Thursday, April 3, 2014

Cisco Catalyst Switch Password Recovery

This article is specific to:
2900XL, 3500XL, 2940, 2950, 2960, 2970, 3550, 3560, and 3750 series switches

It's important to understand what you're doing here, so I've created a summary of the steps and explained them in a little more detail than Cisco does.

Summary
Connect to the switch's console port.
Reboot the switch and enter *rommon mode.
Initialize the flash and boot helper.
Rename the current config.text file which contains your unknown password to config.old so you can use it again later.
Boot the switch into the initial configuration mode.
Rename your config.old back to config.text so it can be loaded at the next bootup.
Copy your config.text to running-config so you can change the password.
"Change" the password. (You will actually overwrite it.)
Save the configuration with the new password.

Steps
Attach a PC running terminal emulation software, such as SecureCRT (my favorite) or HyperTerminal, to the console port of the switch.

Use the following terminal settings:
- Bits per second (baud): 9600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow Control: Xon/Xoff

1. To enter ROMMON mode, hold down the mode button, located on the left side of the front panel, while you reconnect power to the switch. Release it after 5 seconds (15 seconds for the 3560 and 3750). Also note that the 2955 switches do not use an external mode button for password recovery; they use the "break" key function. (Windows 2000 uses Ctrl + Break, UNIX uses Ctrl-C, etc.)




2. Once you're at the switch prompt, issue the "flash_init" command.

switch: flash_init
Initializing Flash...

3. Issue the "load_helper" command.

switch: load_helper

4. Issue the "dir flash:" command to see the files in your flash directory.

switch: dir flash:

Directory of flash:/
-rwx 1131 <date> config.text     <<< This is the configuration file.


5. Type "rename flash:config.text flash:config.old" to rename the configuration file. This lets you boot the switch without your configuration while still retaining the config in flash memory.

switch: rename flash:config.text flash:config.old

6. Issue the "boot" command to boot the switch and get to the initial config dialog.

switch: boot
Loading "flash:c2960-lanbase-mz.122-46.SE.bin"...
######################################################
######################################################################
File "flash:c2960-lanbase-mz.122-46.SE.bin" uncompressed and installed, entry point: 0x3000
executing...

7. Enter "n" at the prompt to abort the initial configuration dialog.

--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Continue with configuration dialog? [yes/no]: n
Switch>

8. At the switch prompt, type "en" to enter enable mode.

Switch>en
Switch#

9. Since you've booted up without a config.text file, one was created automatically for you. You need to overwrite this default one with your config so it will be loaded when you reboot.
Type "rename flash:config.old flash:config.text" to rename the config file with its original name.

Switch#rename flash:config.old flash:config.text
Destination filename [config.text]
!--- Press Return or Enter.


Switch#

10. Since we've bypassed your config to boot, we need to load it back into memory to change your old password. Copy your configuration file into memory.

Switch#copy flash:config.text system:running-config
Destination filename [running-config]?
!--- Press Return or Enter.
1251 bytes copied in 0.740 secs
Switch1#

11. Overwrite your current unknown password. Do whichever ones you need to overwrite:


Switch1# conf t

Switch1(config)#enable secret <new_secret_password> 
and/or

Switch1(config)#enable password <new_enable_password>
(See the ** note at the end.)

12. Write the memory to save your passwords!!!!

Switch1(config)#end
Switch1#write memory
Building configuration...
[OK]
Switch1#

* Rommon is a program in EPROM that is always available if you interrupt the switch/router from loading the IOS image. Great explanations here: http://basicnetworkingconcepts.blogspot.com/2011/02/rommon-in-cisco.html
http://basicnetworkingconcepts.blogspot.com/2011/02/cisco-device-bootup-steps.html
** Note: Cisco has recently discouraged use of the "enable password" command because it is not very secure. Use "enable secret" instead. It will override the "enable password" statement if one exists.
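
As an added example (not part of the original post and not Cisco's code), here is a short Python check you can run against a saved copy of config.text after the recovery. It reports any "enable password" lines and says whether each is still the active credential or a leftover that "enable secret" overrides. The function name audit_enable and both sample configs are constructed for illustration.

```python
import re

# enable {password|secret} [level N] [encryption-type] <value>
ENABLE_RE = re.compile(
    r"^enable\s+(password|secret)(?:\s+level\s+(\d+))?(?:\s+(\d+))?\s+(\S+)$")

def audit_enable(config_text):
    """Return a sorted list of (level, finding); credential values are never echoed."""
    entries = []
    for line in config_text.splitlines():
        m = ENABLE_RE.match(line.strip())
        if m:
            kind, level, enc, _value = m.groups()
            entries.append((kind, int(level or 15), enc or "0"))  # level defaults to 15
    secret_levels = {lvl for kind, lvl, _ in entries if kind == "secret"}
    findings = []
    for kind, lvl, enc in entries:
        if kind != "password":
            continue
        stored = "type 7, reversible" if enc == "7" else "cleartext"
        if lvl in secret_levels:
            findings.append((lvl, f"leftover enable password ({stored}): overridden by "
                                  "enable secret but still in the file, remove it"))
        else:
            findings.append((lvl, f"enable password ({stored}) is the active credential: "
                                  "replace it with enable secret"))
    if not entries:
        findings.append((15, "no enable credential configured"))
    return sorted(findings)

# Constructed sample configs (not taken from any real device).
RECOVERED = """\
hostname Switch1
enable secret 5 $1$EXAMPLE$notarealhashvalue00000
enable password 7 <constructed-type7-string>
"""
LEGACY = """\
hostname Switch1
enable password level 5 <constructed-cleartext>
enable password <constructed-cleartext>
"""

if __name__ == "__main__":
    for name, cfg in (("RECOVERED", RECOVERED), ("LEGACY", LEGACY)):
        for level, finding in audit_enable(cfg):
            print(f"{name}: level {level}: {finding}")
```

A leftover line is cleared on the switch with "no enable password" in configuration mode, followed by "write memory".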