                              +-+-+-+-+-+-+-+-+
                              |O|u|t|b|r|e|a|k|
                              +-+-+-+-+-+-+-+-+
                          Issue #1 - Page 10 of 13



Router Password Recovery
------------------------
by: Ryan <ryan@insidergaming.net>


This article is on how to recover the passwords on the Cisco 1600 and 2500
router series.  Each type has a slightly different way of going about
recovering the password, so I will explain both.  Although you still have to be
in enable mode on the router to do all that is involved, it shouldn't be that
hard to get on the router when it's in enable mode, since most of the time the
admin won't log off, to save time later when doing more configuration to the
router.  Or you can always just put a keylogger on the machine that the admin
is consoling from :-).  However, if you can get to the routers, just turn them
off from the back so that you won't even have to know the enable password.  Oh,
and to console in, just hook a rollover cable from the console port on the
router to the ethernet port on a computer, then HyperTerminal in to the router.

Anyways, the first thing that you must do on the router is type in "show ver".
This command will show you the current configuration register settings.  Then
restart the router that you are consoled into.  After it has been turned off
for a few seconds, turn it back on.  Within 60 seconds of turning the router
back on, press and hold the Ctrl key, then press the Break key.  This will
interrupt the router's boot sequence.  You will now be at a prompt where you
can change the configuration register.  At this prompt you will tell the
configuration register to ignore the configuration file in NVRAM on the next
startup.  However, here is where the 1600 and 2500 series of Cisco routers
differ.

If you are on the 2500 series router, simply type o/r 0x42 and press Enter.  To
reload the router, just type I and press Enter.  When prompted to enter the
initial config, just type N (for no) and press Enter to see the router> prompt.

On the 1600 series of routers, instead of > you will be greeted with rommon 1>
whenever you interrupt the boot sequence.  The first thing you do is type
confreg at the prompt, and type Y when asked to change the config.  Then type N
till you get to the "ignore system config info" question.  Here you will type Y
(for yes).  Now you will be prompted to change the configuration again; just
type N, and type reset to reload the router.  Then when the router reboots, type
no when asked to initially configure the router, so you will go to the router>
prompt.

Now you will want to go into EXEC mode; to do this just type in enable at the
prompt.  You should not be prompted for a password, since that is what you just
hax0red.  Now you can take a little look at the router configuration by typing
in "sh run".  That step is mostly for fun, just to see what all you did to the
router.  Now, to modify the router's password, type "copy start run".  This will
load the config file from NVRAM to RAM so that the stuff you change will be
saved on reload.  Now you can take a look at the passwords that are on the
machine by typing "sh run" again.  They might be encrypted and will look like
$5$768548764567988876896, you know, just crap.  Now it's time to change/set a
new password.  To do this, just go into global configuration mode by typing
config t (configure terminal).  Now type "enable secret passwordhere", and exit
by typing Ctrl-Z.  Now to see what you have done, type in "sh run" again.  Since
the password has been set by using "enable secret" it will be encrypted, but at
least you can see if your changes are being made.

If you want to change everything back to the way it was, you can do that as
well.  Say you didn't want to let the admin find out someone has been tampering
with the routers, so you can get back on them later and hax0r some more.  Then
this section is just for you.  First, enter global configuration mode again by
typing "config t" at the prompt.  Then use the command config-register 0x2101
and Ctrl-Z to exit.  Now reload the router by typing none other than "reload".
Amazing, eh?  You will now be prompted to save your config; just type Y and hit
Enter.
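The whole procedure turns on one setting: the configuration register that "show ver" reports, and that both o/r 0x42 and the rommon confreg answer change so the router ignores NVRAM. An admin can audit for exactly that. The Python script below is added here and is not part of the original article; it parses the "Configuration register is ..." line from "show version" output and flags any current or pending value with bit 6 (0x40, ignore NVRAM) set. The sample output is constructed, and the bit meanings are Cisco's documented ones, assumed here to apply to the 1600/2500 series.

```python
import re

# Configuration-register bits as documented by Cisco (assumption: the same
# layout applies to the 1600 and 2500 series discussed in the article).
IGNORE_NVRAM = 0x0040  # bit 6: boot while ignoring the startup config in NVRAM
BOOT_FIELD = 0x000F    # bits 0-3: 0 = stay in ROM monitor, 1 = boot from ROM

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?:\s*\(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

# Constructed sample of "show version" output; not captured from a real router.
SAMPLE_SHOW_VER = """\
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-I-L), Version 12.0(5), RELEASE SOFTWARE
Router uptime is 2 minutes
System restarted by power-on
Configuration register is 0x42 (will be 0x2102 at next reload)
"""


def parse_config_register(show_ver):
    """Return (current, next_reload) register values from 'show version' text."""
    m = CONFREG_RE.search(show_ver)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def register_findings(value):
    """List the security-relevant properties of one register value."""
    findings = []
    if value & IGNORE_NVRAM:
        findings.append("ignores NVRAM startup config (password-recovery setting)")
    if value & BOOT_FIELD == 0:
        findings.append("boots to ROM monitor instead of IOS")
    return findings


def audit(show_ver):
    """Flag a register that bypasses NVRAM now or at the next reload."""
    current, pending = parse_config_register(show_ver)
    report = {"current": current, "pending": pending,
              "current_findings": register_findings(current),
              "pending_findings": register_findings(pending) if pending is not None else []}
    report["suspicious"] = bool(report["current_findings"] or report["pending_findings"])
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_SHOW_VER))
```

A register of 0x2102 produces no findings, while 0x42 (or 0x2142) is flagged even if it was only set for the next reload.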

Now you are all set to hax0r up some Cisco routers.  Why Cisco gave this option
I will never know, but if you're a router admin, I suggest buying some good
locks ahead of anything else, since this is just a local hack.

- Ryan (ryan@insidergaming.net)  
