Thursday, October 22, 2015

Resetting your Cisco Router Password via ROMMON

How to perform password recovery on your Cisco IOS router

Here's the tools you will need
1) Router/Switch
2) Rollover cable
3) Terminal Emulator Program such as Tera Term or Putty
4) Knowledge of Register values


  1. Connect the rollover cable's RJ-45 interface to your device and the serial or USB interface into to your computer
  2. Picture thanks to: https://es.wikibooks.org/wiki/Planificaci%C3%B3n_y_Administraci%C3%B3n_de_Redes/Tema_6/Texto_complete
  3. Fire up your terminal emulator
  4. Connect to the appropriate COM port (remember the appropriate serial settings)
    • 9600 baud rate
    • No parity
    • 8 data bits
    • 1 stop bit
    • No flow control
  5. Reboot the Router
  6. Send the break signal to the Router - the keystroke to signal break varies by terminal emulator
  7. The break signal drops you into ROMMON mode instead of booting the IOS in this low level mode (kind of like booting to BIOS/CMOS on a desktop) you get different options such as configuring the boot register (like changing the boot order or hardware in BIOS)
  8. To tell the system to boot normally, except without loading the startup configuration type:
    • ROMMON>confreg 0x2142
  9. To reboot type:
    • ROMMON>reset
  10. When the system boots you may be prompted to configure setup using the prompts - if so type:
    • no
  11. You have an un-configured system - log on by typing:
    • Router#enable
  12. Now load your startup configuration by typing:
    • Router#copy start run
    • (DO NOT DO THE OPPOSITE (copy run start) OR YOU WILL LOSE THE STARTUP CONFIG!!!)
    • Yes, I did that once. Thank God for TFTP backups.
  13. Now your configuration has loaded but you're already in, without having to have typed the official password! Sneaky! Now you can set the password to access privileged mode by typing:
    • Router#conf t
    • Router(config)#enable secret <enter your secret here>
  14. Reset the device to boot normally instead of skipping the startup config by typing:
    • Router(config)#config-register 0x2102 
    • Router(config)#end
  15. Backup your current configuration to survive rebooting by typing:
    • Router#copy run start
    • (if you type the opposite you will lose all your hard work and it will revert to the unknown secret)
  16. Reboot the device to prove correct configuration and trigger all interfaces to return to an up / up status by typing
    • Router#Reload
And that's how I get into all those systems where no one knows the password because it was set by a contractor who emailed the password to the guy who quit six months ago!

Hope it helps!