Recovering a Router with the Password Recovery Service Disabled

By stretch | Monday, October 11, 2010 at 1:43 a.m. UTC

Password recovery is the process used to regain administrative access to a Cisco router that is no longer administratively accessible (for example, because the credentials needed to log in have been forgotten). The process enables anyone with access to the physical console to interrupt the boot sequence of the router, forcing it into ROM monitor mode (rommon). From rommon, the router can then be instructed to boot without referencing its startup configuration, so the user can reach privileged exec (enable) mode at the console and retrieve or modify the saved configuration.

Obviously, this means anyone with physical access to the device can view the potentially sensitive router configuration. Cisco provides the ability to disable the password recovery service to mitigate such physical attacks.

Disabling Password Recovery

Disabling the password recovery service is performed similarly to disabling any other IOS service, with a variant of the no service command. Note, however, that this particular command has been omitted from the context-sensitive help because of its potentially dangerous nature.

Router(config)# no service password-?
password-encryption

Router(config)# no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: y
Router(config)#

The line no service password-recovery will appear in the running configuration at this point. The command itself is somewhat peculiar: it persists across reloads without being written to the startup configuration (similar to manipulating the configuration register), yet it is displayed in the running configuration regardless.

On the next reload, a notice regarding the disabled password recovery service can be seen.

System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled

Upgrade ROMMON initialized
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......
program load complete, entry point: 0x80012000, size: 0xc0c0
...

Recovering a Device Without the Password Recovery Service

At this point, you may be wondering what recourse you're left with should password recovery need to be performed. Fortunately, even with password recovery disabled, a forgotten password won't turn your router into a brick. Although you won't be able to access rommon, you do have the option of erasing the startup configuration by sending a break signal during boot.

System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled

Upgrade ROMMON initialized
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......

program load complete, entry point: 0x80012000, size: 0x167e724
Self decompressing the image : #################################################
################################################################################
################################################################ [OK]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 03:22 by prod_rel_team

[ Send the break signal at this point ]

PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default
configuration and proceed [y/n] ? y
Reset router configuration to factory default.

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Installed image archive
Cisco 1811W (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FHK110913UQ, with hardware revision 0000

10 FastEthernet interfaces
1 Serial interface
1 terminal line
125440K bytes of ATA CompactFlash (Read/Write)
[OK][OK]
SETUP: new interface FastEthernet0 placed in "shutdown" state
SETUP: new interface FastEthernet1 placed in "shutdown" state

Press RETURN to get started!

*Oct 10 04:41:15.971: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 03:22 by prod_rel_team
...
*Oct 10 04:41:18.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down
*Oct 10 04:41:18.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
Router> enable
Router# show startup-config
Using 5 out of 196600 bytes
end

At this point you're able to restore the device's configuration (minus the forgotten credentials) from a backup.

One last note: attempting to manipulate certain fields of the configuration register while password recovery is disabled will result in an error.

Router(config)# config-register 0x2142
Password recovery is disabled, cannot enable diag or ignore configuration.

Router(config)# service password-recovery
Router(config)# config-register 0x2142
Router(config)#
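Because the setting persists across reloads without ever appearing in the startup configuration, a fleet audit has to read the running configuration, and a device with recovery disabled is only as recoverable as its most recent off-box backup. The following script is an added example (not Packet Life's or Cisco's code) that checks a running-config dump for `no service password-recovery`, looks for an IOS `archive` path pointing at a remote server, and flags a configuration-register value that sets the ignore-NVRAM bit (bit 6, the bit 0x2142 turns on), which IOS rejects with the error shown above while recovery is disabled. `SAMPLE_CONFIG` and the SCP archive path in it are constructed for the example.

```python
"""Audit a Cisco IOS running-config for the password-recovery behaviour
described in the post.  Added example (not Packet Life's or Cisco's code);
SAMPLE_CONFIG is constructed and the archive stanza is an assumed operator
setup, not something the post shows."""
import re

# Configuration-register bit checked here (standard IOS definition):
# bit 6 tells the router to boot without loading startup-config, which is
# what 'config-register 0x2142' requests and what IOS refuses with
# "cannot enable diag or ignore configuration" while recovery is disabled.
IGNORE_NVRAM = 0x0040

# Constructed running-config excerpt for the audit below.
SAMPLE_CONFIG = """\
!
version 12.4
no service password-recovery
service password-encryption
hostname Router
!
archive
 path scp://backup@192.0.2.5/configs/$h-$t
 write-memory
!
end
"""


def password_recovery_disabled(config):
    """True if 'no service password-recovery' appears as a config line.
    Check the *running* config: the post notes the setting persists across
    reloads without ever being written to startup-config."""
    return any(line.strip() == "no service password-recovery"
               for line in config.splitlines())


def offbox_backup_paths(config):
    """Return archive 'path' URLs that point at a remote server."""
    paths = re.findall(r"^\s+path\s+(\S+)", config, flags=re.MULTILINE)
    return [p for p in paths if re.match(r"(tftp|ftp|scp|https?)://", p)]


def config_register_conflict(register, recovery_disabled):
    """Would IOS reject this register value?  It refuses the ignore-NVRAM
    bit whenever password recovery is disabled."""
    return recovery_disabled and bool(register & IGNORE_NVRAM)


def audit(config, register):
    """Return findings for one device's running-config and intended register."""
    disabled = password_recovery_disabled(config)
    backups = offbox_backup_paths(config)
    findings = []
    if disabled and not backups:
        findings.append("password recovery disabled but no off-box archive "
                        "path configured; a forgotten password means a "
                        "factory reset with nothing to restore from")
    if config_register_conflict(register, disabled):
        findings.append("config-register 0x%04x sets the ignore-NVRAM bit, "
                        "which IOS rejects while recovery is disabled"
                        % register)
    return {"recovery_disabled": disabled,
            "backup_paths": backups,
            "findings": findings}


if __name__ == "__main__":
    for reg in (0x2102, 0x2142):
        result = audit(SAMPLE_CONFIG, reg)
        print("register 0x%04x:" % reg, result["findings"] or ["no findings"])
```

Feed `audit()` the output of `show running-config` collected from each device; a device that reports `recovery_disabled` with an empty `backup_paths` list is the one whose only recovery path is the factory reset described above.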

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Security

Comments


ciscotophat
October 11, 2010 at 2:46 a.m. UTC

Great article! Could totally come in handy for the unorganized network administrator.


Stöge (guest)
October 11, 2010 at 6:35 a.m. UTC

Cool stuff, didn't know ... Hope I never have to use it ;-)


vsaltao
October 11, 2010 at 2:06 p.m. UTC

Also very handy to use it for implementations where you aren't sure the physical security is good (for VPN implementations it's always great to know that no one will be able to retrieve any credentials, although PSK encryption is also a good way to do it)


StuckInActive (guest)
October 12, 2010 at 4:10 a.m. UTC

Disabling password recovery works well when paired with the IOS configuration archive feature. That is, when you're storing the configurations off-box, of course.


A guest
October 12, 2010 at 6:04 a.m. UTC

So, remember kids... always back up your configuration files and keep them warm and safe :) . Even if it's from the last day, it's better than nothing :)


r2d2 (guest)
December 6, 2010 at 2:52 a.m. UTC

Can I do the same on 28 series routers?


Guruprasadmys
February 16, 2011 at 11:22 a.m. UTC

Very useful stuff :)


Pranav (guest)
April 5, 2011 at 10:16 a.m. UTC

This has really helped in restoring the 2821. Awesome and thanks a lot.


G.Ming (guest)
March 22, 2012 at 9:02 a.m. UTC

Flash deleted and PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

How can I get to ROMmon if this happens?


C1sc0M4n1971 (guest)
February 28, 2013 at 7:18 p.m. UTC

I played around and discovered a way to circumvent this and still retain the config...at least in a 2600 series router and an ASA that uses a CF...

Router---kinda scary I know, but the only risk here is killing the NVRAM chip. So, boot the router without the NVRAM chip in it (in a 2600 series there are two small slightly rectangular socketed chips on the mainboard in front of the flash SIMM-the boot ROM and NVRAM chip. The NVRAM is the one closest to the power supply. If you try and boot the router without the boot ROM, it simply won't boot...wonder why ;) ). You can then do a break, after which you confreg 0x2142 and reset. When the router boots, it'll tell you that NVRAM is corrupt (well duh!), and give an exception error, blablabla but it's not a kernel panic so it will continue to decompress and load the IOS. After "press RETURN to get started!", or maybe before, it'll ask "Would you like to enter the initial configuration dialog?" or something to that effect---answer "no"!!! Then it may (older routers) ask if you want to terminate auto-install---yes! Then (here's the pretend scary part) you put the NVRAM chip back in, yes while the router is still running, and carry on as if you were doing a normal password recovery.

ASA---simple...take the CF module (the one on the inside, on the same IO module as the external one) and plug it into a card reader on a w1nd0z3 (Windows) box, go into folder options, select "Show hidden files, folders and drives", uncheck "Hide protected operating system files" and then click "Apply to Folders". I'm pretty sure at this point you can figure out that the config file shows up and can be opened with Wordpad---so copy the config somewhere to back it up. You actually may as well copy all contents as they are into a new directory on your D0z3 box...then, put the CF back into the ASA and don't fear erasing the config and setting the ASA to "factory defaults" since you just backed it up!

I usually make a copy of the known working config on the flash with an intuitive name (date-known-working-config.cfg) so that if for some reason NVRAM ever bursts into flames and I lose the config on it, I can fix it and from a factory-default config do a copy flash:/date-known-working-config.cfg run.

Have fun! Wear an anti-static wrist strap if you want, even.


Wahab (guest)
November 27, 2013 at 4:21 p.m. UTC

Dear Jeremy Stretch, you have been a wonderful Cisco solution provider. The above procedure worked out on my network pretty fine.

Thanks a million


Kispingwin (guest)
February 5, 2014 at 3:07 p.m. UTC

I have a problem with resetting a 1812 too. This article does not work for me, because my ROMMON is in read-only state.

Readonly ROMMON initialized
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

So I can't enter ROMMON, and BREAK doesn't work either.

Do you have any idea how I can do a full reset of my router?


JB (guest)
July 2, 2014 at 9:22 p.m. UTC

I have a problem with resetting a 2921. This article does not work for me.

Readonly ROMMON initialized
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

I can't enter ROMMON, and BREAK doesn't work either.

Any idea how I can do a full reset of my router?
