Recover lost passwords using Cisco configuration registers

While Cisco configuration registers have several uses, admins use them most often to recover lost passwords. In this edition of Cisco Router and Switches, David Davis tells you what you need to know about config-registers, and he tells you how to use them to find forgotten passwords.

Configuration registers aren't the most exciting part of networking, and they're not something you use every day. But if you're a network engineer or if you're studying for Cisco's CCNA exam, you need to be familiar with them.

You'll often hear administrators refer to the Cisco configuration register as config-register because that's the command used to configure one. A config-register is a hexadecimal value that tells the router what to do when it boots up. From this single value, the router can determine which specific steps it should take when powered on.

The config-register is similar to a PC's BIOS settings. These settings determine which hard disk to boot from, the boot order, and other important pre-boot settings.

Here's a look at what you can configure with the config-register:

  • Use the console baud rate to speed up the transfer of a XMODEM file to a router with a corrupted IOS or just speed up your console access rate.
  • Determine where the router should look for its boot IOS (e.g., Flash, TFTP, or the limited ROM IOS).
  • Specify what to do if the primary boot source fails.
  • Indicate whether to use the startup-configuration file stored in the NVRAM.

For more information, as well as the values for these different settings, check out Cisco's "Use of the Configuration Register on All Cisco Routers" documentation.

Once you begin reading up on configuration registers, you'll notice that there's a great variety of different options, which can easily become overwhelming. But don't worry: Trying to memorize all of the various config-registers or how to calculate them isn't necessary. Instead, let's focus on the two most important registers you need to know.

About 99 percent of the time someone uses a config-register, it's more than likely because of a lost router password. The two config-registers for recovering passwords are 0x2102 and 0x2142.

The first config-register, 0x2102, is the normal config-register if you boot the router from internal Flash. You can see this config-register by using the show version command. Listing A offers an example of this command's output.

In this output, you'll notice the last line says, "Configuration register is 0x2102." This is normal.

But let's say you forgot the router's password. To recover this password (as long as it's unencrypted), boot the router and bypass the startup-config using config-register 0x2142; you should then be able to see the password in the startup-config.

You can use the same method for encrypted passwords, but you'll need to overwrite the original password with a new one. To change the configuration register, enter the following:

Router(config)# config-register 0x2142

Then, reload the router's configuration. Listing B offers an example of the output.

In the output, you'll notice that when the router rebooted, it asked if you want to enter the initial configuration. This tells you that the router has no startup-config file or has bypassed it. (It's the latter for this example.) After answering No, you should be able to view or replace the password.

As you can see in the output, I was able to go right into Privileged Mode and enter show startup-config. It returned the following line, displaying the encrypted password:

enable secret 5 $1$Tde5$qCheBIgD/VoIaWm.YOtCE/

Since this is a Level 5 password, I can't decode it. Instead, I could either erase the startup-config, or I could load it into the running configuration, set a new password, save it back to startup-config, set back the config-register, and reboot the router. (But don't forget to reset the config-register after making changes so the router uses the startup-config file when it reloads!)

But what if the password in question is a regular enable password (not enable secret) or a regular user password (encrypted with Level 7)? There are several available programs you can use to decrypt it, including:

For more information on password recovery for all Cisco devices, check out Cisco's "Password Recovery Procedures" documentation.

Miss a column?

Check out the Cisco Routers and Switches Archive, and catch up on David Davis' most recent columns.

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

Editor's Picks