Cisco Router Password Recovery

If one thing is for certain, it’s that at some point you’ll forget the password that you assigned to a router, or be asked to configure a router whose password nobody can give you. The good news is that with physical access to the console port, you’re in luck. Now that you know about configuration register settings, you know that you can change the register so that the router ignores its startup configuration file, thus allowing you to bypass any passwords. Once you reboot the router, you can load the old configuration, change the passwords, and save them. Keep the flip side in mind as well: anyone who can reach the console port can do exactly the same thing, so physical security of the router matters as much as any password you configure.

For the purpose of this example, let’s assume that we’re using a Cisco 2600 router. The steps on a Cisco 2500 are similar, with the exception of the ROM Monitor mode commands.

The first step is to access ROM Monitor mode and change the configuration register setting to 0x2142, so that the router ignores the contents of the startup configuration file. Power-cycle the router and send the break sequence from your terminal program within the first 60 seconds of the boot (the break key is honored during this window even though the default register value disables it once IOS is running), and then enter the confreg and reset commands at the rommon prompt.

rommon 1>confreg 0x2142
rommon 2>reset

The router should now reload, ignoring the contents of the startup configuration file. Press Enter to access user mode, and then enter privileged mode using the enable command. Notice that no password is required.

Press RETURN to get started.
Router>enable
Router#

Now that we’ve accessed privileged mode, the next step is to overwrite the current running configuration with the information stored in the startup configuration. Loading this configuration into RAM will allow us to change the password, as well as to save it.

Router#copy star run

Be very careful not to mistakenly issue the copy run start command at this point. The running configuration is nearly empty, so that would overwrite the startup configuration file and lose every setting stored in it.

Even though we’ve copied the startup configuration into RAM, all of the interfaces are still administratively shut down, because the router booted with no configuration and copying a configuration into RAM does not bring interfaces up on its own. You can verify this with the show run or show ip interface brief command. One of your last steps will therefore be to enter each interface and issue the no shutdown command. Our main goal, however, is still to change the enable secret password, so that’s our next step.

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret cisco

After setting our new enable secret password (and any other passwords that we may need changed), issue the no shutdown command for all interfaces, and then change the configuration register back to the default value (or whichever value you require) using the config-register command. In this case, we’ll set the register back to 0x2102, and then issue the all-important copy run star command to save our changes.

Router(config)#config-register 0x2102
Router(config)#^Z
Router#copy run star

And there you have it. You don’t even require a reboot at this point (assuming that you remembered to issue the no shutdown command for all necessary interfaces). The next time the router does reboot, its configuration register will be set to 0x2102, so it will load the startup configuration file normally and you will have complete and normal access using the newly configured password.
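To make the register arithmetic behind this procedure explicit, here is an added example in Python (written for this page, not code from the original article) that decodes the fields of the 16-bit configuration register and shows that 0x2142 is simply 0x2102 with bit 6 (0x0040, ignore NVRAM) set. The bit meanings are the documented ones for 2500/2600-class routers. Note that the default 0x2102 already has bit 8 (break disabled) set, which is why the break sequence only works during the first 60 seconds after power-up.

```python
"""Decode and toggle the Cisco configuration register used in password recovery.

Added example, not code from the original article. The bit layout is the
documented 16-bit configuration register of classic IOS routers (2500/2600
class). The recovery procedure sets bit 6 (0x0040), turning 0x2102 into
0x2142 so the startup configuration in NVRAM is ignored, and clears it again
once the new passwords are saved.
"""

BOOT_FIELD_MASK = 0x000F            # bits 0-3: boot field
IGNORE_NVRAM = 0x0040               # bit 6: ignore startup-config in NVRAM
BREAK_DISABLED = 0x0100             # bit 8: Break ignored once IOS is running
BOOT_ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13: fall back to the ROM image
CONSOLE_SPEED_MASK = 0x1800         # bits 11-12: console line speed
CONSOLE_SPEEDS = {0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400}


def parse_register(text):
    """Parse a register as shown by show version or confreg, e.g. '0x2142'."""
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    return value


def boot_field(register):
    return register & BOOT_FIELD_MASK


def describe_boot_field(register):
    field = boot_field(register)
    if field == 0x0:
        return "stay in ROM monitor (rommon) after power-up"
    if field == 0x1:
        return "boot the first image in flash (boot helper/RxBoot on older models)"
    return "boot using the boot system commands in startup-config (first flash image if none)"


def ignores_startup_config(register):
    """True when the router will boot without loading NVRAM (bit 6 set)."""
    return bool(register & IGNORE_NVRAM)


def enter_recovery(register):
    """Value to set with confreg in rommon: same settings, but NVRAM ignored."""
    return register | IGNORE_NVRAM


def leave_recovery(register):
    """Value to put back with config-register after the new passwords are saved."""
    return register & ~IGNORE_NVRAM & 0xFFFF


def describe(register):
    """Human-readable breakdown of the fields a password recovery cares about."""
    return {
        "register": f"0x{register:04X}",
        "boot_field": boot_field(register),
        "boot_action": describe_boot_field(register),
        "ignore_startup_config": ignores_startup_config(register),
        "break_disabled": bool(register & BREAK_DISABLED),
        "boot_rom_if_netboot_fails": bool(register & BOOT_ROM_IF_NETBOOT_FAILS),
        "console_speed": CONSOLE_SPEEDS[register & CONSOLE_SPEED_MASK],
    }


if __name__ == "__main__":
    normal = parse_register("0x2102")
    recovery = enter_recovery(normal)
    for value in (normal, recovery):
        print(describe(value))
    print("back to normal:", hex(leave_recovery(recovery)))
```

The same functions apply to any register value you find in show version, so if a router was left at something other than 0x2102 you can see exactly which bits it carries before you start, and put that same value back rather than blindly restoring the default.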

Router Troubleshooting and Password Recovery

It’s a fact of life that no matter how carefully you manage your equipment, something is bound to go wrong at some point. While Cisco has a great track record of providing stable equipment with a solid operating system, there are still times when something will go wrong. When problems do occur, fixes are usually issued by Cisco as an updated IOS release.

On a day-to-day basis, especially while studying, many of the problems that you will come across will be related to managing the IOS image and passwords. For example, it’s important to be familiar with how to gain access to a router when you’ve forgotten (or perhaps were never told) one of the required passwords. Along the same lines, you will need to know what to do in cases where your router’s IOS image is corrupted or missing.

Troubleshooting and password recovery of a Cisco router requires an understanding of the different working environments provided by the router, and how to reach them. In order to successfully access these environments, you’ll need to be familiar with what is known as the configuration register and how it impacts the operation of your router. Not only does this setting control how a router boots, but also the ability to issue break sequences, configure console port speeds, and so forth.

The topics that we’ll cover in this chapter include:

  • The Cisco router boot process
  • Router environments
  • Understanding configuration register values
  • Changing configuration register values from different environments
  • Password recovery on Cisco routers
  • Restoring missing or corrupted IOS images

Assigning Enable Passwords

The first important step in configuring your Cisco router is setting a password to control access to privileged mode. Without one, your router’s configuration is fair game to anyone with a rollover cable and only a tiny bit of know-how. Recall that the enable secret password always takes precedence over the unencrypted and less secure enable password. In fact, Cisco recommends not using the enable password command at all.

All Cisco passwords are configured from global configuration mode, although the console, auxiliary, and vty ports are configured at the line level. To set the enable password on your Cisco router, simply issue the enable password command.

toronto-1(config)#enable password cisco99

Obviously, this will set the enable password to cisco99. To set the enable secret password, use the enable secret command:

toronto-1(config)#enable secret cisco100

Configuring Router Passwords

At the beginning of this chapter we configured our initial passwords using the System Configuration Dialog. In both real-life and on the exams, however, you will need to know how to configure passwords from the command line. Remember that by default, a router will usually have no passwords associated with it (some models do ship with default factory passwords, usually cisco), so this is something that you’ll definitely want to change. There are 5 main passwords associated with a Cisco router. These include:

Enable password. The enable password is used to restrict access to privileged EXEC mode on a Cisco router. Recall that enable passwords are not encrypted, meaning that they can be read in plain text in the configuration from privileged EXEC mode, or from any copy of the configuration that ends up on a TFTP server or in a backup. The enable password was used by older IOS versions, but has been superseded by the enable secret password, which is stored as a hash.

Enable secret password. The enable secret password also provides access to privileged EXEC mode on a Cisco router, but is stored as a salted hash based on the Message Digest 5 (MD5) algorithm (shown as type 5 in the configuration). On any Cisco router running IOS version 10.3 or later, the enable secret password should always be used. In fact, you should ignore the enable password completely in favor of the enable secret password. Again, when both are configured, only the enable secret password can be used to access privileged mode.

Console password. A console password is used to restrict access to a router’s physical console port. If a password is not associated with the console port, anyone can walk up to the router, plug in a rollover cable and create a session, gaining access to at least user EXEC mode.

Auxiliary password. Much like the console port, a password can also be used to restrict access to the auxiliary port, which may be configured to allow access via an external modem. Whether you’re using it or not, it’s always a good idea to set a password on this port.

Telnet password. As mentioned earlier, a Cisco router allows telnet sessions via what it considers to be virtual terminals. On a Cisco router running Standard Edition IOS software, a maximum of 5 virtual terminals are provided, named vty 0 through 4. On Enterprise Edition IOS versions, the number of possible virtual terminals is much higher, depending upon the version and platform.

Although the enable secret password is the only one hashed by default, any of the other passwords above can be obfuscated with the service password-encryption command. Be aware that this is a reversible encoding (shown as type 7 in the configuration) rather than real encryption; it only stops someone reading a password over your shoulder, not someone who obtains a copy of the configuration. We’ll explore this after we learn how to assign passwords to the console, auxiliary, and vty lines.
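Why the distinction between enable secret and the other passwords matters is easiest to see in code. The following added example (written for this page, not Cisco code or code from the original article) implements the type 7 scheme that service password-encryption applies to the enable password and to console, auxiliary and vty line passwords, and recovers them from a constructed sample configuration. The translation table is the well-known constant IOS uses; the enable secret line in the sample is a placeholder and is deliberately left alone, since type 5 is a salted MD5-based hash and cannot be reversed this way.

```python
"""Recover Cisco type 7 passwords from a configuration.

Added example, not code from the original article. service password-encryption
stores the enable password and line passwords as "type 7", a fixed-key XOR
(Vigenere-style) using the well-known IOS translation table below, so anyone
holding a copy of the configuration can recover them. Only enable secret
(type 5, a salted MD5-based hash) is one-way. SAMPLE_CONFIG is constructed
sample input; its type 5 value is a placeholder, not a real hash.
"""
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "password 7 <hex>" and "key-string 7 <hex>" wherever they appear on a
# line (enable password, username ... password, line passwords); type 5
# "enable secret" lines do not match and are left alone.
TYPE7_LINE = re.compile(
    r"^\s*(?P<line>.*?\b(?:password|key-string)\s+7\s+(?P<hex>[0-9A-Fa-f]+))\s*$",
    re.MULTILINE,
)


def decrypt_type7(encoded):
    """Decode a type 7 string: a 2-digit decimal seed followed by hex byte pairs."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected a 2-digit seed followed by hex pairs")
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encrypt_type7(password, seed=8):
    """Produce the obfuscated form IOS writes; real configs use seeds 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = password.encode("ascii")
    out = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


def recover_from_config(config_text):
    """Return [(config line, recovered password)] for every type 7 value found."""
    found = []
    for match in TYPE7_LINE.finditer(config_text):
        found.append((match.group("line"), decrypt_type7(match.group("hex"))))
    return found


SAMPLE_CONFIG = """\
! constructed sample configuration (not from a real router)
service password-encryption
enable secret 5 $1$abcd$placeholderhashvalue
enable password 7 0822455D0A16
username backup password 7 094F471A1A0A
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for line, password in recover_from_config(SAMPLE_CONFIG):
        print(f"{line:45} -> {password}")
    print("enable secret (type 5) lines are skipped; they cannot be reversed this way")
```

Anyone who obtains a copy of the configuration (a TFTP backup, a show run pasted into a ticket) can run this against it. That is why enable secret, and not enable password, protects privileged mode, and why line passwords should be treated as exposed once a configuration leaves the router.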

Logging In and Logging Out with a Cisco Router

For the time being, we’re going to continue to access the router via a console connection. We’ll get into the details of connecting via a telnet session a little later in the chapter. After connecting, you’ll be presented with the message below.

toronto-1 con0 is now available
Press RETURN to get started!

The message makes us aware that we are connected to the console port, also known as con0. After pressing Enter, we’ll be in what is known as user EXEC mode. You can always identify the mode you are in by the prompt you are presented with. In this case, the prompt appears as:

toronto-1>

Notice that the prompt displays the hostname that we configured when walking through the extended setup. In this case, it ends with a > sign, which designates that we’re in user EXEC mode (or just “user mode” for short). Your capabilities in user mode are fairly limited, allowing you to view information such as statistics, issue pings, show system hardware and software status, and so forth. In order to get at the configuration of the router, we’ll need to be in what is known as privileged EXEC mode (also known as “privileged mode”). To access privileged mode, you need to issue the enable command.

toronto-1>enable
Password:
toronto-1#

Because we set the enable secret password to cisco during the initial setup, this is the password that we enter to access privileged mode. The password does not appear on the screen while you are typing, nor are the characters masked with asterisks; this is for security purposes. Notice how the prompt has changed: instead of the > character, the privileged mode prompt is designated by the # sign.

Tip: Don’t forget that the > prompt signifies user EXEC mode, while the # prompt signifies privileged EXEC mode.

Once you have finished configuring your router, you will want to exit privileged mode. Doing this is quite intuitive; the command you need to enter is simply disable.

toronto-1#disable
toronto-1>

Notice that issuing the disable command returns us to user mode, as shown by the > prompt. In order to log out of the router completely, you have the choice of issuing either the logout or exit command. These commands can also be issued directly from privileged mode, allowing you to log out of the router in a single step.

toronto-1>logout
toronto-1 con0 is now available
Press RETURN to get started!

Using the logout or exit command brings us right back to where we started.

Windows Password Recovery and Reset Tool

It’s your first day on the job and you’re raring to go. The previous administrator left two weeks ago, so the servers have been running on their own with no administrative maintenance. Microsoft decides that today is also the day they are going to release a number of critical update patches to the Windows Server platform. You head into the server room ready to update the servers but realize that you don’t know the administrative password to log on to the machines. To make matters even more interesting, it appears that no one else in the office does either, and the previous admin didn’t document them. Thankfully, you are a dedicated reader of the articles on the 2000 Trainers site and have a solution.

Note – The following utility is not supported by Microsoft and does pose the remote possibility of permanently damaging the registry. Use at your own risk and please read all the online material before attempting. In addition, while this utility can be used maliciously, it is meant to be a “save the day” tip for administrators. Please use it responsibly.

The “Offline NT Password and Registry Editor” is located at http://home.eunet.no/~pnordahl/ntpasswd/ and can be used to reset local account passwords, including the local Administrator, on Windows platforms from Windows NT 3.51 to Windows Server 2003. The first thing you want to do is download either the floppy image or the ISO image for a CD-ROM, depending on your preference. If you download the floppy image, be sure to grab the SCSI drivers if your system partition is located on SCSI drives. For this high-level walkthrough I used the floppy image.

Once you’ve unzipped the binaries, put a floppy in the drive and run the install.bat file. It writes the boot image to the floppy using the included rawrite utility. Place the floppy in the server and restart the server. After the Linux kernel loads, you will be prompted to select the disk partition that contains the Windows installation.

In our example, we only have a single partition to select so we will choose device number one. The next prompt will be for the location of the registry. Just accept the default and press Enter. Since we want to reset the local administrator password, select option one at the next prompt.

At the next prompt, select option one again as we are editing user data and passwords. Notice how the local administrator account appears as an editable account at the next screen. Select the appropriate option for the administrator.

At the next screen we can set a new password or, preferably, enter the asterisk (*) to blank out the current password; blanking is the more reliable option. Save your changes and write them back to the registry. Eject the floppy, restart the machine and log on as the administrator with the password you selected (or no password, if you blanked it). Two caveats: any EFS-encrypted files or other DPAPI-protected data belonging to that account will no longer be accessible after an offline reset, because the keys protecting them are derived from the old password; and because the tool edits the local SAM, it applies to local accounts only, not to domain accounts stored in Active Directory on a domain controller.

Using CSVDE and LDIFDE to Create User Accounts

Creating user accounts in Active Directory is simple enough, seeing as a wizard walks you through the process. Simply right-click in Active Directory Users and Computers, choose New – User, and you’re off to the races. The wizard only sets up basic account properties, such as names, logon names, passwords, and so forth. To get at the majority of the settings (such as group membership, home directory info, etc.), you must access the properties of the user after creating it. In smaller environments, creating all user accounts one at a time may be reasonable. In larger environments, you might create a template account, and then copy that account (and its common settings) in order to more quickly create new accounts. However, you should also be aware that Windows 2000 includes 2 utilities that exist for the purpose of bulk import of user accounts and associated properties:

Csvde: This tool does bulk import to AD from comma-separated source files. Note that Csvde can only be used to import (create) objects; it cannot be used to delete or change information. The file used is a simple text file, with values separated by commas. The first line of the file defines the structure by naming the attributes, and values containing commas (such as the DN) must be enclosed in quotes. For example, a .csv text file that would import 2 user accounts might look like the one below:

dn,displayName,objectClass,sAMAccountName,userPrincipalName,telephoneNumber
"cn=dan dinicolo,cn=users,dc=2000trainers,dc=com",Dan DiNicolo,user,dinicolo,dan@2000trainers.com,416-555-5555
"cn=john doe,cn=users,dc=2000trainers,dc=com",John Doe,user,doe,doe@2000trainers.com,416-555-5556

Note that basically any user attribute can be imported, as long as the file is structured correctly and the attribute names are properly defined. For a list of available attributes, see http://support.microsoft.com/support/kb/articles/q257/2/18.asp

Ldifde: this tool does bulk import to AD using LDIF, the LDAP Data Interchange Format. It can be used to add, delete, or modify objects in Active Directory. LDIF files use a line-separated format, meaning that each attribute has its own line, and records are separated by a blank line. For example, to create the users from the previous example using ldifde, you would create a text file with the entries shown below:

dn: cn=dan dinicolo,cn=users,dc=2000trainers,dc=com
displayName: Dan DiNicolo
objectClass: user
sAMAccountName: dinicolo
userPrincipalName: dan@2000trainers.com
telephoneNumber: 416-555-5555

dn: cn=john doe,cn=users,dc=2000trainers,dc=com
displayName: John Doe
objectClass: user
sAMAccountName: doe
userPrincipalName: doe@2000trainers.com
telephoneNumber: 416-555-5556
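Rather than hand-typing both formats, the added example below (written for this page, not code from the original article; the user records are constructed sample data using the article’s 2000trainers.com domain) generates a CSVDE file and an LDIFDE file from the same list of accounts. It quotes the DN in the CSV because the DN contains commas, writes an explicit changetype: add in the LDIF, base64-encodes any LDIF value that is not a plain printable ASCII string (leading space, colon or non-ASCII characters), and folds long lines, as the LDIF specification (RFC 2849) requires.

```python
"""Generate CSVDE and LDIFDE import files for Active Directory user accounts.

Added example, not code from the original article. SAMPLE_USERS is constructed
sample data. The CSV writer quotes the DN because it contains commas; the LDIF
writer follows RFC 2849, base64-encoding (double colon) any value that is not
a safe ASCII string and folding lines longer than 76 characters.
"""
import base64
import csv
import io

ATTRIBUTES = ["dn", "displayName", "objectClass", "sAMAccountName",
              "userPrincipalName", "telephoneNumber"]

SAMPLE_USERS = [
    {"dn": "cn=Dan DiNicolo,cn=Users,dc=2000trainers,dc=com",
     "displayName": "Dan DiNicolo", "objectClass": "user",
     "sAMAccountName": "dinicolo", "userPrincipalName": "dan@2000trainers.com",
     "telephoneNumber": "416-555-5555"},
    {"dn": "cn=John Doe,cn=Users,dc=2000trainers,dc=com",
     "displayName": "John Doe", "objectClass": "user",
     "sAMAccountName": "doe", "userPrincipalName": "doe@2000trainers.com",
     "telephoneNumber": "416-555-5556"},
]


def to_csvde(users, attributes=ATTRIBUTES):
    """Header line names the attributes; each following row is one object."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(attributes)
    for user in users:
        writer.writerow([user.get(attr, "") for attr in attributes])
    return buf.getvalue()


def csvde_rows(text):
    """Parse a CSVDE file back into rows (quoted DNs come back whole)."""
    return list(csv.reader(io.StringIO(text)))


def _is_safe_string(value):
    """RFC 2849 SAFE-STRING: printable ASCII, not starting with space, ':' or '<'."""
    if value == "":
        return True
    if value[0] in " :<":
        return False
    return all(" " <= ch <= "~" for ch in value)


def _fold(line, width=76):
    """Continuation lines of a folded LDIF line start with a single space."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_line(attribute, value):
    """'attr: value' for safe strings, 'attr:: base64' otherwise."""
    if _is_safe_string(value):
        return _fold(f"{attribute}: {value}")
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return _fold(f"{attribute}:: {encoded}")


def to_ldif(users, attributes=ATTRIBUTES):
    """One record per object, records separated by a blank line."""
    records = []
    for user in users:
        lines = [ldif_line("dn", user["dn"]), "changetype: add"]
        for attr in attributes[1:]:
            if attr in user:
                lines.append(ldif_line(attr, user[attr]))
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_csvde(SAMPLE_USERS))
    print(to_ldif(SAMPLE_USERS))
```

Write the two outputs to files and import them with csvde -i -f users.csv or ldifde -i -f users.ldf. Ldifde treats a record without a changetype as an add, but writing it explicitly keeps the file unambiguous if you later mix adds and modifies in one import.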

Note that all accounts created with these utilities are disabled by default, and that a plain-text import cannot set passwords (they are left blank). Setting a password through ldifde requires an SSL connection to the domain controller and the unicodePwd attribute; the usual approach is to import the accounts, then set passwords and enable the accounts afterward.

Of course, after user accounts have been created, a number of common management tasks may need to be performed. While many of these involve setting up information relating to a particular user (phone numbers, addresses, etc.), some have farther-reaching implications in terms of security. The most important account settings are found on the Account tab in the properties of a user account. It is from here that you can require that a user change their password at next logon, disable an account, set logon hour restrictions, account expiry, account lockout, and so forth.

Note that passwords are reset in Windows 2000 by right clicking on an account and choosing the Reset Password option. In big environments (especially ones with many OUs) you may have trouble remembering where you created an account. To quickly find the user (or other objects), right click the domain name and choose Find in Active Directory Users and Computers.

A couple of additional notes on user accounts:

Remember that an account can be renamed without affecting the resources that the account has access to. As such, if Bob quits and Mark replaces him, simply rename Bob’s account (and change the personal information, obviously) and Mark will have access to everything that Bob previously did.

Deleting an account is a big deal. When you delete an account, the SID associated with the account is also deleted. As such, if you were to recreate an account with the same username, it would not have access to whatever the original account has been granted access to, since the SID would be different. Note that a deleted account can be restored using an authoritative restore (discussed later in the series).

User Accounts and Logon Names

Since the basics of this topic have already been covered in previous articles, I will keep this part short. Just as a review, remember that 3 main types of user accounts exist in a Windows 2000 Active Directory environment:

Local User Accounts: These accounts exist in the local Security Accounts Manager (SAM) database on each Windows 2000 system (with the exception of domain controllers). These accounts are created using the Local Users and Groups tool in Computer Management. Note that in order to log on with a local account, the account must exist in the SAM database of the system you are logging in from. This makes local accounts impractical for large environments, due to the administrative overhead involved.

Domain User Accounts: These accounts are stored in Active Directory, and can be used to log on to systems and access resources throughout an AD forest. Accounts are configured centrally using Active Directory Users and Computers.

Built-in Accounts: These accounts are created by the system and cannot be deleted. By default, both standalone systems and domains will have two accounts, Administrator and Guest. The guest account will be disabled by default.

Since this portion of the series covers Active Directory, we will concentrate on domain user accounts. These accounts are stored on domain controllers, which carry a copy of the Active Directory database. You will need to be familiar with the different formats in which user logon names exist, because there are differences to allow for backwards compatibility with ‘downlevel’ clients (such as Windows 95, 98, NT). The two main types of names are the User Principal Name (referred to as the user logon name in the interface) and user logon name (pre-Windows 2000).

A User Principal Name (UPN) is formatted much like an email address. It lists a logon name followed by the ‘@’ sign and domain name. By default, the domain name of the root domain will appear selected in the dropdown box, regardless of the domain in which the account is being created (the drop down list with also contain the domain name of the domain in which you are creating the account). It is also possible to create additional domain suffixes that can appear in the dropdown box and be used in the UPN if you so choose (this is done using Active Directory Domains and Trusts). The only requirement is that all UPNs in the forest be unique. When a user logs on to a Windows 2000 system using a UPN, they need only specify the UPN and the password – there is no longer a need to input or remember the domain name. Another benefit would be having UPNs map to user email addresses, again simplifying the amount of information users need to remember.

The User logon name (pre-Windows 2000) is provided for backwards compatibility with Microsoft systems not running Windows 2000. These systems still rely on traditional NetBIOS-based authentication, where a username, password, and domain name (in NetBIOS format) need to be provided. These downlevel logon user names must be unique within a domain. Note that the username portion of the downlevel logon name and of the UPN need not be identical.

Logon and Authentication

In order for a user to use a Windows 2000 Professional system, they must be authenticated. Authentication occurs when a user provides a valid username and password combination for the system or domain they are logging into. If logging into a Windows 2000 system locally, the user must provide a username and password from the local SAM database on that system. When logging on to a domain, a valid domain username, password and domain name (from the drop-down list) must be provided. Alternatively, you can also log in with something called a User Principal Name (UPN), which looks like an email address in the format user@domainname.com. If a UPN is provided, the user does not need to choose a domain name from the drop-down box (this will actually be disabled automatically when a UPN is used). When a user is logging on by sitting in front of a system, this is referred to as an interactive logon. In the same manner as NT 4, if you want a system to lock automatically after being idle for a period of time, set up a screensaver – the system will lock automatically after the interval you specify.

One last possibility that you should be aware of in Windows 2000 is the ability to automate the logon process. That is, you can set Windows 2000 up so that it does not require a user to provide a username and password to log in. Instead, the system logs in automatically using the credentials you supply. You can control this behavior (which is obviously not recommended on systems that require security, but may be useful on, say, a kiosk system) by using the Users and Passwords applet in Control Panel. You must specify the user account that the automated logon should use. Note that authentication is still taking place, but everyone is automatically being authenticated as the same user. The credentials for that account are stored on the machine, where anyone with administrative or physical access can recover them, so give the account only the rights the kiosk actually needs.