RE: Please re- read a see can you help (More exact problem)

From: Dennis (cc13@xxxxxxxxx)
Date: Fri Jun 21 2002 - 18:21:29 GMT-3


   
Here you go... Thanks to Joe for the original post...

Dennis

<quote>

All,

I sent an earlier email stating that if you issued the "no service
password-recovery" command that the only way I had found to bypass the
command was to replace the bootrom. I was informed that Scott Morris had
posted an earlier email showing another process that could be used to bypass
the command but you would lose your configuration. I took what he stated
and tried a few things a little different and found a way around the command
so that if you issue the "no service password-recovery" command you can
totally bypass the effects of the command and keep your config. Please note
that I have successfully done this today on the 2600 series platform only. I
am posting below the entire screen capture of the commands needed to bypass
the effects of the command. Every piece of software is always written with a
hook (CISSP information) and Cisco IOS is no different.

Router-1#
Router-1#
Router-1#term leng 0
Router-1#sh ru
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-1
!
enable secret 5 $1$sCnF$E51c1b/cHBjLYLw.zcboU1
!
!
!
!
!
ip subnet-zero
ip tcp synwait-time 15
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
cns event-service server
!
!
!
!
end

Router-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router-1(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: yes
Router-1(config)#end
Router-1#
00:04:00: %SYS-5-CONFIG_I: Configured from console by console
Router-1#wr mem
Building configuration...
[OK]
Router-1#sh ru
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service password-recovery
!
hostname Router-1
!
enable secret 5 $1$sCnF$E51c1b/cHBjLYLw.zcboU1
!
!
!
!
!
ip subnet-zero
ip tcp synwait-time 15
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
cns event-service server
!
!
!
!
end

Router-1#reload
Proceed with reload? [confirm]

00:05:00: %SYS-5-RELOAD: Reload requested
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 49152 Kbytes of main memory

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x928024
Self decompressing the image :
############################################################################
############################################################################
############################################################################
############################################################################
############################################################################
############################################################################
############################################################################
############################################################################
############################################################################
############################################################################
############################################################################
############################################################################
############################################################################
########################################################## [OK]
!Do Not issue the break sequence here!!!!

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JO3S56I-M), Version 12.0(7)T, RELEASE
SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 07:11 by phanguye
Image text-base: 0x80008088, data-base: 0x8107A5D0
!
!Issue Break Sequence Here
!

PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default
configuration and proceed [y/n] ?
!Answer this question with a "y", the question mark cannot be deleted

Reset router configuration to factory default.

Compliance with U.S. Export Laws and Regulations - Encryption

This product performs encryption and is regulated for export
by the U.S. Government.

This product is not authorized for use by persons located
outside the United States and Canada that do not have prior
approval from Cisco Systems, Inc. or the U.S. Government.

This product may not be exported outside the U.S. and Canada
either by physical or electronic means without PRIOR approval
of Cisco Systems, Inc. or the U.S. Government.

Persons outside the U.S. and Canada may not re-export, resell,
or transfer this product by either physical or electronic means
without prior approval of Cisco Systems, Inc. or the U.S.
Government.

cisco 2620 (MPC860) processor (revision 0x102) with 39936K/9216K bytes of
memory.
Processor board ID JAD042206GN (1804004596)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

!Now for some reason (I have not figured it out yet) the router acts as
!though you just issued the command again and gives you a chance to
!reverse the command

WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: no
!As you can see I answered no to the question

Press RETURN to get started!

Passed
00:00:36: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:00:36: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:00:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to down
00:00:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed
state to down
00:00:48: %SYS-5-CONFIG_I: Configured from memory by console
00:00:48: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C260Translating "Router-1"

Router-1>0-JO3S56I-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 07:11 by phanguye
00:00:49: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:00:49: %LINK-5-CHANGED: Interface Serial0/0, changed state to
administratively down
00:00:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
Router-1>en
Password:
00:00:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to down
!
!My config is still there
!
Router-1#sh ru
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-1
!
enable secret 5 $1$sCnF$E51c1b/cHBjLYLw.zcboU1
!
!
!
!
!
ip subnet-zero
ip tcp synwait-time 15
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
cns event-service server
!
!
!
!
end

Router-1#
Router-1#
Router-1#
Router-1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JO3S56I-M), Version 12.0(7)T, RELEASE
SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 07:11 by phanguye
Image text-base: 0x80008088, data-base: 0x8107A5D0

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

Router-1 uptime is 1 minute
System returned to ROM by reload
System image file is "flash:c2600-jo3s56i-mz.120-7.T.bin"

cisco 2620 (MPC860) processor (revision 0x102) with 39936K/9216K bytes of
memory.
Processor board ID JAD042206GN (1804004596)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Router-1#

-Joe Harris
CCIE# 6200

</quote>

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
P729
Sent: Friday, June 21, 2002 2:43 PM
To: Casey, Paul (6822); 'CCIE-Groupstudy'
Subject: Re: Please re- read a see can you help (More exact problem)

Too bad the archive search is still broken. I seem to recall a service of
some type that made it harder to break into the 26/3600 series routers.
Although the name of the service made it sound like it would be impossible
to break into rommon, someone wrote in that there is actually a small window
of opportunity to break in and set the config register with no echo and then
reboot. My CCO searches are coming up empty, so it may have been in a
special ISP train.

Can you post the output of 'show ver' ?

Regards,

Mas Kato
https://ecardfile.com/id/mkato
----- Original Message -----
From: "Casey, Paul (6822)" <Paul.Casey@o2.com>
To: "'CCIE-Groupstudy'" <ccielab@groupstudy.com>
Cc: "'Hyunseog Ryu'" <moonhunt@firewall.moonworld.org>; "'Bauer, Rick'"
<BAUERR@toysrus.com>
Sent: Friday, June 21, 2002 10:25 AM
Subject: Please re- read a see can you help (More exact problem)

> Password recovery page doesn't help
>
> You don't see anything with console access in Hyperterminal...
>
> Here's my serious problem
>
> I have a router and I don't know the enable password for it, 12-14 months
> old and no one can remember the password.
> That's not the worst
> I can get into user mode and when I type show version the confreg register
> is set to 0x1202 ... (seemed a bit funny)
>
> Now when the router boots and I connect to the console port you can't see
> anything happening on the console port, therefore I can't get into rommon
> mode. Pressing keys has no effect. You just can't see anything or do
> anything
>
> This confreg-reg setting must have done something serious.
>
> However, after several minutes when I connect to the aux port I get
> "press any key to continue" appears on hyper
> terminal screen and I am back in user mode again.
> Aux mode only becomes active after bootup,
>
> image is still booting so that's ok, but back in user access, without
> password.
> and can't get to console because of the confreg-reg setting ..... and can't
> change confreg-reg from user mode..
>
>
> I need to get access to this router ASAP and get access to rommon fix the
> password problem.
>
> it is a 2600 series router .....
> Also when I check the interfaces for user mode, they are all
> administratively shut down... so that's no help...
>
> I seemed to be locked out of the router, except for user mode which seems
> to be good for nothing.
> A bit of a catch 22 situation.
>
>
> Any help appreciated...
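
An added example, not part of any message in this thread: a decoder for the two configuration register values quoted above (0x2102 in the `sh ver` output and 0x1202 in the original question). The bit meanings and the console-speed table are assumed from Cisco's published configuration register layout for this router class, since the thread does not list them, and the 9600 baud terminal default in `audit_confreg` is likewise an assumption.

```python
# Added example: decode a Cisco IOS configuration register value.
# Bit meanings are assumed from Cisco's published register layout,
# not taken from the thread itself.

# Console speed is encoded in bits 5, 12 and 11.
CONSOLE_BAUD = {
    (0, 0, 0): 9600, (0, 0, 1): 4800, (0, 1, 0): 1200, (0, 1, 1): 2400,
    (1, 0, 0): 19200, (1, 0, 1): 38400, (1, 1, 0): 57600, (1, 1, 1): 115200,
}

FLAGS = {
    0x0040: "ignore NVRAM contents (startup-config) at boot",
    0x0100: "break disabled after boot",
    0x0400: "IP broadcast with all zeros",
    0x2000: "boot default ROM software if network boot fails",
    0x4000: "IP broadcasts do not have net numbers",
    0x8000: "diagnostic messages enabled, NVRAM contents ignored",
}

# Bits this decoder assigns a meaning to; anything else is reported raw.
KNOWN_MASK = 0x000F | 0x0020 | 0x1800 | sum(FLAGS)


def decode_confreg(value):
    """Split a 16-bit configuration register into its documented fields."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    speed_bits = ((value >> 5) & 1, (value >> 12) & 1, (value >> 11) & 1)
    return {
        "boot_field": value & 0xF,
        "console_baud": CONSOLE_BAUD[speed_bits],
        "flags": [text for mask, text in sorted(FLAGS.items()) if value & mask],
        "other_bits": value & ~KNOWN_MASK & 0xFFFF,
    }


def audit_confreg(value, expected_baud=9600):
    """Return findings an operator should review for this register value."""
    decoded = decode_confreg(value)
    findings = []
    if decoded["console_baud"] != expected_baud:
        findings.append("console runs at %d baud, terminal expects %d"
                        % (decoded["console_baud"], expected_baud))
    if value & 0x0040:
        findings.append("startup-config is ignored at boot")
    return findings


if __name__ == "__main__":
    for reg in (0x2102, 0x1202):  # the two values quoted in the thread
        print(hex(reg), decode_confreg(reg), audit_confreg(reg))
```

For the 0x1202 value the decoder returns a 1200 baud console, so a terminal set to any other speed shows no readable output on that port; 0x2102 decodes to 9600 baud with break disabled after boot.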


