Outbreak - Issue #1 - Page 10 of 13

Router Password Recovery
------------------------
by: Ryan

This article is on how to recover the passwords on the Cisco 1600 and 2500 router series. Each type has a slightly different way of going about recovering the password, so I will explain both.

Although you still have to be in enable mode on the router to do all that is involved, it shouldn't be that hard to get on the router while it's in enable mode, since most of the time the admin won't log off, to save time later when doing more configuration on the router. Or you can always just put a keylogger on the machine that the admin is consoling from :-). However, if you can get to the routers, just turn them off from the back so that you won't even have to know the enable password. Oh, and to console in, just hook a rollover cable from the console port on the router to the ethernet port on a computer, then HyperTerminal in to the router.

Anyway, the first thing that you must do on the router is type in "show ver". This command will show you the current configuration register settings. Then restart the router that you are consoled into. After it has been turned off for a few seconds, turn it back on. Within 60 seconds of turning the router back on, press and hold the Ctrl key, then press the Break key. This will interrupt the router's boot sequence. You will now be at a prompt to change the configuration register. At this prompt you will tell the configuration register to ignore the configuration file in NVRAM on the next startup. However, here is where the 1600 and 2500 series of Cisco routers differ.

If you are on the 2500 series router, simply type o/r 0x42 and press enter. To reload the router, just type I and press enter. When prompted to enter the initial config, just type N (for no) and press enter to see the router> prompt.

On the 1600 series of routers, instead of > you will be greeted with rommon 1> whenever you interrupt the boot sequence. The first thing you do is type confreg at the prompt, and type Y when asked to change the config. Then type N until you get to the "ignore system config info?" question. Here you will type Y (for yes). Now you will be prompted to change the configuration again; just type N, and then type reset to reload the router. Then, when the router reboots, type no when asked to initially configure the router so you will go to the router> prompt.

Now you will want to go into EXEC mode; to do this just type in enable at the prompt. You should not be prompted for a password, since that is what you just hax0red. Now you can take a little look at the router configuration by typing in "sh run". That step is mostly for fun, just to see what all you did to the router. Now, to modify the router's password, type "copy start run". This will load the config file from NVRAM to RAM so that the stuff you change will be saved on reload. Now you can take a look at the passwords that are on the machine by typing "sh run" again. They might be encrypted and will look like $5$768548764567988876896, you know, just crap.

Now it's time to change/set a new password. To do this, just go into global configuration mode by typing config t (configure terminal). Now type "enable secret passwordhere", and exit by typing ctrl-z. Now, to see what you have done, type in "sh run" again. Since the password has been set by using "enable secret" it will be encrypted, but at least you can see if your changes are being done.

If you want to change everything back to the way it was, you can do that as well. Say you didn't want to let the admin find out someone has been tampering with the routers, so you can get back on them later and hax0r some more. Then this section is just for you. First, enter global configuration mode again by typing "config t" at the prompt. Then use the command config-register 0x2101 and ctrl-z to exit. Now reload the router by typing none other than "reload". Amazing, eh? You will now be prompted to save your config; just type Y and hit enter. Now you are all set to hax0r up some Cisco routers.

Why Cisco gave this option I will never know, but if you're a router admin, I suggest buying some good locks ahead of anything else, since this is just a local hack.

- Ryan (ryan@insidergaming.net)
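As an added example for the router admin side (not part of Ryan's article), the following Python script reads the configuration register out of "show version" output and flags a router whose register ignores NVRAM on the next reload, which is exactly the state the o/r 0x42 / confreg step above leaves behind. The "Configuration register is ..." line format and the sample output are assumptions constructed for the example; the bit meanings are the standard IOS ones.

```python
import re

# Configuration-register bits the article's procedure touches (standard IOS
# semantics). The bit 8 check matters only after boot: the first ~60 seconds
# of the boot sequence always honour Break, which is what the article relies on.
IGNORE_NVRAM = 0x0040    # bit 6: boot without the startup-config held in NVRAM
BREAK_DISABLED = 0x0100  # bit 8: console Break ignored once IOS is running
BOOT_FIELD = 0x000F      # bits 0-3: 0x0 = ROM monitor, 0x2-0xF = normal boot

# 'show version' ends with a line like the ones below (format is an assumption).
_REG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                     r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def decode_confreg(value):
    """Split one register value into the fields worth auditing."""
    return {
        "value": value,
        "boot_field": value & BOOT_FIELD,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }

def audit_show_version(output):
    """Return current/pending register values plus findings, or None if absent.

    A pending 0x42 is exactly what the o/r 0x42 / confreg step leaves behind."""
    m = _REG_RE.search(output)
    if not m:
        return None
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    findings = []
    for label, reg in (("current", current), ("next reload", pending)):
        d = decode_confreg(reg)
        if d["ignore_nvram"]:
            findings.append(f"{label} register 0x{reg:04x} ignores NVRAM startup-config")
        if d["boot_field"] == 0:
            findings.append(f"{label} register 0x{reg:04x} boots into the ROM monitor")
    if not decode_confreg(current)["break_disabled"]:
        findings.append(f"current register 0x{current:04x} leaves Break enabled after boot")
    return {"current": current, "next": pending, "findings": findings}

# Constructed sample output: a router someone has left set up for a recovery boot.
SAMPLE = ("Cisco Internetwork Operating System Software\n"
          "Configuration register is 0x2102 (will be 0x42 at next reload)\n")

if __name__ == "__main__":
    for finding in audit_show_version(SAMPLE)["findings"]:
        print(finding)
```

Running it against "show version" captured from each router after an unexplained reboot turns the article's trick into a cheap check: a pending register with bit 6 set means someone has been at the console.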