
Upgrading the IOS on a router and recovering the router password


THIS DOCUMENT HAS TWO PARTS: A ROUTER PASSWORD RECOVERY GUIDE AND AN IOS UPGRADE GUIDE

Cisco IOS Router Password Recovery
It happens to the best of us: you are doing some labs and forgot what password you set for
enable mode… perhaps another student was working on the router before and you have no
idea what password they picked. Maybe you need to reset the password of a router you didn't
configure…

Whatever the reason, let me show you how to reset the password of your Cisco router. This
only applies to routers; if you need to reset the password for a switch, you need another
tutorial.
Let’s take a look:
Router>enable
Password:
Password:
Password:
% Bad secrets
Ouch… "bad secrets" means we didn't type the correct password. To fix this you need to
connect to the router's console port; the procedure can't be done remotely through Telnet or
SSH. That is by design: password recovery gives full control of the device, so it requires
physical access.

Power-cycle the router and send the BREAK signal during the first 60 seconds of the boot,
while the bootstrap is still running. This interrupts the boot sequence before the IOS image
(Cisco's operating system) is loaded. If you are using Windows and PuTTY you can probably
use the CTRL-BREAK combination to send a break signal. If this doesn't work, Cisco documents
the break sequences for other terminal emulators in its "Standard Break Key Sequence
Combinations During Password Recovery" document.


When the router accepts your BREAK it will head into ROMMON mode. ROMMON is like a
mini operating system that helps to initialize the hardware and boots the Cisco IOS. Here’s
what it looks like:
Readonly ROMMON initialized


rommon 1 >
This tells us that we are in ROMMON mode. We can only configure a couple of items here;
one of the things we can do is tell the router to ignore its startup-configuration when booting
the IOS image. This is exactly what we want, because it means it will also not load the
password that we configured (and forgot). Here's how to do it:
rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
We set the configuration register to 0x2142 with the confreg command. The default value is
0x2102; 0x2142 differs from it only in bit 6 (0x0040), which tells the router to ignore the
contents of NVRAM, that is, the startup-configuration, when booting. The router is nice
enough to tell us we should reboot, so let's follow its advice:
rommon 2 > reset

c2811 platform with 786432 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled

Readonly ROMMON initialized

program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0x38bbd64
Self decompressing the image : #######################

The router will boot and load its IOS image; once it's ready you will see the following wizard:

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no


Because the router is not loading its startup-configuration, it shows the wizard that appears
when there is no configuration at all. Just type no and you will end up at the command line.
We will now go to enable mode:
Router>enable
Router#
Great! We now have full access to the router and it didn't prompt for a password. This is
also why the confreg trick only works from the console: anyone who can reach the console
port can do this, which is exactly what the no service password-recovery command is meant
to prevent (at the cost of making a lost password unrecoverable without wiping the
configuration). We will now copy the startup-configuration to the running-configuration
ourselves. By doing this your configuration becomes active while we stay in privileged
mode, which allows us to change the password:
Router#copy startup-config running-config
Destination filename [running-config]?
1831 bytes copied in 1.012 secs (1809 bytes/sec)
One side effect of this copy: interfaces that were up in the saved configuration come up
administratively down, because the running configuration started out empty and the merge
does not apply an implicit no shutdown. Check show ip interface brief and issue no shutdown
on the interfaces you use.
Your configuration is now active, let's see what the password that we forgot about looks
like:
Router#show run | include enable
enable secret 5 $1$aAHw$ZUJuS7oxPrVfap1ev8YaU.
This router has an "enable secret", which stores a hash of our password (the leading 5 marks
it as type 5, MD5-crypt). There's no way to read the original password back, so I'll change it
to something else. If the router used the "enable password" command instead, you would be
able to retrieve it: it is stored in clear text, or as a type 7 string when service
password-encryption is on, and type 7 is trivially reversible. Saving clear-text or type 7
passwords in your configuration is not a good idea. To change the password we need to go to
configuration mode first:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Now I can set a new password. I'll call mine "mypassword". Also we should not forget to set
the configuration register back to the default value. If you forget this, the router will
ignore the startup-configuration again next time it boots, which means it comes up with no
configuration and no passwords at all:

Router(config)#enable secret mypassword
Router(config)#config-register 0x2102
Now you can exit the configuration mode:
Router(config)#end
Router#
Don't forget to save your configuration:
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
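As an added example (not part of the original tutorial), the Python script below shows why the distinction between "enable secret" and "enable password" matters and why the configuration register must be put back. It decodes Cisco's type 7 obfuscation, which is a fixed-key XOR with a publicly known key rather than encryption; audits a configuration dump for credential lines stored in clear text, as type 7 or as type 5; and decodes the configuration-register bits so a leftover 0x2142 is caught. The sample configuration is constructed for this example (the enable secret hash is the one shown above, the type 7 strings encode "cisco"); the type 8/9 recommendation applies to IOS releases that support enable algorithm-type.

```python
"""Audit a Cisco IOS configuration for weak credential storage.

Added example, not from the tutorial. Type 7 'encryption' is a fixed-key XOR
(the key is public), so anything stored that way is effectively clear text.
"""
import re

# Fixed key Cisco uses for type 7 strings (publicly documented, not a secret).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
_TYPE7_RE = re.compile(r"^(\d{2})((?:[0-9A-Fa-f]{2})+)$")

# Credential lines covered: enable secret/password, username ..., ip ftp password.
_CRED_LINE = re.compile(
    r"^\s*(?P<prefix>enable|username \S+(?: privilege \d+)?|ip ftp)\s+"
    r"(?P<kind>secret|password)(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)\s*$"
)
_CONFREG_LINE = re.compile(r"^\s*config-register\s+0x([0-9A-Fa-f]{1,4})\s*$")


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: 2-digit decimal seed, then bytes XOR'd with the key."""
    m = _TYPE7_RE.match(encoded)
    if not m or int(m.group(1)) > 15:
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(m.group(1))
    data = bytes.fromhex(m.group(2))
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Forward direction, only to show that the scheme is a symmetric XOR."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    raw = plain.encode("latin-1")
    body = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(raw))
    return f"{seed:02d}{body.hex().upper()}"


def confreg_flags(value: int) -> dict:
    """Decode the configuration-register bits that matter for password recovery."""
    return {
        "boot_field": value & 0x000F,          # 0x2 = boot from flash / boot system commands
        "ignore_nvram": bool(value & 0x0040),  # set in 0x2142, clear in the default 0x2102
        "break_disabled": bool(value & 0x0100),
    }


def audit_config(config: str) -> list:
    """Return one finding per credential line or risky config-register line."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = _CRED_LINE.match(line)
        if m:
            ptype, value = m.group("type") or "0", m.group("value")
            if ptype == "0":
                sev, note = "HIGH", f"clear-text credential {value!r}"
            elif ptype == "7":
                sev, note = "HIGH", f"type 7 is reversible: {type7_decode(value)!r}"
            elif ptype == "5":
                sev, note = "MEDIUM", ("type 5 is MD5-crypt, cheap to brute-force; "
                                       "use type 8/9 where enable algorithm-type exists")
            elif ptype in ("8", "9"):
                sev, note = "INFO", "type 8/9 (PBKDF2-SHA256 / scrypt): current recommendation"
            else:
                sev, note = "INFO", f"unrecognised password type {ptype}"
            findings.append({"line": lineno, "severity": sev, "text": line.strip(), "note": note})
            continue
        m = _CONFREG_LINE.match(line)
        if m and confreg_flags(int(m.group(1), 16))["ignore_nvram"]:
            findings.append({"line": lineno, "severity": "HIGH", "text": line.strip(),
                             "note": "ignore-NVRAM bit set: router boots with no config and no passwords"})
    return findings


# Constructed sample configuration (not a real device); the enable secret hash is the one
# from the recovery walkthrough, the type 7 strings encode "cisco".
SAMPLE_CONFIG = """\
! constructed sample config for the audit example
hostname R1
enable secret 5 $1$aAHw$ZUJuS7oxPrVfap1ev8YaU.
enable password 7 0822455D0A16
username admin privilege 15 password cisco
ip ftp username admin
ip ftp password 7 0822455D0A16
config-register 0x2142
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2} [{f['severity']}] {f['text']}\n    -> {f['note']}")
```

Run it against the output of show running-config saved to a file; any HIGH finding is a credential an attacker gets for free from a config backup or a TFTP-served config, and a HIGH on config-register means the next reboot will come up wide open.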


How to upgrade Cisco IOS Image
Cisco IOS devices typically use their flash memory to store the IOS image. On most
routers, this flash memory can be easily replaced. On some switches, it is integrated in
the device and can’t be replaced.
In this lesson, I'll show you several options for copying a new IOS image to your
Cisco IOS router or switch. I will use a Cisco 2800 IOS router in these examples.
(Screenshot from the Cisco software download page: file name and MD5 checksum of the image)

The download page shows the file name and the MD5 checksum of the image. The checksum
lets you check that the file you downloaded is the same one Cisco published and has not
been changed in transit; I'll show you how to verify it on the router later.
Once you have downloaded the IOS image, check whether you have enough space left on your
flash memory:


R1#show flash:
-#- --length-- -----date/time------ path
1         1119 Sep 29 2015 11:11:52 +00:00 r1-r2-r3.cfg
2         1184 Dec 3 2014 15:14:06 +00:00 R1-R2-ASA1-ASA2.cfg
3         1125 Dec 23 2014 13:41:32 +00:00 ASA1-R1-R2-R3.cfg
5           76 Jul 17 2014 12:09:10 +00:00 System Volume Information/IndexerVolumeGuid
6         1060 Aug 11 2015 12:53:50 +00:00 mpls-pe-ce-basicaddressing.cfg
7         1213 Sep 30 2015 15:05:02 +00:00 router-on-a-stick.cfg
8     67926080 Apr 2 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin

3862364160 bytes available (137428992 bytes used)

On my flash memory, there are a bunch of configuration files and the current IOS
image. There are 3862364160 bytes available (about 3.8 GB) and the new image is about
68 MB, so we have plenty of space. When we want to copy something to or from this router,
we use the copy command:
R1#copy ?
  /erase          Erase destination file system.
  /error          Allow to copy error file.
  /noverify       Don't verify image signature before reload.
  /verify         Verify image signature before reload.
  archive:        Copy from archive: file system
  cns:            Copy from cns: file system
  flash:          Copy from flash: file system
  ftp:            Copy from ftp: file system
  http:           Copy from http: file system
  https:          Copy from https: file system
  null:           Copy from null: file system
  nvram:          Copy from nvram: file system
  pram:           Copy from pram: file system
  rcp:            Copy from rcp: file system
  running-config  Copy from current system configuration
  scp:            Copy from scp: file system
  startup-config  Copy from startup configuration
  system:         Copy from system: file system
  tar:            Copy from tar: file system
  tftp:           Copy from tftp: file system
  tmpsys:         Copy from tmpsys: file system
  xmodem:         Copy from xmodem: file system
  ymodem:         Copy from ymodem: file system

We have a lot of options. The most common options for copying an IOS image are:

- TFTP
- FTP
- SCP

I will explain all three options to you.
Newer routers also support copying from USB sticks. This will show up as usbflash: in the
filesystem overview.

TFTP
TFTP (Trivial File Transfer Protocol) is similar to FTP but much simpler, a lightweight
version. It doesn't support authentication or encryption and uses UDP for transmission.
That also means anyone on the path can read the image or, worse, hand the router a
different one, so use TFTP only on an isolated management segment, run the server only
for the duration of the transfer, and verify the checksum of whatever lands on flash
afterwards. I will use the following topology:

(Topology diagram: a PC running the TFTP server at 192.168.1.200, connected to
FastEthernet0/0 of R1)

We need a TFTP server application; a great choice here is TFTPD32. You can download it
for free and it's a single executable, no need to install anything. Once you have
downloaded and started TFTPD32, you will see its main screen.

Make sure you select the correct directory where you downloaded your IOS image and,
if you have multiple network interfaces, select the correct interface.
The copy command works in both directions. I can copy to and from the TFTP server.
Here’s how to copy the current IOS image to the TFTP server:
R1#copy flash: tftp:
Source filename []? c2800nm-adventerprisek9-mz.151-4.M10.bin
Address or name of remote host []? 192.168.1.200
Destination filename [c2800nm-adventerprisek9-mz.151-4.M10.bin]?
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
67926080 bytes copied in 312.508 secs (217358 bytes/sec)

When you use the copy flash: tftp: command, it will ask you for the IP address and
filename. When you see something between [] (brackets), you can just hit the enter
button. For example, since I specified the source name, the router assumes I want to
use the same file name for the destination. Don’t type “y” or “yes” here or that will
become the destination filename.


If you are unable to connect to the TFTPD32 server, check your Windows firewall.

We can see the transfer on our router or you can see it in TFTPD32:


We now have a backup of our current IOS image. Let’s copy the new image to the
router:
R1#copy tftp: flash:
Address or name of remote host []? 192.168.1.200
Source filename []? c2800nm-adventerprisek9-mz.151-4.M12a.bin
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?
Accessing tftp://192.168.1.200/c2800nm-adventerprisek9-mz.151-4.M12a.bin...
Loading c2800nm-adventerprisek9-mz.151-4.M12a.bin from 192.168.1.200 (via FastEthernet0/0):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 67929600 bytes]
67929600 bytes copied in 316.628 secs (214541 bytes/sec)

The transfer has completed, let’s take a look at our flash memory:


R1#show flash: | include .bin
8     67926080 Apr 2 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin
25    67929600 Nov 4 2016 12:11:22 +00:00 c2800nm-adventerprisek9-mz.151-4.M12a.bin

Above we can see the new IOS image.
The copy command also allows you to enter parameters like the IP address of the TFTP
server and filenames. Here is an example:
R1#copy tftp://192.168.1.200/c2800nm-adventerprisek9-mz.151-4.M12a.bin flash:
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?


Above you can see that I already entered the IP address and filename. Once I hit enter,
it will only ask me for the destination filename (which I also could have entered). If you
have to upgrade the IOS image on multiple devices, this is more convenient as you can
just copy/paste the above line on all devices.

FTP
Copying to or from an FTP server is also no problem, we can do this with the same
copy command. One thing you might have to deal with is authentication. Most FTP
servers will require a username and password. Here is the topology I will use:

There are two things we can do to supply a username and password. Here is option
one:
R1(config)#ip ftp username admin
R1(config)#ip ftp password cisco

We can globally configure the username and password that we want to use for the FTP
server. When you use the copy command, Cisco IOS will use these values for
authentication.
Personally, I don't like leaving this information in the running configuration: ip ftp
password is stored in clear text (type 7 at best, with service password-encryption), so
anyone who can read the configuration gets the FTP credentials. It's also possible to
supply a username and password with the copy command. Here is an example:
R1#copy ftp://admin:cisco@192.168.1.201/c2800nm-adventerprisek9-mz.151-4.M12a.bin flash:
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?
Accessing ftp://*****:*****@192.168.1.201/c2800nm-adventerprisek9-mz.151-4.M12a.bin...
Loading c2800nm-adventerprisek9-mz.151-4.M12a.bin from 192.168.1.201 (via FastEthernet0/0):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 67929600 bytes]
67929600 bytes copied in 884.704 secs (76782 bytes/sec)

Above you can see I embedded the username "admin", the password "cisco" and the IP
address of my FTP server in the URL. This way is also easier: you can copy/paste this
line on all devices that require an IOS image upgrade. Keep in mind that the password
then sits in the command history of every device you paste it on, and that FTP sends
both the credentials and the image in clear text over the wire, so this is no more
trustworthy than TFTP; verify the checksum afterwards.

SCP
Last but not least, we have SCP (Secure Copy), which runs over SSH. This is a great
method for three reasons:

- It allows you to use your router/switch as an SCP server.
- The login is authenticated and the transfer is encrypted.
- You probably already have SSH configured on your router or switch.

I will show you how to configure your router as an SCP server and how to copy files
to/from it. I'm going to use two routers for this:

(Topology diagram: R1 at 192.168.1.1 as the SCP server, R2 as the SCP client)


R1 Configuration
First, we have to configure SSH:
R1(config)#ip domain-name NETWORKLESSONS.LOCAL
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local
R1(config)#crypto key generate rsa
The name for the keys will be: R1.NETWORKLESSONS.LOCAL
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
R1(config)#ip ssh version 2

A 1024-bit modulus is enough to make the lab work, but it is below what current SSH
clients and guidance accept; on production devices generate 2048 bits or more. Note
that login local on the vty lines only works once a local username exists, which we
add below.

Now we only need two additional commands for SCP. The first one is to enable the
SCP server:
R1(config)#ip scp server enable

And we need a user that has full access to the router:
R1(config)#username admin privilege 15 password cisco

Two notes on that last line. First, username ... password stores the password in clear
text (type 7 with service password-encryption); use username admin privilege 15 secret
cisco so it is stored as a hash instead. Second, Cisco's SCP configuration guide also
enables AAA (aaa new-model, aaa authentication login default local, aaa authorization
exec default local) so that the SCP user is authorized at privilege level 15; if the copy
later fails with an authorization error, add those three lines.

Let’s continue with R2, our SCP client.


R2 Configuration
R2 will be our SCP client. Let’s try the copy command:
R2#copy scp: flash:
Address or name of remote host []? 192.168.1.1
Source username []? admin
Source filename []? c2800nm-adventerprisek9-mz.151-4.M12a.bin
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?

Password:
!!!!!!!!!!!
67929600 bytes copied in 884.704 secs (76782 bytes/sec)

The copy command will ask for the remote IP address, username, password, and
filename.

MD5 Verification
So far we copied a couple of files, but how do we know that these files are valid? When
we downloaded the Cisco IOS image, I showed you the MD5 checksum that Cisco
publishes on their website. We can verify this checksum on our router:
R1#verify /md5 flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin
.................Done!
verify /md5 (flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin) = fcdaeb55b292534e97ecc29a394d35aa

This MD5 checksum is the same as the one we found on the Cisco website. This tells
us that we have the same file as Cisco published and that it was not corrupted or
swapped during the TFTP, FTP or SCP transfer. If the checksum fails, do not boot the
image: it was either truncated in transit or someone has added something nasty to it.
Two caveats: the check is only as good as the channel you got the checksum from (read it
from Cisco's site over HTTPS, not from the same server the image came from), and MD5 is
no longer collision resistant, so where the platform offers it prefer the image's
built-in digital signature (the /verify option you saw on copy, or file verify auto)
over a bare MD5.
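As an added example (not part of the original lesson), here is an off-box pre-flight script in Python that does the checks this section and the earlier flash-space check rely on: it parses the free-space trailer and the file entries of show flash: output, confirms that the size listed on the router matches the file you downloaded (a truncated transfer is the most common cause of an "MD5 mismatch"), and compares an MD5 digest with the checksum published on Cisco's download page using a constant-time, case-insensitive comparison. The show flash: text, the image bytes and the 4 MB headroom default are constructed for this example; in practice you paste real show flash: output and read the downloaded .bin file.

```python
"""Pre-flight checks before booting a freshly copied IOS image.

Added example, not from the lesson. Works on pasted 'show flash:' output and
the downloaded image file, so it runs on the admin workstation, not on the router.
"""
import hashlib
import hmac
import re

# One 'show flash:' entry: index, length, date/time with zone, then the path.
_FLASH_ENTRY = re.compile(
    r"^\s*\d+\s+(?P<size>\d+)\s+\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d [+-]\d\d:\d\d (?P<path>.+?)\s*$"
)
_FLASH_TRAILER = re.compile(r"(?P<free>\d+) bytes available \((?P<used>\d+) bytes used\)")


def parse_show_flash(output: str) -> dict:
    """Return {'files': {path: size}, 'free': bytes, 'used': bytes} from 'show flash:' text."""
    files, free, used = {}, None, None
    for line in output.splitlines():
        m = _FLASH_ENTRY.match(line)
        if m:
            files[m.group("path")] = int(m.group("size"))
            continue
        m = _FLASH_TRAILER.search(line)
        if m:
            free, used = int(m.group("free")), int(m.group("used"))
    if free is None:
        raise ValueError("no 'bytes available' trailer found in show flash output")
    return {"files": files, "free": free, "used": used}


def md5_hex(data: bytes) -> str:
    """Same digest that 'verify /md5' prints on the router."""
    return hashlib.md5(data).hexdigest()


def preflight(show_flash: str, image_name: str, image_bytes: bytes,
              published_md5: str, headroom: int = 4 * 1024 * 1024) -> list:
    """Return a list of problems; an empty list means the image is safe to copy and boot.

    headroom: spare bytes to keep free on flash (constructed default, tune per platform).
    """
    problems = []
    flash = parse_show_flash(show_flash)
    listed = flash["files"].get(image_name)
    if listed is None:
        # Not copied yet: will it fit?
        if len(image_bytes) + headroom > flash["free"]:
            problems.append(f"not enough flash: need {len(image_bytes) + headroom} bytes, "
                            f"have {flash['free']}")
    elif listed != len(image_bytes):
        problems.append(f"size on flash ({listed}) differs from downloaded file "
                        f"({len(image_bytes)}): truncated transfer?")
    # Constant-time compare; normalise case because web pages often print upper-case hex.
    if not hmac.compare_digest(md5_hex(image_bytes), published_md5.strip().lower()):
        problems.append("MD5 mismatch with published checksum: do not boot this image")
    return problems


# Constructed stand-ins (a real image is ~68 MB; a real listing comes from 'show flash:').
FAKE_IMAGE = b"\x7fCISCO-fake-image" * 64
FAKE_NAME = "c2800nm-fake-mz.0.0.bin"
SHOW_FLASH_BEFORE = (
    "-#- --length-- -----date/time------ path\n"
    "8     67926080 Apr 2 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin\n"
    "\n"
    "3862364160 bytes available (137428992 bytes used)\n"
)
SHOW_FLASH_AFTER = (
    "-#- --length-- -----date/time------ path\n"
    "8     67926080 Apr 2 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin\n"
    f"25        {len(FAKE_IMAGE)} Nov 4 2016 12:11:22 +00:00 {FAKE_NAME}\n"
    "\n"
    "3862364160 bytes available (137428992 bytes used)\n"
)

if __name__ == "__main__":
    published = md5_hex(FAKE_IMAGE)     # stands in for the checksum on cisco.com
    print("before copy:", preflight(SHOW_FLASH_BEFORE, FAKE_NAME, FAKE_IMAGE, published) or "ok")
    print("after copy: ", preflight(SHOW_FLASH_AFTER, FAKE_NAME, FAKE_IMAGE, published) or "ok")
    print("bad digest: ", preflight(SHOW_FLASH_AFTER, FAKE_NAME, FAKE_IMAGE, "0" * 32))
```

Run preflight once with the listing taken before the copy (does it fit?) and again after the copy (did all of it arrive, and does the digest match?); only an empty result on the second run should be followed by boot system and reload.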

Boot System
Our router currently has two IOS images:
R1#show flash: | include .bin
8     67926080 Apr 2 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin
25    67929600 Nov 4 2016 12:11:22 +00:00 c2800nm-adventerprisek9-mz.151-4.M12a.bin



Which IOS image will it select when the router boots? Deleting the old IOS image is one
option, but there is another way.
With no boot system commands, most routers will boot the first IOS image they find on
the flash memory, so in our case that means the older image. We can change this with the
boot system command:
R1(config)#boot system flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin

boot system commands are tried in the order they appear in the configuration, so adding
the old image as a second boot system line gives you a fallback if the new one turns out
to be corrupt. They are only honored when the boot field (the low four bits of the
configuration register) is 0x2 or higher, which is the case for the default 0x2102; a
0x2142 left over from a password recovery discards the whole startup-configuration, and
with it your boot system lines.

Let’s reload the router:
R1#reload
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
[OK]

Once the router has reloaded, verify that we are running the new IOS image:
R1#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 04-Oct-16 03:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

R1 uptime is 14 minutes
System returned to ROM by reload at 14:01:00 UTC Fri Nov 4 2016
System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin"

Above we can see we booted the new Cisco IOS image.

Conclusion
You have now learned how to upgrade your Cisco IOS image through TFTP, FTP and
SCP. You have seen how this can be done from your computer to your router/switch or
between two routers. We also checked how to verify the integrity of the file with the MD5
checksum and how to configure your router to boot the new IOS image.


