Recovering a Cisco Router with the Password Recovery Service Disabled

 

Password recovery is the process used to regain control of a Cisco router that is no longer administratively accessible (for example, because the credentials needed to log in have been forgotten). The process allows anyone with access to the physical console to interrupt the router's boot sequence and force it into ROM monitor mode (rommon). From rommon the router can then be told to boot without referencing its startup configuration, so that the user can reach privileged exec (enable) mode on the console and retrieve or modify the saved configuration.

Naturally, this means that anyone with physical access to the device can view a potentially sensitive router configuration. Cisco provides the option of disabling the password recovery service to mitigate such physical attacks.

Disabling Password Recovery

Disabling the password recovery service is done in the same way as disabling any other IOS service, with a variant of the no service command. Note, however, that this particular command has been omitted from context-sensitive help because of its potentially dangerous nature.

Router(config)# no service password-?

password-encryption

 

Router(config)# no service password-recovery

WARNING:

Executing this command will disable password recovery mechanism.

Do not execute this command without another plan for

password recovery.

 

Are you sure you want to continue? [yes/no]: y

Router(config)#

The line no service password-recovery appears in the running configuration at this point. The command itself is somewhat peculiar: it persists across reloads without being written to the startup configuration, yet it shows up in the running configuration regardless.

On the next reload, a message announcing that the password recovery service is disabled can be seen.

System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 2006 by cisco Systems, Inc.

C1800 platform with 131072 Kbytes of main memory with parity disabled

 

Upgrade ROMMON initialized

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

program load complete, entry point: 0x80012000, size: 0xc0c0

 

Initializing ATA monitor library.......

program load complete, entry point: 0x80012000, size: 0xc0c0

Recovering the Router Without the Password Recovery Service

At this point, you may be wondering what recourse you’re left with should password recovery need to be performed. Fortunately, even with password recovery disabled, a forgotten password won’t turn your router into a brick. Although you won’t be able to access rommon, you do have the option of erasing the startup configuration by sending a break signal during boot.


System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 2006 by cisco Systems, Inc.

C1800 platform with 131072 Kbytes of main memory with parity disabled

 

Upgrade ROMMON initialized

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

program load complete, entry point: 0x80012000, size: 0xc0c0

 

Initializing ATA monitor library.......

program load complete, entry point: 0x80012000, size: 0xc0c0

 

Initializing ATA monitor library.......

 

program load complete, entry point: 0x80012000, size: 0x167e724

Self decompressing the image : #################################################

################################################################################

################################################################ [OK]

 

Restricted Rights Legend

 

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software – Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

 

cisco Systems, Inc.

170 West Tasman Drive

San Jose, California 95134-1706

 

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T,

RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2009 by Cisco Systems, Inc.

Compiled Thu 26-Feb-09 03:22 by prod_rel_team

 

[ Send break signal here ]

 

PASSWORD RECOVERY IS DISABLED.

Do you want to reset the router to factory default

configuration and proceed [y/n] ? y

Reset router configuration to factory default.

 

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

 

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

 

If you require further assistance please contact us by sending email to

export@cisco.com.

 

Installed image archive

Cisco 1811W (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.

Processor board ID FHK110913UQ, with hardware revision 0000

 

10 FastEthernet interfaces

1 Serial interface

1 terminal line

125440K bytes of ATA CompactFlash (Read/Write)

[OK][OK]

SETUP: new interface FastEthernet0 placed in "shutdown" state

SETUP: new interface FastEthernet1 placed in "shutdown" state

 

Press RETURN to get started!

 

*Oct 10 04:41:15.971: %SYS-5-RESTART: System restarted --

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T,

RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2009 by Cisco Systems, Inc.

Compiled Thu 26-Feb-09 03:22 by prod_rel_team

*Oct 10 04:41:18.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down

*Oct 10 04:41:18.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down

Router> enable

Router# show startup-config

Using 5 out of 196600 bytes

End

 

At this point you are able to restore the device's configuration (minus the forgotten credentials) from a backup.

One final note: attempting to set certain configuration register values while password recovery is disabled will result in an error.

 

Router(config)# config-register 0x2142

Password recovery is disabled, cannot enable diag or ignore configuration.

 

Router(config)# service password-recovery

Router(config)# config-register 0x2142

Router(config)#
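Because the no service password-recovery line is only reported by show running-config, and because a break during boot on such a router wipes the configuration, a fleet audit needs to read the running configuration and confirm an offline backup exists. The following Python script is an added example, not code from the original article; its configuration and console samples are constructed, and the finding codes and the backup_on_file flag are assumptions of the example.

```python
import re

# Constructed samples, not captures from the article. The running configuration of a
# router on which "no service password-recovery" was issued carries the line; the
# startup configuration saved afterwards does not, which is the quirk the article notes.
SAMPLE_RUNNING_CONFIG = """\
!
version 12.4
no service password-recovery
service password-encryption
!
hostname Router
!
"""
SAMPLE_STARTUP_CONFIG = SAMPLE_RUNNING_CONFIG.replace("no service password-recovery\n", "")

# Constructed console capture of the ROMMON banner printed on reload.
SAMPLE_BOOT_LOG = """\
System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Upgrade ROMMON initialized
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
"""

DISABLED_LINE = re.compile(r"^\s*no service password-recovery\s*$", re.MULTILINE)
BANNER = "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED"


def recovery_disabled(config_text: str) -> bool:
    """True when the text contains 'no service password-recovery'.
    Feed it 'show running-config' output; 'show startup-config' will not show it."""
    return DISABLED_LINE.search(config_text) is not None


def audit(running_config: str, console_log: str = "", backup_on_file: bool = False) -> list:
    """Return finding codes (assumed names) for one device.
    NO_OFFLINE_BACKUP  recovery is disabled, so a lost password means a factory reset;
                       an up-to-date copy of the config must exist elsewhere.
    BANNER_MISMATCH    running-config and the ROMMON boot banner disagree; one capture
                       is stale or came from a different device.
    RECOVERY_ENABLED   anyone with console access can still read the config via rommon."""
    disabled = recovery_disabled(running_config)
    findings = []
    if disabled and not backup_on_file:
        findings.append("NO_OFFLINE_BACKUP")
    if console_log and disabled != (BANNER in console_log):
        findings.append("BANNER_MISMATCH")
    if not disabled:
        findings.append("RECOVERY_ENABLED")
    return findings


if __name__ == "__main__":
    print("running-config says disabled:", recovery_disabled(SAMPLE_RUNNING_CONFIG))
    print("startup-config says disabled:", recovery_disabled(SAMPLE_STARTUP_CONFIG))
    print("findings:", audit(SAMPLE_RUNNING_CONFIG, SAMPLE_BOOT_LOG))
```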

 
