Enable Password on Cisco 3600 Router

RS_MCPRS_MCP Posts: 352Member
Hi All,

I have forgotten the enable password on my Cisco 3600 Router which is being used as a backup DMVPN Router which means I can not access privileged mode.

The Router is sitting in a real live environment, what can I do to sort this issue without carrying out a password recovery and rebooting the Router?

Thanks in advance for your help :)

Comments

  • notgoing2failnotgoing2fail Posts: 1,138Member
    Bummer....

    I'm not really sure you have any options here....
  • DPGDPG Posts: 780Member
    Do you have SNMP write access?

    Also, check your backup configuration and see if the enable password is encrpyted.

  • networker050184networker050184 Posts: 11,962Mod Mod
    DPG wrote: »
    Do you have SNMP write access?

    Also, check your backup configuration and see if the enable password is encrpyted.


    I think those are about your only options.
    An expert is a man who has made all the mistakes which can be made.
  • laidbackfreaklaidbackfreak Posts: 991Member
    tried any of the online crackers?

    summit like this :-
    IFM - Cisco Password Cracker

    all depends on what encryption type your using, but there are other options out there.
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • burbankmarcburbankmarc Posts: 460Member
    If you aren't using CiscoWorks/Subversion for config management then you might want to look into something like auto archive. I know it doesn't help you NOW but it may help you in the future:

    [Cisco] Auto Archive Configuration – Save Cisco Config Periodically IP Stories
  • notgoing2failnotgoing2fail Posts: 1,138Member
    speaking of passwords, what passwords do you have for your other routers?


    It may be worth a shot to try them out? Could be the same!!!
  • thehourmanthehourman Posts: 723Member
    Dude, this what I did to my 2600 series and 2600XM routers. I am not sure if this is going to work on your 3600. Anyway it is worth a shot.
    Here's what I did:
    1. reboot your router
    2. interrupt the boot sequence (when you get to the point where there are a bunch of # just interrupt it. I use ALT+B on teraterm.) This should take you in ROMMON mode.
    3. type this command confreg 0x2142 (on 2500 use the o then use o/r 0x2142)
    4. type this command reset. That should reload your router. After that just let your router reload like normal, and you should be able to bypass the nvram settings you have setup. (on 2500 router use i to reload the router.)
    5. Once you get into enable mode, load your startup settings copy startup running
    6. From here if you have enable password you can just do a show run and view your password, but if you used enable secret then go to config mode and change your enable secret by using the enable secret password command. That should overwrite the previous one.
    7. Reset the configuration registry of your router back to normal 0x2102 using this command configure-registry 0x2102.
    8. Then save your settings copy run start then reload the router.

    I hope this will help you.
    Studying:
    Working on CCNA: Security. Start date: 12.28.10
    Microsoft 70-640 - on hold (This is not taking me anywhere. I started this in October, and it is December now, I am still on page 221. WTH!)
    Reading:
    Network Warrior - Currently at Part II
    Reading IPv6 Essentials 2nd Edition - on hold
  • RS_MCPRS_MCP Posts: 352Member
    Does anyone know an Password Cracker for an "enable secret 5" ???
  • DevilWAHDevilWAH Posts: 2,996Member
    RS_MCP wrote: »
    Does anyone know an Password Cracker for an "enable secret 5" ???

    Nope apart from brut force crackers, this is why CISCO use i because its so mauch more secure than the enable password 7.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • chmorinchmorin Posts: 1,446Member
    thehourman wrote: »
    Dude, this what I did to my 2600 series and 2600XM routers. I am not sure if this is going to work on your 3600. Anyway it is worth a shot.
    Here's what I did:
    1. reboot your router
    2. interrupt the boot sequence (when you get to the point where there are a bunch of # just interrupt it. I use ALT+B on teraterm.) This should take you in ROMMON mode.
    3. type this command confreg 0x2142 (on 2500 use the o then use o/r 0x2142)
    4. type this command reset. That should reload your router. After that just let your router reload like normal, and you should be able to bypass the nvram settings you have setup. (on 2500 router use i to reload the router.)
    5. Once you get into enable mode, load your startup settings copy startup running
    6. From here if you have enable password you can just do a show run and view your password, but if you used enable secret then go to config mode and change your enable secret by using the enable secret password command. That should overwrite the previous one.
    7. Reset the configuration registry of your router back to normal 0x2102 using this command configure-registry 0x2102.
    8. Then save your settings copy run start then reload the router.

    I hope this will help you.

    2nd this. A little dangerous in a production environment though. Don't fat finger the configure Registry ;)
    Currently Pursuing
    WGU (BS in IT Network Administration) - 52%| CCIE:Voice Written - 0% (0/200 Hours)
    mikej412 wrote:
    Cisco Networking isn't just a job, it's a Lifestyle.
  • chXchX Posts: 96Member ■■□□□□□□□□
    RS_MCP wrote: »
    Does anyone know an Password Cracker for an "enable secret 5" ???

    As far as I know (and I could be wrong),

    "level 5" passwords are md5 hashes, and hashes are different to encryption.

    You can't directly reverse a hash to replicate the original string, but people employ databases full of string-to-hash mappings in the hope that there's a hash collision (some text which, when ran through the algorithm, ends up being the same hash as the original password they're trying to break).
    2013/2014 Goals:
    CCNP - TSHOOT ROUTE SWITCH
    CCNA Data Centre
    JNCIA
  • notgoing2failnotgoing2fail Posts: 1,138Member
    You might want to look into rainbow tables and give that a shot.
  • thehourmanthehourman Posts: 723Member
    chmorin wrote: »
    2nd this. A little dangerous in a production environment though. Don't fat finger the configure Registry ;)
    I totally missed that part.
    Studying:
    Working on CCNA: Security. Start date: 12.28.10
    Microsoft 70-640 - on hold (This is not taking me anywhere. I started this in October, and it is December now, I am still on page 221. WTH!)
    Reading:
    Network Warrior - Currently at Part II
    Reading IPv6 Essentials 2nd Edition - on hold
  • laidbackfreaklaidbackfreak Posts: 991Member
    To be honest the time it will take to break the MD5 hash it would be quicker and easier to schedule some maintenance down time and go through the recovery procedure.
    IMO a lot less painfull too.
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • DPGDPG Posts: 780Member
    Do you know the SNMP RW community name?

  • ccnxjrccnxjr Posts: 304Member
    Do you have a backup router?
    Will taking this router offline bring down your network entirely?
    If so the long way around this is configure a backup route, add a little redundancy to your network.
    (Mesh topology anyone? )
    Then once you've configured a backup route with redundant connections, take the problem router offline and begin password recovery sequence.
    Maybe schedule "maintenance" time when you can live with the failover delay.
  • mgeorgemgeorge Posts: 777Member
    RS_MCP wrote: »
    Does anyone know an Password Cracker for an "enable secret 5" ???

    There are no "password crackers" for the "enable secret" password as it's an MD5 hash (one way algorithm) as chX stated.

    The only way you're going to get this password is through a brute force rainbow table.

    Unless you have a backup copy of your config where the enable password is type 7 where you can decrypt it or SNMP RW you're screwed. This is why you should at least use a local user database.
    There is no place like 127.0.0.1
  • HeeroHeero Posts: 486Member
    Try a dictionary attack against the md5 hash. There are also websites that store databases and you can just type in the md5 hash and if they have that hash + input stored, it will return it.

    Whether or not you can break the md5 hash has everything to do with how long/unique the original password is. If you know some characteristics about the original password, that would help a lot too.
  • DevilWAHDevilWAH Posts: 2,996Member
    Heero wrote: »
    Try a dictionary attack against the md5 hash. There are also websites that store databases and you can just type in the md5 hash and if they have that hash + input stored, it will return it.

    Whether or not you can break the md5 hash has everything to do with how long/unique the original password is. If you know some characteristics about the original password, that would help a lot too.


    out of intrest how would you get a copy of the hashed vlaue. (unless you have a back up of the config of course) ;)
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Sign In or Register to comment.