IOS映像和密码恢复
IOS Image and Password Recovery
深圳职业技术学院计算机系网络专业
© 2006, Shenzhen Polytechnic. All rights reserved.
1
教学目标( Objectives )
1.路由器启动顺序(Router Startup Sequence )
2.路由器加载IOS顺序
(Router Load IOS Sequence )
3.配置路由器寄存器
(Configuring Router Configuration Register )
4.路由器密码破解(Router Password Recovery)
5. IOS和配置文件备份
(Backup IOS and Configuration File)
6. IOS的恢复或升级
( Recovery or Upgrade IOS )
© 2006, Shenzhen Polytechnic. All rights reserved.
2
Cisco IOS
Internetwork
Operating
System
Cisco
IOS
Software
互联网操作系统
© 2006, Shenzhen Polytechnic. All rights reserved.
3
启动顺序预览(An Overview of System Startup)
• 上电自检(Power on self test (POST))
• 装载引导程序(Load and run bootstrap code)
• 查找IOS(Find the IOS software)
• 装载IOS( Load the IOS software)
• 查找配置文件(Find the configuration)
• 装载配置文件(Load the configuration)
• 运行(Run)
© 2006, Shenzhen Polytechnic. All rights reserved.
4
启动顺序( Startup Sequence )
RAM
Bootstrap
ROM
装载启动程序Load Bootstrap
装载IOS
Flash
TFTP Server
ROM
Cisco
Internetwork
Operating
System
装载配置文件或
进入Setup模式
NVRAM
TFTP Server
Console
© 2006, Shenzhen Polytechnic. All rights reserved.
Locate and Load
Operating System
Configuration
File
Locate and Load
Configuration File or
Enter Setup Mode
5
加载 IOS顺序( Load IOS Sequence )
show
startup-config
Console
show
version
NVRAM
Config register
配置寄存器
1.在配置文件中,boot system命令指定了查找顺序,路由器会依次使用
Global configuration mode boot system commands can be specified
to enter fallback sources for the router to use in sequence. The
router will use these commands as needed, in sequence, when it
restarts.
2.否则,路由器会使用自己的Flash中的IOS软件
If NVRAM lacks boot system commands that the router can use, the
system by default uses the Cisco IOS software in flash memory.
© 2006, Shenzhen Polytechnic. All rights reserved.
6
定位IOS( Locating the Cisco IOS Software)
配置寄存器( Configuration Registers )
更改NVRAM中的寄存器,会改变Cisco IOS软件的基本选项,可以指定从哪里引导IOS
Router# configure terminal
Router(config)# boot system
Router(config)# boot system
Router(config)# boot system
[Ctrl-Z]
Router# copy running-config
flash IOS_filename
tftp IOS_filename tftp_address
rom
startup-config
Boot system commands not found In NVRAM
Get default Cisco IOS software from Flash
Flash memory empty
Get default Cisco IOS software from TFTP server
From ROM
© 2006, Shenzhen Polytechnic. All rights reserved.
7
ROM功能( ROM Functions )
ROM
Bootstrap
POST
show version
Mini IOS
ROM
monitor
Console
Mini IOS——RXBOOT模式
ROM monitor——ROMMON模式
© 2006, Shenzhen Polytechnic. All rights reserved.
8
查看当前配置寄存器的值
(Determining the Current Configuration Register Value)
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(8)T1, RELEASE
SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sat 30-Mar-02 20:08 by ccai
Image text-base: 0x80008074, data-base: 0x80A29E20
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE
SOFTWARE (fc1)
Router uptime is 5 minutes
System returned to ROM by reload
System image file is "flash:c2600-i-mz.122-8.T1.bin“
……
Configuration register is 0x2102
© 2006, Shenzhen Polytechnic. All rights reserved.
9
配置寄存器组成(Component of Configuration Registers )
寄存器组成:4位16进制
格式:0xABCD
15 14 13 12
实例
11 10 9 8
765 4
3210
A
B
C
D
2
1
0
2
Console口
D: 启动域
速率设定表
C:使得系统软件忽略NVRAM中的内容 ,关键位“6”
(1)值为0,当路由器启动后会从NVRAM里面的配
置文件调到RAM里运行
(2)值为1,路由器启动后会忽略NVRAM的配置
A:13位,网络启动次数,值为1 ——5次
值为0——无数次
© 2006, Shenzhen Polytechnic. All rights reserved.
12 11
速率
0
0
9600
0
1
4800
1
0
1200
1
1
2400
10
启动域取值( Boot Field Values)
Router#configure terminal
Router(config)#config-register 0x2102
[Ctrl-Z]
Router#reload
配置寄存器启动域值
Value of Boot Field
描述
Description
0x0
路由器启动后会进入
ROMMON模式
0x1
路由器从ROM中启动,进入
RXBOOT模式(FLASH空)
0x2 to 0xF
© 2006, Shenzhen Polytechnic. All rights reserved.
路由器属于正常启动,如果
路由器有FLASH,2是缺省值
11
Case Study(1)
分别按下面步骤修改寄存器的值,然后重新启动
,并比较不同点:
1.将寄存器的值修改为0x2100
2.将寄存器的值修改为0x2101
3.将寄存器的值修改为0x2102
4.将寄存器的值修改为0x2142
Configuration register value in show version
0x2102 :工业默认值
0x2142 :从FLASH中启动,但不使用NVRAM中的配置文件(用于口
令恢复)
© 2006, Shenzhen Polytechnic. All rights reserved.
12
路由器密码破解(Password Recovery)
?
Password
I don’t know.
So,how can I do?
密码恢复
© 2006, Shenzhen Polytechnic. All rights reserved.
13
破解步骤(Steps)
© 2006, Shenzhen Polytechnic. All rights reserved.
14
准备TFTP服务器(Preparing for TFTP)
FLASH
TFTP
Server
RAM
Router# show flash
System flash directory:
File Length
Name/status
1
5848552 c2600-i-mz.122-8.T1.bin
[5848616 bytes used, 10928600 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)
Router# ping tftp_address
...
!!!!!
(On the TFTP server, for example, a UNIX host)
dir c2600-i-mz.122-8.T1.bin
确定TFTP服务器有足够的空间
Verify that Flash memory has roomfor the Cisco IOS image
© 2006, Shenzhen Polytechnic. All rights reserved.
15
备份IOS (Backup IOS )
FLASH
copy flash tftp
RAM
TFTP
Server
Router# show flash
System flash directory:
File Length Name/status
1 5848552 c2600-i-mz.122-8.T1.bin
[5848616 bytes used, 10928600 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)
Router# copy flash tftp
Source filename [c2600-i-mz.122-8.T1.bin]?
Address or name of remote host []? 10.1.1.2
Destination filename [c2600-i-mz.122-8.T1.bin]?
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Router#
© 2006, Shenzhen Polytechnic. All rights reserved.
16
从网络升级IOS
(Upgrading IOS from the Network)
FLASH
RAM
copy tftp flash
TFTP
Server
Router# copy tftp flash
IP address or name of remote host [255.255.255.255]? 10.1.1.2
Name of tftp filename to copy into flash []? c2600-i-mz.122-8.T1.bin
copy c2600-i-mz.122-8.T1.binfrom10.1.1.2 into flash memory? [confirm] <Return>
xxxxxxxx bytes available for writing without erasure.
erase flash before writing? [confirm] <Return>
Clearing and initializing flash memory (please wait)####...##
Loading from 10.1.1.2: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!(text omitted) [OK - 324572/524212 bytes]
Verifying checksum...
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVV(text omitted)
Flash verification successful. Length = 1804637, checksum = 0xA5D3
© 2006, Shenzhen Polytechnic. All rights reserved.
17
备份配置文件到TFTP服务器
(Backup Running-config to Tftp Server)
Network
server
running-config
R1#copy running-config tftp
Address or name of remote host []? 10.1.1.2
Destination filename [r1-confg]?
!!
691 bytes copied in 0.725 secs
© 2006, Shenzhen Polytechnic. All rights reserved.
18
从TFTP下载配置文件
(Update Running-config from Tftp Server)
Network
server
running-config
R1#copy tftp running-config
Address or name of remote host []? 10.1.1.2
Source filename []? r1-confg
Destination filename [running-config]?
Accessing tftp://10.1.1.2/r1-confg...
Loading r1-confg from 10.1.1.2 (via FastEthernet0/0): !
[OK - 691/1024 bytes]
691 bytes copied in 0.854 secs
© 2002, Cisco Systems, Inc. All rights reserved.
Case Study (2)
1.Cisco IOS 备份
2.running-config备份与加载
R1
fa0/0:10.1.1.1/24
TFTP
SERVER
© 2006, Shenzhen Polytechnic. All rights reserved.
PC1:10.1.1.2/24
GW:10.1.1.1
20
深入实验(Further Study )
R1
R2
fa0/0:10.1.1.1/24
TFTP
SERVER
© 2006, Shenzhen Polytechnic. All rights reserved.
PC1:10.1.1.2/24
GW:10.1.1.1
21
Case Study(4)
从TFTP Server加载IOS
Router
© 2006, Shenzhen Polytechnic. All rights reserved.
Network
server
22
思考题(Questions)
1.Cisco 默认加载IOS的顺序是什么?
2.配置寄存器的启动域的0,1和2所代表的含义是什么?
3.用什么命令可以查看配置寄存器的值?
4.用什么命令可以修改配置寄存器的值?
5. 配置寄存器的值2102是十进制还是十六进制?
6.在什么模式下可以恢复路由器的密码?
7.当我们升级IOS时,应该注意哪些事情?
8.用什么命令可以从TFTP服务器上下载新的IOS?
9.路由器的启动顺序是怎样的?
10.如何查看IOS软件的大小?
11.备份配置文件的命令包含哪些?
12.路由器密码破解的核心思想是什么?
© 2006, Shenzhen Polytechnic. All rights reserved.
23
