Password Recovery Procedure for Cisco Routers

One of the problems that you may find yourself in is that you are not able to access a router due to not knowing the password. This can happen in various scenarios, for example if a network engineer has left the company and has not divulged the password details, or alternatively you have simply forgotten what the password is. Fortunately, there is a way to get around this problem, known as a password recovery.

Before we continue, I must mention that password recovery can be a very dangerous procedure and in the wrong hands can be used to compromise network security. It is not my intention for this information to be used maliciously, it is simply a procedure that network engineers need to know in order to perform their daily tasks. Make sure that you have authorization from whoever manages the network before attempting a password recovery.

Different router models have different ways of performing a password recovery. The method that I will be showing you in this article applies to most Cisco routers, however some routers may have variations to this procedure. You should therefore always refer to Cisco's website for the exact procedure for your particular model.

To perform a password recovery, you will need console access to the router. Password recovery cannot be performed remotely and requires you to be physically located next to the router. Additionally, the password recovery procedure requires the router to be restarted, which will cause a network outage.

Password Recovery Procedure

Step 1: Power-cycle the router

The first step is to turn the router off and on again. As the router is booting up, you need to perform the next step.

Step 2: Send a break sequence

As the router is booting up, you need to send a break sequence. This must be done within the first 60 seconds of the router powering on. The break sequence will interrupt the boot sequence and drop you into ROM Monitor mode.

The break sequence differs depending on the terminal emulation software that you are using:

• HyperTerminal: Press Ctrl + Break
• Putty: Right-click on the title bar of the Putty window and select "Special Command" > "Break"
• Tera Term: Go to Control > Send Break
• SecureCRT: Go to Tools > Send Special > Break

If successful, you should see the following prompt:

rommon 1 >

If you do not see this prompt, then the break sequence was not successful and you will need to try again.

Step 3: Change the configuration register

From the ROM Monitor prompt, we need to change the configuration register to 0x2142. This will cause the router to bypass the startup configuration on the next boot.

rommon 1 > confreg 0x2142

Step 4: Restart the router

Now restart the router from ROM Monitor mode:

rommon 2 > reset

The router will now boot up and bypass the startup configuration. This means that it will boot up with a blank configuration and you will not be prompted for a password.

Step 5: Enter privileged mode

Since the router has booted up with a blank configuration, you should be able to enter privileged mode without a password:

Router> enable
Router#

Step 6: Copy the startup configuration to the running configuration

At this point the router is running with a blank configuration. We need to copy the startup configuration (which contains all the original configuration including passwords) to the running configuration:

Router# copy startup-config running-config

Now the router is running with the original configuration, but since we bypassed the startup configuration during boot, we were able to get into the router without knowing the passwords.

Step 7: Change the passwords

Now that you have access to the router, you can change the passwords to something that you know. You may want to change the enable password, enable secret, and console password:

Router# configure terminal
Router(config)# enable secret newpassword
Router(config)# line console 0
Router(config-line)# password newpassword
Router(config-line)# login
Router(config-line)# exit

Step 8: Change the configuration register back to normal

This is a very important step that is often forgotten. We need to change the configuration register back to its normal value of 0x2102 so that the router will use the startup configuration on future reboots:

Router(config)# config-register 0x2102
Router(config)# exit

Step 9: Save the configuration

Finally, save the running configuration to the startup configuration:

Router# copy running-config startup-config

The password recovery procedure is now complete. The router will now boot normally with the new passwords that you have configured.

Important Notes

• This procedure requires physical access to the router and will cause a network outage
• Different router models may have variations to this procedure
• Always ensure you have proper authorization before performing password recovery
• Make sure to change the configuration register back to 0x2102 or the router will continue to bypass the startup configuration
• Document the new passwords in a secure location to avoid this situation in the future