Tuesday, August 21, 2012

Howto Recover Lost Cisco Enable Password

In this blog post, we will recover from a lost Cisco switch enable password.

Connect the console cable to a running Linux or FreeBSD machine's serial port. Make sure the screen(1) software is installed.

# FreeBSD or PC-BSD version :
cd /usr/ports/sysutils/screen
sudo make install clean

# Linux version :
sudo yum -y install screen

Then use screen(1) to connect to the serial port and thus get the Cisco switch's console output :

# FreeBSD or PC-BSD version :
sudo screen -S cisco /dev/cuau0

# Linux version :
sudo screen -S cisco /dev/ttyS0

Now hold the Mode button, and at the same time reconnect the power cord to the switch. You can release the Mode button a second or two after the LED above port 1X goes off. Several lines of information about the software appear, as do instructions:

The system has been interrupted prior to initializing the flash 
file system. The following commands will initialize the flash 
file system, and finish loading the operating system software:



At the switch: prompt, issue the following command to initialize the Flash file system :

switch: flash_init

Load any helper files:

switch: load_helper

Display the contents of Flash memory:

switch: dir flash:

Directory of flash:/

2    -rwx  1645810   <date>               c2900XL-c3h2s-mz-120.5.2-XU.bin
3    -rwx  105970    <date>               c2900XL-diag-mz-120.5.2-XU
4    drwx  6784      <date>               html
111  -rwx  3087      <date>               config.text
112  -rwx  286       <date>               env_vars
113  -rwx  1456      <date>               vlan.dat
114  -rwx  25        <date>               snmpengineid

829952 bytes available (2782720 bytes used)

We can see several files with their sizes. The file that we're interested in is config.text which holds the switch's configuration and the lost password. So let's move all this aside for now. Be carefull to use the rename command and not the copy command here.

switch: rename flash:config.text flash:config.old

Boot the system.

switch: boot

You are prompted to start the setup program. Enter N at the prompt.

Continue with the configuration dialog? [yes/no]: N

That will drop you to the Switch> prompt. Move to EXEC mode.

Switch> enable

This will change the prompt to Switch# instead of Switch>. We can now load the old configuration into memory. But before we can do this, we need to rename the configuration file to its original name:

Switch# rename flash:config.old flash:config.text

Copy the configuration file into memory and press Return in response to the confirmation prompts.

Switch# copy flash:config.text system:running-config
Source filename [config.text]?
Destination filename [running-config]?

The configuration file is now reloaded, and you can use the following normal commands to change the password.

Enter global configuration mode:

Switch# config terminal

Change the password:

Switch(config)# enable secret <password>

While we're at it, let's change the user passwords as well.

Switch(config)# line con 0
Switch(config-line)# login
Switch(config-line)# password <password>
Switch(config-line)# line vty 0 15 
Switch(config-line)# login
Switch(config-line)# password <password>
Switch(config-line)# end

We're now ready to reload the switch and test our new passwords.

Switch# reload

Once the switch is back, we will be able to login with our new passwords.

Finally, to exit from the screen(1), simply hit « Ctrl-A » then hit the « K » key. You will be asked if you really want to kill the screen, simply say « yes ».




No comments:

Post a Comment