{"id":1062,"date":"2018-05-20T16:43:49","date_gmt":"2018-05-20T22:43:49","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=1062"},"modified":"2018-05-22T18:14:39","modified_gmt":"2018-05-23T00:14:39","slug":"cisco-router-password-recovery-console-access","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2018\/05\/cisco-router-password-recovery-console-access\/","title":{"rendered":"Cisco Router Password Recovery &#8211; Console Access"},"content":{"rendered":"<p>I was strolling through my local Goodwill and I spotted a Cisco 871w on the shelf for the same $3.99 price tag as the shitty Netgear sitting next to it. I have zero need for this device but for $3.99 I had to get it.  I wondered if the previous owner had failed to wipe the device before donating it.  This quick tutorial shows you how to recover your password if you forget it&#8230;or see what the previous owner set for the password, among all other interesting information.  TL;DR &#8211; David should have followed the information detailed on <a href=\"https:\/\/www.netequity.com\/how-to-get-rid-of-your-old-cisco-equipment\/\" target=\"_blank\">this site<\/a> before donating his device.<br \/>\n<!--more--><br \/>\nFirst step is connecting the Cisco console to our workstation. I chose to use the Console cable (<a herf=\"https:\/\/dcloud-cms.cisco.com\/help\/connect_console\" target=\"_blank\">RJ45-to-DB9<\/a>) plugged into a <a herf=\"https:\/\/www.amazon.com\/Plugable-Adapter-Prolific-PL2303HX-Chipset\/dp\/B00425S1H8\" target=\"_blank\">Prolific Serial-to-USB<\/a> adapter. While you can plug your adapter into your Windows workstation and connect via Putty I do not recommend it. Even at Windows 7 I have issues with the adapter and I\u2019m not using one of those cheap Chinese knockoffs. Without fail my workstation will eventually BSoD. Lenovo work laptop or Acer personal laptop it doesn\u2019t matter. I prefer to connect to my Ubuntu workstation and use minicom.<\/p>\n<p>Plug in your adapter and check &#8220;dmesg&#8221; to identify your serial device (usually \/dev\/ttyUSB0).<br \/>\n<pre><code>$ dmesg |tail\n[&nbsp;&nbsp; 88.483038] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0\n[&nbsp;&nbsp; 88.483050] usb 1-3: Product: USB-Serial Controller\n[&nbsp;&nbsp; 88.483053] usb 1-3: Manufacturer: Prolific Technology Inc.\n[&nbsp;&nbsp; 89.517987] usbcore: registered new interface driver usbserial\n[&nbsp;&nbsp; 89.518001] usbcore: registered new interface driver usbserial_generic\n[&nbsp;&nbsp; 89.518012] usbserial: USB Serial support registered for generic\n[&nbsp;&nbsp; 89.520965] usbcore: registered new interface driver pl2303\n[&nbsp;&nbsp; 89.520998] usbserial: USB Serial support registered for pl2303\n[&nbsp;&nbsp; 89.521033] pl2303 1-3:1.0: pl2303 converter detected\n[&nbsp;&nbsp; 89.521962] usb 1-3: pl2303 converter now attached to ttyUSB0<\/code><\/pre><\/p>\n<p>The connection details are as follows:<\/p>\n<ul>\n<li>9600 baud<\/li>\n<li>8 data bits<\/li>\n<li>2 stop bits<\/li>\n<li>No parity<\/li>\n<li>None (flow control)<\/li>\n<\/ul>\n<p><pre><code>$sudo minicom \u2013s\nconfiguration -&gt; Serial port setup\nA -&gt; \/dev\/ttyUSB0 -&gt; Enter\nE -&gt; C -&gt; X -&gt; Enter\nF -&gt; Enter\nconfiguration -&gt; Exit -&gt; Enter<\/code><\/pre><\/p>\n<p>The easiest way I&#8217;ve found to issues a &#8220;break key sequence&#8221; from Ubuntu and minicom is to simulate the effect described at the bottom of the Cisco support document found <a herf=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/routers\/10000-series-routers\/12818-61.html\" target=\"_blank\">here<\/a>.<\/p>\n<p>The connection details to simulate the break key sequence are as follows:<\/p>\n<ul>\n<li>1200 baud<\/li>\n<li>8 data bits<\/li>\n<li>1 stop bits<\/li>\n<li>No parity<\/li>\n<li>None (flow control)<\/li>\n<\/ul>\n<p><pre><code>$sudo minicom \u2013s\nconfiguration -&gt; Serial port setup\nA -&gt; \/dev\/ttyUSB0 -&gt; Enter\nE -&gt; C -&gt; B -&gt; B -&gt; B -&gt; Enter\nF -&gt; Enter\nconfiguration -&gt; Exit -&gt; Enter<\/code><\/pre><br \/>\nPower cycle (switch off and then on) the router and press the SPACEBAR for 10-15 seconds in order to generate a signal similar to the break sequence.<br \/>\nModify minicom settings back to the default settings for communicating with a Cisco device as detailed above. While in minicom enter the following commands.<br \/>\n<pre><code>CTRL-A -&gt; SHIFT-Z -&gt; SHIFT-P\nE -&gt; C -&gt; X -&gt; Enter\nconfiguration -&gt; Exit -&gt; Enter<\/code><\/pre><br \/>\nWe are now in ROM Monitor mode<br \/>\n<pre><code>\nrommon 1 &gt; confreg 0x2142\nYou must reset or power cycle for new config to take effect\nrommon 2 &gt; reset\n\nmonitor: command &quot;reset&quot; not found<\/code><\/pre><br \/>\nThere is no option to reset so power cycle the router by turning it off and on.<br \/>\n<pre><code>--- System Configuration Dialog ---\n\nWould you like to enter the initial configuration dialog? [yes\/no]: no\n\nPress RETURN to get started!\n\nRouter&gt;enable\n\nRouter#show start\nUsing 8289 out of 131072 bytes\n!\nversion 12.4\nno service pad\nservice timestamps debug datetime msec localtime show-timezone\nservice timestamps log datetime msec localtime show-timezone\nno service password-encryption\nservice sequence-numbers\n!\nhostname 871W\n!\nboot-start-marker\nboot-end-marker\n!\nlogging buffered 51200\nlogging console critical\nenable secret 5 $1$giUt$JYQ\/N5nR71S9umxAsLNKj1\n\n... SNIP ...\n\nbanner login ^CAuthorized personel Only!^C\n!\nline con 0\n password axe55z\n no modem enable\nline aux 0\nline vty 0 4\n password axe55z\n!\nscheduler max-task-time 5000\nend<\/code><\/pre><br \/>\nHIGHLIGHT EVERYTHING AND MAKE A COPY OF THE CONFIGURATION INTO A NOTEPAD. We will examine the configuration file for fun (and no profit) to see what details were left by the previous owner.  I left the most interesting details in the snippet shown above which include cleartext credentials and the encrypted &#8220;enable&#8221; password.<\/p>\n<p>Now lets put everything back were we found it so the device will boot with the current configuration.<br \/>\n<pre><code>Router#config t\nEnter configuration commands, one per line.&nbsp;&nbsp;End with CNTL\/Z.\nRouter(config)#config-register 0x2102\nRouter(config)#exit\nRouter#write mem\nBuilding configuration...\n[OK]\n\nRouter#show ver\nCisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)\nTechnical Support: http:\/\/www.cisco.com\/techsupport\nCopyright (c) 1986-2008 by Cisco Systems, Inc.\nCompiled Thu 01-May-08 02:31 by prod_rel_team\n\nROM: System Bootstrap, Version 12.3(8r)YI2, RELEASE SOFTWARE\n\n. . . SNIP . . .\n\nCisco 871W (MPC8272) processor (revision 0x200) with 236544K\/25600K bytes of memory.\nProcessor board ID FHK102153YM\nMPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10\n5 FastEthernet interfaces\n1 802.11 Radio\n128K bytes of non-volatile configuration memory.\n24576K bytes of processor board System flash (Intel Strataflash)\n\nConfiguration register is 0x2142 (will be 0x2102 at next reload)\n\nRouter#reload\nProceed with reload? [confirm]\n\n*Jan 29 01:15:08.479: %SYS-5-RELOAD: Reload requested&nbsp;&nbsp;by console. Reload Reason: Reload Command.<\/code><\/pre><\/p>\n<p>Resources<br \/>\n<a href=\"https:\/\/dcloud-cms.cisco.com\/help\/connect_console\" target=\"_blank\">https:\/\/dcloud-cms.cisco.com\/help\/connect_console<\/a><br \/>\n<a href=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/routers\/10000-series-routers\/12818-61.html\" target=\"_blank\">https:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/routers\/10000-series-routers\/12818-61.html<\/a><br \/>\n<a href=\"https:\/\/www.netequity.com\/how-to-get-rid-of-your-old-cisco-equipment\/\" target=\"_blank\">https:\/\/www.netequity.com\/how-to-get-rid-of-your-old-cisco-equipment\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was strolling through my local Goodwill and I spotted a Cisco 871w on the shelf for the same $3.99 price tag as the shitty Netgear sitting next to it. I have zero need for this device but for $3.99 I had to get it. I wondered if the previous owner had failed to wipe [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[163,162],"tags":[161,130,79],"class_list":["post-1062","post","type-post","status-publish","format-standard","hentry","category-hacking","category-networking","tag-cisco","tag-hacking","tag-password"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1062","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=1062"}],"version-history":[{"count":12,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1062\/revisions"}],"predecessor-version":[{"id":1074,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1062\/revisions\/1074"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=1062"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=1062"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=1062"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}