Password Recovery for Cisco Router 2900 - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Friday, June 3, 2016

Password Recovery for Cisco Router 2900


I have to reset one Cisco 2901 router to factory default. Unfortunately no one knows user name and password.

Cisco documentation Password Recovery Procedure for the Cisco 2900 Integrated Services Router has listed all steps, but not enough detail how to "Remove the compact flash that is on the rear of the router."

I understand Cisco 2900 series is using a different way to do password recovery than a usual way by press 'Break' key during booting process. Cisco 2900 will automatically boot into ROMMOM mode after you removed Compact Flash card. But how to remove CF card from the rear of router, it does not say enough from Password Recovery Procedure for the Cisco 2900 Integrated Services Router.

Here are what I figured out by using a flat head screw driver. Lets find out where the compact flash card locates from following photo:






There are two CF slots. The right one is 0 which usually holds CF inside.

Before you process to remove CF slot cover, turn off your router first.

Using a flat head screwdriver to plug into the cover spring place as show in the next photo, slightly push and pry it a bit to left. The CF slot cover can be lifted out. After removed the cover, you will see CF is securely plugged inside. Taking CF card out will be quite easy now.










Basic steps to do 2900 router's password recovery.

After boot into ROMMON mode, change config-register value to 0x2142 to ignore startup-configuration during next boot process.

Press RETURN to get started.


System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.

Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO2901/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC enabled


Readonly ROMMON initialized
Compact Flash0: Not present

System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.

Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO2901/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC enabled


Readonly ROMMON initialized
Compact Flash1: Not present

System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.

Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO2901/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC enabled


Readonly ROMMON initialized
Compact Flash0: Not present

System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.

Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO2901/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC enabled


Readonly ROMMON initialized
rommon 1 > confreg 0x2142


You must reset or power cycle for new config to take effect
rommon 2 > reset

System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.

Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO2901/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC enabled


Readonly ROMMON initialized
program load complete, entry point: 0x80803000, size: 0x1b340
program load complete, entry point: 0x80803000, size: 0x1b340


IOS Image Load Test
___________________
Digitally Signed Release Software
program load complete, entry point: 0x81000000, size: 0x3bc7164
Self decompressing the image : ##################################################
###########################################################################
###########################################################################
###########################################################################
###########################################################################
######################## [OK]

Smart Init is enabled
smart init is sizing iomem
                 TYPE      MEMORY_REQ
          HWIC Slot 0      0x00200000
          HWIC Slot 1      0x00200000
          HWIC Slot 2      0x00200000
    Onboard devices &
         buffer pools      0x0228F000
-----------------------------------------------
               TOTAL:      0x0288F000

Rounded IOMEM up to: 44Mb.
Using 8 percent iomem. [44Mb/512Mb]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 28-Oct-10 18:32 by prod_rel_team
Image text-base: 0x2100E358, data-base: 0x2593FA80


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco CISCO2901/K9 (revision 1.0) with 479232K/45056K bytes of memory.
Processor board ID FTX15110600
2 Gigabit Ethernet interfaces
3 Serial interfaces
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)


         --- System Configuration Dialog ---


Would you like to enter the initial configuration dialog? [yes/no]: n




After logged into enable mode, copy startup-config to running-config. You may get some warning messages, but they can be ignored.

Router#copy startup-config running-config
Destination filename [running-config]?

% Hostname "Test-Test-       " is not a legal LAT node name, Using "CISCO_4269D0"
*Jun  3 20:09:12: %SYS-6-CLOCKUPDATE: System clock has been updated from 20:09:12 UTC Fri Jun 3 2016 to 20:09:12 GMT Fri Jun 3 2016, configured from console by console.
*Jun  3 20:09:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
% Warning: use /31 mask on non point-to-point interface cautiously
%Error: This command applies only to DCE interfaces
%Error: This command applies only to DCE interfaces
%Error: This command applies only to DCE interfaces

10112 bytes copied in 7.808 secs (1295 bytes/sec)




Change enable password and add a new user admin into configuration.
Change config-register to default 0x2102 to load start-up configuration during boot process

test-test-2183(config)#enable secret 0 admin
The enable secret you have chosen is the same as your enable password.

This is not recommended.  Re-enter the enable secret.
test-test-2183(config)#username admin privilege 15 password admin
test-test-2183(config)#config-register 0x2102




Reference:








No comments:

Post a Comment