48.480000 --> 0:15:52.980000 and then we will import that into our running config. Very similar procedures 0:15:52.980000 --> 0:15:56.780000 to what we saw on the router. So let's go ahead and start the boot up process 0:15:56.780000 --> 0:16:01.680000 now, and we'll have to wait a couple of minutes for it to complete this 0:16:01.680000 --> 0:16:09.940000 process before we go into the initial configuration dialog. Okay, so the 0:16:09.940000 --> 0:16:13.760000 boot up cycle is just about finished, and just like with the router, any 
0:16:13.760000 --> 0:16:30.200000 moment now we should be prompted for the initial configuration dialog. 0:16:30.200000 --> 0:16:34.860000 And there we have it. So now it did not find its initial configuration, 0:16:34.860000 --> 0:16:39.180000 so we get the configuration dialog. We say no, we don't want that. Just like 0:16:39.180000 --> 0:16:43.620000 on the router, we say enable, but here's where we do one additional step: 0:16:43.620000 --> 0:16:50.700000 directory NVRAM, no, not NVRAM, directory flash, and we want to rename that: 0:16:50.700000 --> 0:16:59.140000 rename flash colon config.text.old, and we want to turn it back into what 0:16:59.140000 --> 0:17:06.920000 it previously was, which was just config.text. And now we want to say copy 0:17:06.920000 --> 0:17:29.480000 from flash colon config.text to the running config. And now we are back 0:17:29.480000 --> 0:17:32.780000 in and we have bypassed that password, so now just like in the router we 0:17:32.780000 --> 0:17:38.340000 can say enable secret and convert it to something that we do know what 0:17:38.340000 --> 0:17:45.600000 it is. And that concludes this video on performing the password recovery