Chapter 17
IOS Backup & Password
Breaking Technique of
Routers & Switches
powered by DJ
1
Chapter Objectives
At the end of this Chapter you will be able to:
Manage system image
Configure device configuration files
Perform Disaster Recovery
Recover Cisco IOS from tftpdnld and xmodem commands
Break password of 2500, 2600, 2800 series Routers and also 1900
& 2950 series switches
powered by DJ
2
The Cisco IOS File System

NOTE: The Cisco IOS File System (IFS) provides a single interface to all the
file systems available on a routing device, including the flash memory file
system; network file systems such as TFTP, Remote Copy Protocol (RCP),
and File Transfer Protocol (FTP); and any other endpoint for reading and
writing data, such as NVRAM, or the running configuration.
powered by DJ
3
Commands
Cisco IOS Software Commands IFS Commands
copy tftp running-config
copy tftp: system:running-config
copy tftp startup-config
copy tftp: nvram:startup-config
show startup-config
more nvram:startup-config
erase startup-config
erase nvram:
copy running-config startup-config
copy system:running-config
nvram:startup-config
copy running-config tftp
copy system:running-config tftp:
show running-config
more system:running-config
powered by DJ
4
Backing Up Configurations to a TFTP Server
#copy running-config startupconfig
#copy running-config tftp
Address or name of remote
host[ ]?
192.168.119.20
Destination Filename [Denverconfg]? Enter
!!!!!!!!!!!!!!!
Saves the running
configuration from DRAM to
NVRAM (locally).
Copies the running
configuration to the remote
TFTP server.
The IP address of the TFTP
server.
The name to use for the file
saved on the TFTP server.
Each bang symbol (!) = 1
datagram of data.
624 bytes copied in 7.05 secs
#
powered by DJ
File has been transferred
successfully.
5
Restoring Configurations from a TFTP Server
#copy tftp running-config
Copies the configuration file from the
TFTP server to DRAM.
Address or name of remote host[
]?
192.168.119.20
The IP address of the TFTP server.
Source filename [ ]?Denver-confg
Enter the name of the file you want to
retrieve.
Destination filename [runningconfig]? R
Accessing
tftp://192.168.119.20/Denverconfg
…
Loading Denver-confg from
192.168.119.02
(via Fast Ethernet 0/0):
[OK-624 bytes]
624 bytes copied in 9.45 secs
!!!!!!!!!!!!!!
powered by DJ
#
6
File has been transferred
successfully.
Configuration Register & Password Recovery Procedure
router#show version
The last line of output tells you
what the configuration register
is set to.
router#configure terminal
Moves to global configuration
mode.
router(config)#config-register
0x2142
Changes the configuration
register
to 2142.
powered by DJ
7
Register Value
Hexadecimal
Meaning
0x0000–0x000F
Boot field
0x0040
Ignore NVRAM contents
0x0080
OEM bit enabled
0x0100
Break disabled
0x0200
Causes system to use secondary
bootstrap (typically not used).
0x0400
IP broadcast with all 0s
5, 11, 12
0x0020, 0x0800,
0x1000
Console line speed
13
0x2000
Boots default ROM software if network
boot fails.
14
0x4000
IP broadcasts do not have net numbers.
15
0x8000
Enables diagnostic messages and
ignores NVRAM
Bit Number
00–03
06
07
08
09
10
powered by DJ
8
Password-Recovery Procedures for Cisco Routers
Step
2500 Series Commands
Step 1: Boot the router
and interrupt the boot
sequence as soon as text
appears on the screen.
Press Ctrl-Break
>
Step 2: Change the
configuration register to
ignore contents of
NVRAM.
>o/r 0x2142
>
rommon 1>confreg
0x2142
rommon 2>
Step 3: Reload the router
Step 4: Enter privileged
mode. (Do not enter setup
mode.)
>i
Router>enable
Router#
rommon 2>reset
Router>enable
Router#
Step 5: Copy the startup
configuration into the
running configuration.
Router#copy startupconfig
running-config
…<output cut>…
#
Router#copy startupconfig
running-config
…<output cut>…
#
powered by DJ
1700/2600/ISR Series
Commands
Press Ctrl-Break
rommon 1>
9
Conti…
Step 6: Change the
password.
#configure
Terminal
(config)#enable
secret new
(config)#
Step 7: Reset the
(config)#configregister
configuration register back to 0x2102
its default value.
(config)#
Step 8: Save the
(config)#exit
configuration.
#copy runningconfig
startup-config
#
Step 9: Verify the
#show version
configuration register.
…<output cut>…
Configuration register
is 0x2142 (will be
0x2102 at next reload)
#
Step 10: Reload the router. #reload
powered by DJ
#configure
Terminal
(config)#enable
secret new
(config)#
(config)#configregister
0x2102
(config)#
(config)#exit
#copy runningconfig
startup-config
#
#show version
…<output cut>…
Configuration register
is 0x2142 (will be
0x2102 at next reload)
#
#reload
10
Password Recovery for 2960 Series
Unplug the power supply from the
Switches
back of the switch.
Press and hold the Mode button on the
front of the switch.
Plug the switch back in.
Release the Mode button when the
SYST LED blinks amber and then
turns solid green. When you release
the Mode button, the SYST LED blinks
green.
Issue the following commands:
switch: flash_init
Initializes the flash memory.
switch: load_helper
switch: dir flash:
Do not forget the colon. This displays
which files are in flash memory.
switch: rename flash:config.text
You are renaming the configuration
flash:config.old
file. The
config.text file contains the password.
switch: boot
Boots the switch.
powered by DJ
11
Conti..
When asked whether you want to enter
the
configuration dialog, enter n to exit out
to the switch prompt.
switch>enable
switch#rename flash:config.old
flash:config.text
Destination filename [config.text]
switch#copy flash:config.text
system:running-config
768 bytes copied in 0.624 seconds
2960Switch#
2960Switch#configure terminal
2960Switch(config)#
Proceed to change the passwords as
needed
2900Switch(config)#exit
2900Switch#copy
running-config
powered by DJ
startupconfig
Takes you to user mode.
Enters privileged mode.
Renames the configuration file back to
the original name.
Press Enter
Copies the configuration file into
memory.
The configuration file is now reloaded.
Notice the new prompt.
Enters global configuration mode.
Saves the configuration
into NVRAM
12
with new passwords.
THANK YOU
powered by DJ
13