IOS Router Password Reset

Cisco - Enterprise


tl;dr

  1. Interrupt the boot sequence with a 'break' command.
  2. Set the config register to 0x2142.
  3. Boot the router.
  4. Copy the startup to the running config.
  5. Reset the secrets/passwords as needed.
  6. Reset the config register to 0x2102.
  7. Save the config.
  8. Test that you still have access.

What's this for?

IOS Router Password Reset is for when your colleague who's now happily retired has set a password on a device but forgot to put it in the password management software. It's also useful for you newbies to the land of networking who have received a second hand router from a popular online e-buying site but it's got a password set on it.

Demo Environment

The outputs below come from the following setup...

  • Hardware: Cisco C897VAG-LTE-GA-K9
  • OS: IOS
  • Version: 15.4(3)M8
  • Bootstrap: 15.4(3r)M1
  • Date: 09-08-2019

IOS Router Password Reset

So what we're going to do in these ramblings is run through the steps needed to get back into your Cisco router.

Warning: if you do not own the router you're about to attempt this on, you will probably be breaking some sort of company policy or law of the land you live in. If in doubt, seek legal advice and/or permission from the person that owns the router. Please also read the disclaimer on the about page of this website.

The first step we need to take is to get physically consoled into the router. In these ramblings I will use PuTTY, however any terminal emulator that supports sending 'breaks' will do. Note: you cannot use SSH or Telnet for this procedure, as the break has to reach the console port during the boot sequence.

Once you're connected up you might as well have one last stab at that password that will look something like this...

	router>en
	Password: password
	% Access denied
	
	router>en
	Password: Password123
	% Access denied
	
	router>en
	Password: P@$$w0rd123
	% Access denied

Once you get to the point where the swearing is starting to disturb your colleagues and/or the router is about to break some form of record for the longest flight without wings, then it's time to get the router rebooted. As the router is rebooting it's really important to keep sending break commands until you get the following output.

System Bootstrap, Version 15.4(3r)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2014 by cisco Systems, Inc.

Total memory size = 1024 MB
C897VAG-LTE-GA-K9 platform with 1048576 Kbytes of main memory
Main memory is configured to 32 bit mode

Readonly ROMMON initialized

monitor: command "boot" aborted due to user interrupt
rommon 1 >

You are now in rommon mode. Think of this as being a bit like the BIOS of the router. From here we want to check the current configuration register on the router.

Note: The configuration register tells the router how you want it to boot up.

monitor: command "boot" aborted due to user interrupt
rommon 1 > confreg
	
	
           Configuration Summary
   (Virtual Configuration Register: 0x2102)
enabled are:
load rom after netboot fails
console baud: 9600
boot: image specified by the boot system commands
      or default to: cisco2-C897VAG-LTE-GA-K9

do you wish to change the configuration? y/n  [n]:  n

Once we know what it used to be (note it down, you will need it again at the end) we can update the config register to tell the router to ignore the startup configuration. We do this by changing the config register to 0x2142.

Note: You can do a lot more with the config register than just tell the router to ignore the startup config, but that's a topic for another ramblings.

rommon 2 > confreg 0x2142

You must reset or power cycle for new config to take effect

Do as the router says and reset the router.

Note: It's reset, not reboot; Cisco must not believe consistency is key!

rommon 3 > reset

System Bootstrap, Version 15.4(3r)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2014 by cisco Systems, Inc.

Total memory size = 1024 MB
C897VAG-LTE-GA-K9 platform with 1048576 Kbytes of main memory
Main memory is configured to 32 bit mode

Readonly ROMMON initialized

Once the router has booted you will get an output looking like this. We will answer "no" because we're real network engineers.

Cisco C897VAG-LTE-GA-K9 (revision 1.0) with 857164K/60339K bytes of memory. Installed image archive

Processor board ID FCZ########
1 DSL controller
1 Ethernet interface
9 Gigabit Ethernet interfaces
1 ATM interface
2 terminal lines
1 Virtual Private Network (VPN) Module
1 Cellular interface
DRAM configuration is 32 bits wide
255K bytes of non-volatile configuration memory.
1024128K bytes of ATA System CompactFlash (Read/Write)


         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Don't worry if it freezes for a moment, this is normal; it will eventually throw something out like this...

Press RETURN to get started!


*Jan  2 00:00:01.019: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c800 Next reboot level = advipservices and License= advipservices
*Aug  9 06:47:47.623: c3600_scp_set_dstaddr2_idb(184)add = 80 name is Embedded-Service-Engine0
*Aug  9 06:47:47.919: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized
*Aug  9 06:47:47.923: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled Unknown WIC in slot(0/3), wic card has an unknown id of 0x7B

*Aug  9 06:48:04.599: %CTS-6-ENV_DATA_START_STATE: Environment Data Download in start statevdslmib_tbl_init: cannot create subblock.

*Aug  9 06:48:09.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, chang09.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down
*Aug  9 06:48:09.495: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
*Aug  9 06:48:09.495: %LINK-3-UPDOWN: Interface GigabitEthernet8, changed state to up
*Aug  9 06:48:09.711: %SYS-6-STARTUP_CONFIG_IGNORED: System startup configuration is ignored based on the configuration register setting.
*Aug  9 06:48:09.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Aug  9 06:48:10.535: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down
*Aug  9 06:48:10.539: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet8, changed state to down
*Aug  9 06:48:12.099: %LINK-3-UPDOWN: Interface GigabitEthernet8, changed state to down
*Aug  9 07:41:21.287: %LINK-3-UPDOWN: Interface Ethernet5, changed state to up
*Aug  9 07:41:22.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet5, changed state to up
*Aug  9 07:41:22.883: %LINK-5-CHANGED: Interface ATM0, changed state to administratively down
*Aug  9 07:41:22.883: %LINK-5-CHANGED: Interface Ethernet0, changed state to administratively down
*Aug  9 07:41:22.883: %LINK-5-CHANGED: Interface GigabitEthernet8, changed state to administratively down
*Aug  9 07:41:24.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Aug  9 07:41:24.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down
*Aug  9 07:41:24.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2, changed state to down
*Aug  9 07:41:24.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3, changed state to down
*Aug  9 07:41:24.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4, changed state to down
*Aug  9 07:41:24.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5, changed state to down
*Aug  9 07:41:24.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet6, changed state to down
*Aug  9 07:41:24.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet7, changed state to down
*Aug  9 07:41:24.771: %ENVMON-5-48V_STATUS: -48V supply OK
*Aug  9 07:41:26.107: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(3)M8, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Mon 31-Jul-17 06:05 by prod_rel_team
*Aug  9 07:41:26.331:  ifs_open failed, path flash:1:/env_vars errno 2574
*Aug  9 07:41:26.463: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Aug  9 07:41:26.463: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Aug  9 07:41:31.199: %SECONDCORE-5-BOOTSTAGE: ROMMON on 2nd core UP
*Aug  9 07:41:31.211: %SECONDCORE-5-BOOTSTAGE: BOOTLOADER on 2nd core UP
*Aug  9 07:41:32.043: %SECONDCORE-5-BOOTSTAGE: LINUX on 2nd core UP

After it's thrown this out just hit enter and you should be back to the trusty router user exec prompt. If at this point we try to move into privileged exec mode we should go straight in, because no enable secret has been loaded.

Router>en
Router#

At this point we can copy the startup configuration into the running configuration. After the copy has completed your router should be almost back to how it was before.

Warning: Do not get this the wrong way around (running-config to startup-config), otherwise bye bye configuration, hello bad day.

Note: On routers, interfaces are shutdown by default. Copying the startup config to the running config will not "no shutdown" these ports, because the saved configuration contains no explicit "no shutdown" lines to merge in; you will have to go and do that manually.

Router#copy startup-config running-config
Destination filename [running-config]?
2271 bytes copied in 0.396 secs (5735 bytes/sec)

MyTestRouter01#

If at this point you get distracted and let the CLI session expire you will be back to square one and need to run through the procedure again. So let's quickly get the secrets updated on the router. First use the command below to find any secrets configured on the box.

Note: if you use passwords on your equipment instead of secrets, first consider upgrading to secrets, second change the command below to be "show run | include password". If you have both don't worry too much about the passwords as the secret will overrule the password.

MyTestRouter01# show run | include secret
enable secret 5 $1$q5HU$QjJh9JE9nswwNjCkR5qLc/
username AdmPri privilege 15 secret 5 $1$ifyh$p5J4cRoGg0eMTwWxoHEnO/
username AdmSec privilege 15 secret 5 $1$Q0BM$NXIdpYHnPZdSXXi2JS40x1

Now we know what we need to update let's move into danger mode / configure terminal and get them updated.

MyTestRouter01# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
MyTestRouter01(config)#username AdmPri privilege 15 secret PasswordICanRemember
MyTestRouter01(config)#username AdmSec privilege 15 secret PasswordICanRemember
MyTestRouter01(config)#
MyTestRouter01(config)#enable secret PasswordICanRemember
MyTestRouter01(config)#

If we were to reboot the router now, the config register is still set to tell the router to ignore the startup configuration, so that's exactly what it would do. Put it back to the value we noted earlier, then save.

MyTestRouter01(config)#config-register 0x2102
MyTestRouter01(config)#
MyTestRouter01(config)#end
MyTestRouter01#write
Building configuration...
[OK]
MyTestRouter01#

Finally, I would ALWAYS recommend you try three tests:

  1. First, reboot the router to make sure the config register is set correctly. If you have just driven for a few hours to reset this router, the last thing you want to do is have to drive all the way back in a week's time to work out why, after that power cut, the router didn't come back up.
  2. Second, after the reboot log into the router using all the usernames and passwords you have just reset. If the device is configured for TACACS, disconnect the cables to ensure it fails back to the local credentials. Note: if your device is a massive ASR router with 40 cables going into it, this is why labelling cables is important. To label cables like a Pro see this article for more information.
  3. Third, make sure you can remotely access the router. If you're currently working at a remote site, call your office up and get someone there to check.
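The config register note earlier and the first test above both come down to one question: which bits of the register are set, and will bit 6 (ignore NVRAM) still be set at the next reload? The following is an added example, not code from the original post; it decodes a register value into the fields ROMMON's confreg summary shows and checks the "Configuration register is ..." line that IOS prints at the end of show version. Bit constants are taken from Cisco's documented register layout as recalled here, and the sample line is constructed.

```python
import re

# Bit layout of the IOS configuration register (recalled from Cisco's
# documented layout; this is an added example, not the original post's code).
IGNORE_NVRAM = 0x0040      # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100    # bit 8: ignore console break after boot
NETBOOT_FALLBACK = 0x2000  # bit 13: load ROM software if netboot fails
BAUD_BITS = 0x1800         # bits 11-12: console speed when bit 5 is clear
BAUD_TABLE = {0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400}


def decode_confreg(value):
    """Turn a register value into the fields ROMMON's 'confreg' summarises."""
    boot_field = value & 0x000F
    if boot_field == 0:
        boot = "stay in ROMMON"
    elif boot_field == 1:
        boot = "boot first image in flash"
    else:
        boot = "image specified by the boot system commands"
    return {
        "boot": boot,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "netboot_fallback": bool(value & NETBOOT_FALLBACK),
        "console_baud": BAUD_TABLE.get(value & BAUD_BITS),  # None if bit 5 set
    }


SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")


def check_show_version(text):
    """Parse the register line from 'show version' and say whether a reload
    would still ignore the startup-config (i.e. step 6 was forgotten)."""
    m = SHOW_VERSION_RE.search(text)
    if not m:
        return None
    current = int(m.group(1), 16)
    next_reload = int(m.group(2), 16) if m.group(2) else current
    return {
        "current": current,
        "next_reload": next_reload,
        "safe_to_reload": not decode_confreg(next_reload)["ignore_startup_config"],
    }


# Constructed sample: the last line of 'show version' right after step 6.
SAMPLE = "Configuration register is 0x2142 (will be 0x2102 at next reload)"

if __name__ == "__main__":
    print(decode_confreg(0x2142))
    print(check_show_version(SAMPLE))
```

Run it against the real show version output before you reload; a result with safe_to_reload False means the router will come up ignoring its startup-config again.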