Cisco Password Recovery

“Physical access to a computer or router usually gives a sophisticated user complete control over the device.
Software security measures can often be circumvented when access to the hardware is not controlled.”
– Cisco Systems, Inc.

Recovering the passwords for most Cisco devices via the console port is very simple. However, Cisco has purchased so many other manufacturers and put the Cisco label on their devices that the procedures for password recovery vary greatly from one Cisco device to another. In addition, the Cisco password recovery procedures have also changed with IOS upgrades. I have attempted to make these password recovery instructions as generic as possible, to account for past and future oddities that you may run into.

These Cisco password recovery instructions will enable you to recover from a lost password on most Cisco devices. Unless otherwise stated, the instructions below refer to the 2000, 2500, 3000, 4000, 7000 and IGS series routers.

Part I: The Configuration Register

To begin password recovery, connect a terminal or a computer running terminal emulation software to the console port of the Cisco device. Set your terminal to 9600 bps, eight data bits, no parity, and two stop bits.

Some Cisco devices, such as the AccessPro Card, prefer 9600 bps, eight data bits, no parity, and one stop bit.

Power cycle the Cisco device.

Within 60 seconds of turning on the Cisco device, send a BREAK signal from your terminal or terminal emulation software. If you are using:

  • Telix, press <CONTROL-END>
  • Procomm, press <ALT-B>
  • Hyperterminal, press <CONTROL-PAUSE>

If the cable you are using to connect to the Cisco device is good and you are sending a break signal correctly, you will be rewarded with a ‘>’ prompt. This is not an IOS prompt. This is the ROM monitor prompt.

Note: The Cisco 1003, 1600, 2600, 3600, 4500, 7200, 7500, 12000, AS5200, AS5300, uBR7246 and IDT Orion-Based routers use “rommon” as the ROM monitor prompt.

Note: The Cisco 3800 ERM uses “3800-ERM(boot)>” as the boot monitor prompt. You can enter privileged mode directly from the 3800 ERM boot monitor, at which point the prompt changes to “3800-ERM(boot)#”.

Look at the configuration register using the command `e/s 2000002`. Write down the value of the configuration register. Use the `Q` command to return to the ROM monitor prompt.

Note: If you can login to the device, you can view the configuration register simply by using the command `show version`. Some Cisco devices do not require passwords to login from the console port.

Note: The Cisco 1003, 1600, 2600, 3600, 4500, 7200, 7500, 12000, AS5200, AS5300, uBR7246 and IDT Orion-Based routers use the `confreg` or `config-register` command to enter the configuration register utility. You will be asked a series of questions. Answer yes to “Do you wish to change the configuration[y/n]?”, “ignore system config info[y/n]?”, and “change boot characteristics[y/n]?”. Answer no to all of the other questions. At the “enter to boot:” prompt enter `2` and press return. Answer no to the question “Do you wish to change the configuration[y/n]?” the second time you see it.

Set the configuration register. Enter the command `o/r0x42` to cause the device to boot from the flash ROMs. If the flash ROMs are corrupted, you can use the command `o/r0x41` to cause the device to boot from the boot ROMs.

Note: Some older Cisco devices, such as CGS, MGS, AGS, AGS+ and early 7000 routers require you to change the configuration register by moving hardware jumpers. On many of these devices the jumpers are on the CSC processor card and must be changed by removing jumper eight and placing it in position fifteen.

Early Cisco IGS routers use DIP switches to set the configuration register. On the IGS, you will need to set switches 0-3 OFF/UP and switch 7 ON/DOWN.

Part II: Modifying The Configuration

Power cycle the device.

Answer `No` to all of the setup questions.

At the “Router>” prompt, use the `enable` command to enter privileged mode. Your prompt will change to “Router#”.

Use the `show startup-config` command to view the device's configuration file. Look for the passwords. If the passwords are not encrypted, note the passwords and reboot the device. If the passwords are encrypted, continue along with these directions.

Use the `configure memory` command to copy the configuration file from NVRAM into RAM. Before you do this, the device configuration will be empty. After you do this, the device configuration will be the configuration previously stored in NVRAM by the device's administrator.

Use the `configure terminal` command to enter configuration mode.

If desired, use the `password` command to set the login password, or the `no password` command to remove the login password.

If desired, use the `enable password` command to set the enable password, or the `no enable password` command to remove the enable password.

If desired, use the `enable secret` command to set the secret password or the `no enable secret` command to remove the secret password.

If desired, use the `line 0` and `password` commands to set a password on the console port, or the `line 0` and `no password` commands to remove a password on the console port.

Changing these passwords may inconvenience and annoy any previous administrator of this device! If the passwords are not encrypted, you will not need to change them. If the passwords are encrypted, you will need to either change them or decrypt them. For information on decrypting these passwords, read How do I decrypt Cisco passwords?.

Press <CONTROL-Z> to exit configuration mode.

Use the `copy running-config startup-config` command to copy the configuration you have been editing back into the startup-config. This will save the changes you have just made to the configuration.

Part III: Cleaning Up

Power cycle the device.

Restore the configuration register to its original value. Use the `configure terminal` command to enter configuration mode and then use the `config-register` command to set the configuration register. If you were not able to note the configuration register earlier, you will almost always be fine by setting it to 0x2102, which is the default for most Cisco devices.

Note: The default configuration register value for the Router Switch Processor (RSP4) is 0x0101.

Note: On devices where you moved jumpers or set DIP switches, you will need to change them back to their original configuration.
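A defender's check for the clean-up step above, as an added example that is not part of the original article: it parses the `Configuration register is ...` line of `show version` output and flags a device left with the recovery setting in place. The bit meanings come from Cisco's documented register layout rather than from this page, and the sample lines are constructed.

```python
import re

# Bit meanings follow Cisco's documented 16-bit configuration register layout.
IGNORE_NVRAM = 0x0040    # bit 6: startup-config is skipped at boot
BREAK_DISABLED = 0x0100  # bit 8: BREAK is ignored once the system has booted
BOOT_FIELD = 0x000F      # bits 0-3: 0 = ROM monitor, 1 = boot ROMs, 2-F = normal boot

REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def decode(value):
    """Return the list of findings for one register value."""
    findings = []
    if value & IGNORE_NVRAM:
        findings.append("bit 6 set: startup-config ignored, passwords not loaded")
    boot = value & BOOT_FIELD
    if boot == 0:
        findings.append("boot field 0: device stops at the ROM monitor")
    elif boot == 1:
        findings.append("boot field 1: device boots from the boot ROMs")
    if not value & BREAK_DISABLED:
        findings.append("bit 8 clear: BREAK remains active after boot")
    return findings

def audit(show_version_text):
    """Parse `show version` output and decode the value used at next reload."""
    m = REG_LINE.search(show_version_text)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return {"current": current, "next_reload": pending,
            "findings": decode(pending)}

# Constructed sample lines, not captured from a real device.
SAMPLES = {
    "restored": "Configuration register is 0x2102",
    "left in recovery": "Configuration register is 0x2142",
    "fix pending": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "page value 0x42": "Configuration register is 0x42",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = audit(text)
        print(f"{name}: next reload {r['next_reload']:#06x} -> {r['findings'] or 'clean'}")
```

Run it against collected `show version` output after any recovery work; an empty findings list for the next-reload value means the register no longer bypasses the saved configuration.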

Some Cisco devices require you to delete their entire configurations to recover from a lost password. On the Catalyst 2820 ATM module, you reset to factory defaults from the Port Configuration Menu. On the 500-CS, press the reset button on the top of the case while you power on the device and the entire configuration is returned to factory default. On the Catalyst 3000, press the SysReq button on the back panel for five seconds, release it, and then select “Clear Non-Volatile RAM” from the menu.

  1. Thanks for this wonderful article! It has been extremely useful. I hope that you will continue posting your knowledge with us.
