From: Basel Tashkandi (basel@xxxxxxxxxxxxx)
Date: Sat Dec 01 2001 - 05:51:20 GMT-3
Hi Joe,
When you wanted to go into enable mode, did you enter the password or did it
just let you in?
Thanks
At 23:04 30/11/2001 -0600, Harris, Joe F wrote:
>All,
>
>I sent an earlier email stating that if you issued the "no service
>password-recovery" command that the only way I had found to bypass the
>command was to replace the bootrom. I was informed that Scott Morris had
>posted an earlier email showing another process that could be used to bypass
>the command but you would lose your configuration. I took what he stated
>and tried a few things a little different and found a way around the command
>so that if you issue the "no service password-recovery" command you can
>totally bypass the effects of the command and keep your config. Please note
>that I have successfully done this today on the 2600 series platform only. I
>am posting below the entire screen capture of the commands needed to bypass
>the effects of the command. Every piece of software is always written with a
>hook (CISSP information) and Cisco IOS is no different.
>
>Router-1#
>Router-1#
>Router-1#term leng 0
>Router-1#sh ru
>Building configuration...
>
>Current configuration:
>!
>version 12.0
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>!
>hostname Router-1
>!
>enable secret 5 $1$sCnF$E51c1b/cHBjLYLw.zcboU1
>!
>!
>!
>!
>!
>ip subnet-zero
>ip tcp synwait-time 15
>no ip domain-lookup
>!
>ip audit notify log
>ip audit po max-events 100
>cns event-service server
>!
>!
>!
>!
>end
>
>Router-1#config t
>Enter configuration commands, one per line. End with CNTL/Z.
>Router-1(config)#no service password-recovery
>WARNING:
>Executing this command will disable password recovery mechanism.
>Do not execute this command without another plan for
>password recovery.
>
>Are you sure you want to continue? [yes/no]: yes
>Router-1(config)#end
>Router-1#
>00:04:00: %SYS-5-CONFIG_I: Configured from console by console
>Router-1#wr mem
>Building configuration...
>[OK]
>Router-1#sh ru
>Building configuration...
>
>Current configuration:
>!
>version 12.0
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>no service password-recovery
>!
>hostname Router-1
>!
>enable secret 5 $1$sCnF$E51c1b/cHBjLYLw.zcboU1
>!
>!
>!
>!
>!
>ip subnet-zero
>ip tcp synwait-time 15
>no ip domain-lookup
>!
>ip audit notify log
>ip audit po max-events 100
>cns event-service server
>!
>!
>!
>!
>end
>
>Router-1#reload
>Proceed with reload? [confirm]
>
>00:05:00: %SYS-5-RELOAD: Reload requested
>System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
>Copyright (c) 1999 by cisco Systems, Inc.
>TAC:Home:SW:IOS:Specials for info
>C2600 platform with 49152 Kbytes of main memory
>
>PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
>program load complete, entry point: 0x80008000, size: 0x928024
>Self decompressing the image :
>############################################################################
>############################################################################
>############################################################################
>############################################################################
>############################################################################
>############################################################################
>############################################################################
>############################################################################
>############################################################################
>############################################################################
>############################################################################
>############################################################################
>############################################################################
>########################################################## [OK]
>!Do Not issue the break sequence here!!!!
>
> Restricted Rights Legend
>
>Use, duplication, or disclosure by the Government is
>subject to restrictions as set forth in subparagraph
>(c) of the Commercial Computer Software - Restricted
>Rights clause at FAR sec. 52.227-19 and subparagraph
>(c) (1) (ii) of the Rights in Technical Data and Computer
>Software clause at DFARS sec. 252.227-7013.
>
> cisco Systems, Inc.
> 170 West Tasman Drive
> San Jose, California 95134-1706
>
>
>
>Cisco Internetwork Operating System Software
>IOS (tm) C2600 Software (C2600-JO3S56I-M), Version 12.0(7)T, RELEASE
>SOFTWARE (fc2)
>Copyright (c) 1986-1999 by cisco Systems, Inc.
>Compiled Tue 07-Dec-99 07:11 by phanguye
>Image text-base: 0x80008088, data-base: 0x8107A5D0
>!
>!Issue Break Sequence Here
>!
>
>PASSWORD RECOVERY IS DISABLED.
>Do you want to reset the router to factory default
>configuration and proceed [y/n] ?
>!Answer this question with a "y", the question mark cannot be deleted
>
>Reset router configuration to factory default.
>
>
>Compliance with U.S. Export Laws and Regulations - Encryption
>
>This product performs encryption and is regulated for export
>by the U.S. Government.
>
>This product is not authorized for use by persons located
>outside the United States and Canada that do not have prior
>approval from Cisco Systems, Inc. or the U.S. Government.
>
>This product may not be exported outside the U.S. and Canada
>either by physical or electronic means without PRIOR approval
>of Cisco Systems, Inc. or the U.S. Government.
>
>Persons outside the U.S. and Canada may not re-export, resell,
>or transfer this product by either physical or electronic means
>without prior approval of Cisco Systems, Inc. or the U.S.
>Government.
>
>cisco 2620 (MPC860) processor (revision 0x102) with 39936K/9216K bytes of
>memory.
>Processor board ID JAD042206GN (1804004596)
>M860 processor: part number 0, mask 49
>Bridging software.
>X.25 software, Version 3.0.0.
>SuperLAT software (copyright 1990 by Meridian Technology Corp).
>TN3270 Emulation software.
>1 FastEthernet/IEEE 802.3 interface(s)
>1 Serial network interface(s)
>32K bytes of non-volatile configuration memory.
>16384K bytes of processor board System flash (Read/Write)
>
>!Now for some reason (I have not figured it out yet) the router acts as
>!though you just issued the command again and gives you a chance to
>!reverse the command
>
>WARNING:
>Executing this command will disable password recovery mechanism.
>Do not execute this command without another plan for
>password recovery.
>
>Are you sure you want to continue? [yes/no]: no
>!As you can see I answered no to the question
>
>
>Press RETURN to get started!
>
>Passed
>00:00:36: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>00:00:36: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
>00:00:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
>changed state to down
>00:00:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed
>state to down
>00:00:48: %SYS-5-CONFIG_I: Configured from memory by console
>00:00:48: %SYS-5-RESTART: System restarted --
>Cisco Internetwork Operating System Software
>IOS (tm) C2600 Software (C260Translating "Router-1"
>
>Router-1>0-JO3S56I-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
>Copyright (c) 1986-1999 by cisco Systems, Inc.
>Compiled Tue 07-Dec-99 07:11 by phanguye
>00:00:49: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>00:00:49: %LINK-5-CHANGED: Interface Serial0/0, changed state to
>administratively down
>00:00:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
>changed state to up
>Router-1>en
>Password:
>00:00:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
>changed state to down
>!
>!My config is still there
>!
>Router-1#sh ru
>Building configuration...
>
>Current configuration:
>!
>version 12.0
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>!
>hostname Router-1
>!
>enable secret 5 $1$sCnF$E51c1b/cHBjLYLw.zcboU1
>!
>!
>!
>!
>!
>ip subnet-zero
>ip tcp synwait-time 15
>no ip domain-lookup
>!
>ip audit notify log
>ip audit po max-events 100
>cns event-service server
>!
>!
>!
>!
>end
>
>Router-1#
>Router-1#
>Router-1#
>Router-1#sh ver
>Cisco Internetwork Operating System Software
>IOS (tm) C2600 Software (C2600-JO3S56I-M), Version 12.0(7)T, RELEASE
>SOFTWARE (fc2)
>Copyright (c) 1986-1999 by cisco Systems, Inc.
>Compiled Tue 07-Dec-99 07:11 by phanguye
>Image text-base: 0x80008088, data-base: 0x8107A5D0
>
>ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
>
>Router-1 uptime is 1 minute
>System returned to ROM by reload
>System image file is "flash:c2600-jo3s56i-mz.120-7.T.bin"
>
>cisco 2620 (MPC860) processor (revision 0x102) with 39936K/9216K bytes of
>memory.
>Processor board ID JAD042206GN (1804004596)
>M860 processor: part number 0, mask 49
>Bridging software.
>X.25 software, Version 3.0.0.
>SuperLAT software (copyright 1990 by Meridian Technology Corp).
>TN3270 Emulation software.
>1 FastEthernet/IEEE 802.3 interface(s)
>1 Serial network interface(s)
>32K bytes of non-volatile configuration memory.
>16384K bytes of processor board System flash (Read/Write)
>
>Configuration register is 0x2102
>
>Router-1#
>
>
>-Joe Harris
>CCIE# 6200
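
For anyone monitoring routers that rely on this command, the capture above leaves two observable traces: the "no service password-recovery" line is gone from the running config, and the uptime-stamped syslog restarts from zero. The following check is an added example, not part of the original thread or of any Cisco tooling; the function names are hypothetical, the sample inputs are constructed from the capture, and it assumes "service timestamps log uptime" stamps in the hh:mm:ss form shown.

```python
import re

WATCHED = ("no service password-recovery",)    # hardening line from the post
STAMP = re.compile(r"^(\d+):(\d\d):(\d\d): %")  # uptime-stamped syslog line

def config_lines(show_run):
    """Meaningful lines of a 'show running-config' capture, as a set."""
    noise = {"", "!", "Building configuration...", "Current configuration:"}
    return {s for s in (l.strip() for l in show_run.splitlines()) if s not in noise}

def dropped_hardening(before, after, watched=WATCHED):
    """Watched lines present in the baseline capture but absent afterwards."""
    b, a = config_lines(before), config_lines(after)
    return [w for w in watched if w in b and w not in a]

def reboots(syslog):
    """Count reboots: with uptime timestamps, the stamp goes backwards."""
    count, last = 0, -1
    for line in syslog.splitlines():
        m = STAMP.match(line.strip())
        if m:
            secs = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
            count += secs < last
            last = secs
    return count

def assess(before, after, syslog):
    """One finding per watched line that vanished between the two captures."""
    how = "across a reboot" if reboots(syslog) else "with no reboot logged"
    return [f"{w!r} removed {how}" for w in dropped_hardening(before, after)]

# Constructed samples modelled on the capture (secret replaced by a placeholder).
BEFORE = """Building configuration...
Current configuration:
!
version 12.0
no service password-encryption
no service password-recovery
!
hostname Router-1
enable secret 5 <placeholder>
end
"""
AFTER = BEFORE.replace("no service password-recovery\n", "")
SYSLOG = """00:04:00: %SYS-5-CONFIG_I: Configured from console by console
00:05:00: %SYS-5-RELOAD: Reload requested
00:00:36: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:00:48: %SYS-5-CONFIG_I: Configured from memory by console
00:00:48: %SYS-5-RESTART: System restarted --
"""

if __name__ == "__main__":
    print(assess(BEFORE, AFTER, SYSLOG))
```

Feed it a stored baseline and a fresh capture taken after any unexpected restart; a finding means the box should be treated as having had console access during boot.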