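Password Recovery: Resetting Passwords

Introduction

Forgetting a password happens sooner or later. Or a piece of network equipment has been left unused for a long time, and when you want to use it nobody knows who set the password. At times like these, the password has to be reset. Procedures for resetting the password on a Cisco router or switch are easy to find online, but they rarely explain the underlying principle in detail, and if you only follow the steps you will soon forget them again. This article tries to bring out the principle behind a password reset by first understanding the boot sequence.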

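890/1900/2900 Series Router Boot Sequence

First, let's look at the router's boot sequence. From the moment the power switch is pressed, a stream of messages appears on the console, much like a personal computer when it starts up.

  1. POST (Power On Self Test) – The router first runs a self-check.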
    Initializing Hardware ...
    
    Checking for PCIe device presence...done
    System integrity status: 0x610
    Rom image verified correctly
    
  2. Load Bootstrap – Next, a program called Bootstrap is loaded. It is a very basic system used to load the OS (that is, IOS) later.
    System Bootstrap, Version 16.7(1r), RELEASE SOFTWARE
    Copyright (c) 1994-2017  by cisco Systems, Inc.
    
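  3. Read the Configuration Register – Important! At this point Bootstrap reads a 16-bit value called the Configuration Register. The default is 0x2102, which is 0010 0001 0000 0010 in binary. Each bit has a different function, and the value is not normally changed; see the Cisco documentation for details. For a password reset, the bit that matters is bit 6 (counting from the right, where the rightmost bit is bit 0), shown here in brackets: 0010 0001 0[0]00 0010. This bit controls whether the router skips reading the Startup Configuration: the default 0 means do not skip (read it), and 1 means skip (do not read it). The Configuration Register value is not shown during boot; it can only be seen after boot with show version.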
    Router>show version
    Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M1, 
         RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 15:23 by prod_rel_team
    
    ROM: System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)
    
    <--Output Omitted-->
    
    Technology Package License Information for Module:'c2900'
    
    ----------------------------------------------------------------
    Technology    Technology-package          Technology-package
                  Current       Type          Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9      Permanent     ipbasek9
    security      securityk9    Permanent     securityk9
    uc            uck9          Permanent     uck9
    data          datak9        Permanent     datak9
    
    Configuration register is 0x2102
    
    Router>
    
  4. Load IOS – IOS is loaded from Flash, TFTP and ROM, in that order. This is the moment when the familiar rows of # characters appear.
    IOS Image Load Test 
    ___________________ 
    Digitally Signed Production Software 
    
    Self decompressing the image : ################################################
    ###############################################################################
    ###############################################################################
    ###############################################################################
    ###############################################################################
    ###############################################################################
    ###############################################################################
    ###############################################################################
    ###############################################################################
    ###############################################################################
    
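  5. Load Startup Configuration – The Configuration Register value decides whether the Startup Configuration is loaded. If it is not loaded, or if no Startup Configuration exists, the router asks whether to run the Initial Configuration, just as a brand-new device does.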
             --- System Configuration Dialog ---
    
    Enable secret warning
    ----------------------------------
    In order to access the device manager, an enable secret is required
    If you enter the initial configuration dialog, you will be prompted for the enable secret
    If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret,
    please set an enable secret using the following CLI in configuration mode-
    enable secret 0 
    ----------------------------------
    Would you like to enter the initial configuration dialog? [yes/no]:
    

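Both the console password and the enable password are stored in the Startup Configuration and are then loaded into the Running Configuration. Changing the configuration, however, requires the enable password, so the philosophy of a password reset comes down to one question: how do you enter Enable Mode (also called Privilege Mode) without a password?

891/1950/2901 Router Password Reset Procedure

The strategy, then, is to skip loading the Startup Configuration at boot, enter Enable Mode with no password set, and then load the configuration manually and change the password. The detailed steps are as follows:

  1. Power on the router and, while IOS is being loaded, press Ctrl-Break on the keyboard (Ctrl-Delete on a Mac) to interrupt the load and enter rommon mode.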
    System Bootstrap, Version 15.4(1r)T1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 2014 by cisco Systems, Inc.
    
    Total memory size = 512 MB
    Field Upgradeable ROMMON Integrity test 
    _______________________________________ 
    
    ROM: Digitally Signed Production Software
    C891F-K9           
    platform with 524288 Kbytes of main memory
    Main memory is configured to 32 bit mode 
    
    Upgrade ROMMON initialized
    
    
    IOS Image Load Test 
    ___________________ 
    Digitally Signed Production Software 
    
    Self decompressing the image : ###########################
    
    monitor: command "boot" aborted due to user interrupt
    
    rommon 1 >
    
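  2. rommon is a debug tool that is rarely used in normal operation. It can do some file management and change parameters; type ? and press <ENTER> to see the available commands. What we want to do is change the Configuration Register from 0x2102 to 0x2142. The command is confreg 2142, followed by reset to reboot.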
    rommon 1 > ?
    alias               set and display aliases command
    boot                boot up an external process
    confreg             configuration register utility
    dev                 list the device table
    dir                 list files in file system
    help                monitor builtin command help
    history             monitor command history
    meminfo             main memory information
    repeat              repeat a monitor command
    reset               system reset
    set                 display the monitor variables
    showmon             display currently selected ROM monitor
    sync                write monitor environment to NVRAM
    token               display board's unique token identifier
    unalias             unset an alias
    unset               unset a monitor variable
    rommon 2 > confreg 2142
    
    You must reset or power cycle for new config to take effect
    rommon 3 > reset
    
    Resetting .......
    
  3. This time let IOS load. Because the Startup Configuration was not loaded, the Initial Configuration Dialog appears at the end. Enter no to skip it, and Enable Mode can now be entered without a password.
             --- System Configuration Dialog ---
    
    Enable secret warning
    ----------------------------------
    In order to access the device manager, an enable secret is required
    If you enter the initial configuration dialog, you will be prompted for the enable secret
    If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret,
    please set an enable secret using the following CLI in configuration mode-
    enable secret 0 
    ----------------------------------
    Would you like to enter the initial configuration dialog? [yes/no]: no
    
    Router>
    Router>enable
    Router#
    
  4. Because loading the Startup Configuration was skipped, copy the Startup Configuration into the Running Configuration manually. The password can now be changed. Finally, don't forget write memory to save the configuration to the Startup Configuration.
    Router#copy startup-config running-config
    Destination filename [running-config]?
    Router#configure terminal
    Router(conf)#
    Router(config)#enable secret cisco
    Router(config)#end
    Router#
    Router#write memory 
    Building configuration...
    
    [OK]
    
  5. Reboot, press Ctrl-Break (Ctrl-Delete on a Mac) again to enter rommon mode, restore the Configuration Register to 0x2102 and reboot. The password reset is now complete.
    rommon 1 > confreg 2102
    
    You must reset or power cycle for new config to take effect
    rommon 2 > reset
    
    Resetting .......
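
The bit-6 logic from the boot sequence and the restore in step 5 can be checked from collected show version output. This is an added example, not part of the original article: it flags a router whose register still has bit 6 set, which would boot without its Startup Configuration (and therefore without passwords). Hostnames, status labels and sample outputs are constructed for the example.

```python
import re

IGNORE_STARTUP_CFG = 1 << 6   # bit 6 (0x0040): skip loading startup-config at boot

# Matches "Configuration register is 0x2102" and the optional
# "(will be 0x2102 at next reload)" suffix IOS prints after a pending change.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)

def skips_startup_config(value: int) -> bool:
    """True when bit 6 is set, i.e. the router boots without startup-config."""
    return bool(value & IGNORE_STARTUP_CFG)

def audit_show_version(hostname: str, output: str) -> dict:
    """Report the current and next-reload register values and flag bit 6."""
    m = CONFREG_RE.search(output)
    if m is None:
        return {"host": hostname, "status": "unknown", "current": None, "next": None}
    current = int(m.group(1), 16)
    nxt = int(m.group(2), 16) if m.group(2) else current
    if skips_startup_config(nxt):
        status = "bypass-on-next-boot"    # next reload comes up with no passwords
    elif skips_startup_config(current):
        status = "bypass-pending-clear"   # booted without config; cleared at next reload
    else:
        status = "ok"
    return {"host": hostname, "status": status,
            "current": f"0x{current:04X}", "next": f"0x{nxt:04X}"}

# Constructed sample outputs (hostnames are made up for this example).
SAMPLES = {
    "rtr-normal": "Configuration register is 0x2102\n",
    "rtr-left-open": "uc   uck9   Permanent   uck9\n\nConfiguration register is 0x2142\n",
    "rtr-restored": "Configuration register is 0x2142 (will be 0x2102 at next reload)\n",
    "rtr-no-line": "ROM: System Bootstrap, Version 15.0(1r)M1\n",
}

def audit_all(samples: dict) -> list:
    """Audit every captured output and return one result row per host."""
    return [audit_show_version(h, out) for h, out in samples.items()]

if __name__ == "__main__":
    for row in audit_all(SAMPLES):
        print(row)
```
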
    

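2900/3500 Series Switch Boot Sequence

The traditional 2900 and 3500 series have no concept of a Configuration Register. Their boot sequence is as follows:

  1. POST (Power On Self Test) – The switch runs a self-check.
  2. flash_init – A small program called flash_init is loaded; it is used to read the files in flash.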
    Initializing Flash...
    mifs[2]: 12 files, 1 directories
    mifs[2]: Total bytes     :    1806336
    mifs[2]: Bytes used      :     831488
    mifs[2]: Bytes available :     974848
    mifs[2]: mifs fsck took 0 seconds.
    mifs[3]: 0 files, 1 directories
    mifs[3]: Total bytes     :    3870720
    mifs[3]: Bytes used      :       1024
    mifs[3]: Bytes available :    3869696
    mifs[3]: mifs fsck took 1 seconds.
    mifs[4]: 5 files, 1 directories
    mifs[4]: Total bytes     :     258048
    mifs[4]: Bytes used      :       8192
    mifs[4]: Bytes available :     249856
    mifs[4]: mifs fsck took 0 seconds.
    mifs[5]: 5 files, 1 directories
    mifs[5]: Total bytes     :     258048
    mifs[5]: Bytes used      :       8192
    mifs[5]: Bytes available :     249856
    mifs[5]: mifs fsck took 0 seconds.
    mifs[6]: 5 files, 2 directories
    mifs[6]: Total bytes     :   57931776
    mifs[6]: Bytes used      :   16562688
    mifs[6]: Bytes available :   41369088
    mifs[6]: mifs fsck took 9 seconds.
    ...done Initializing Flash.
    
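  3. Load IOS – IOS is loaded from Flash, TFTP and ROM, in that order.
  4. Load Startup Configuration – If a file named config.text exists in flash it is loaded; otherwise the switch enters the System Configuration Dialog.

Because the 2900 and 3500 series switches have no Configuration Register, skipping the Startup Configuration only requires renaming config.text in flash.

2950/2960/3550/3560 Switch Password Reset Procedure

  1. The switch has no power button; it boots as soon as it is plugged in. While plugging in the power, hold down the Mode button on the front panel until the switch enters password-recovery mode.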

    Using driver version 3 for media type 1
    Base ethernet MAC Address: aa:aa:aa:aa:aa:aa
    Xmodem file system is available.
    The password-recovery mechanism is enabled.
    
    The system has been interrupted prior to initializing the
    flash filesystem.  The following commands will initialize
    the flash filesystem, and finish loading the operating 
    system software:
    
        flash_init
        boot
    
    
    switch:
    
  2. Enter flash_init to mount the flash file system, then enter dir flash: to list the files in flash.
    switch: flash_init
    Initializing Flash...
    mifs[2]: 12 files, 1 directories
    mifs[2]: Total bytes     :    1806336
    mifs[2]: Bytes used      :     831488
    mifs[2]: Bytes available :     974848
    mifs[2]: mifs fsck took 0 seconds.
    mifs[3]: 0 files, 1 directories
    mifs[3]: Total bytes     :    3870720
    mifs[3]: Bytes used      :       1024
    mifs[3]: Bytes available :    3869696
    mifs[3]: mifs fsck took 1 seconds.
    mifs[4]: 5 files, 1 directories
    mifs[4]: Total bytes     :     258048
    mifs[4]: Bytes used      :       8192
    mifs[4]: Bytes available :     249856
    mifs[4]: mifs fsck took 0 seconds.
    mifs[5]: 5 files, 1 directories
    mifs[5]: Total bytes     :     258048
    mifs[5]: Bytes used      :       8192
    mifs[5]: Bytes available :     249856
    mifs[5]: mifs fsck took 0 seconds.
    mifs[6]: 5 files, 2 directories
    mifs[6]: Total bytes     :   57931776
    mifs[6]: Bytes used      :   16562688
    mifs[6]: Bytes available :   41369088
    mifs[6]: mifs fsck took 9 seconds.
    ...done Initializing Flash.
    
    switch:
    
    
    switch: dir flash:
    Directory of flash:/
    
        2  -rwx  1492      <date>               config.text
        3  -rwx  16353536  <date>               c2960s-universalk9-mz.152-1.E.bin
        4  -rwx  5         <date>               private-config.text
        5  -rwx  3096      <date>               multiple-fs
        6  drwx  512       <date>               dc_profile_dir
    
    41369088 bytes available (16562688 bytes used)
    
  3. Rename config.text in flash to config.bak, then use the boot command to start loading IOS.
    switch: rename flash:config.text flash:config.bak
    
    switch: boot
    Loading "flash:c2960s-universalk9-mz.152-1.E.bin"...@@@@@@@@@@@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    
  4. Because the system cannot find config.text, it cannot load the Startup Configuration and the Initial Configuration Dialog appears. Enter no to skip it, and Enable Mode can now be entered without a password.
             --- System Configuration Dialog ---
    
    Enable secret warning
    ----------------------------------
    In order to access the device manager, an enable secret is required
    If you enter the initial configuration dialog, you will be prompted for the enable secret
    If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret,
    please set an enable secret using the following CLI in configuration mode-
    enable secret 0 
    ----------------------------------
    Would you like to enter the initial configuration dialog? [yes/no]: no
    
    Switch>
    Switch>enable
    Switch#
    
  5. Rename flash:config.bak back to flash:config.text, then copy startup-config to running-config. The password can now be changed. Finally, don't forget write memory to save the configuration to the Startup Configuration. The password reset is complete.
    Switch#rename flash:config.bak flash:config.text
    Switch#copy startup-config running-config
    Switch#configure terminal
    Switch(conf)#
    Switch(config)#enable secret cisco
    Switch(config)#end
    Switch#
    Switch#write memory 
    Building configuration...
    [OK]
    

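3650/3850 Switch Password Reset Procedure

Starting with the 3650, the switch's IOS is Linux-based, and the password reset method differs again. The steps are as follows:

  1. While plugging in the power, hold down the Mode button on the front panel to interrupt the normal boot process.
  2. Enter the command SWITCH_IGNORE_STARTUP_CFG=1 (all uppercase) so that loading the Startup Configuration is skipped.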
    Booting...
    Interface GE 0 link down***ERROR: PHY link is down
    
    The system has been interrupted prior to initializing some
    filesystems and loading the operating system software.
    Console will be reset to 9600 baud rate, need to change terminal setting first.
    The following commands will initialize the remaining filesystems, 
    and finish loading the operating system software:
    
        flash_init
        boot
    
    
    switch: SWITCH_IGNORE_STARTUP_CFG=1
    
  3. Enter the commands flash_init and boot to load IOS.
  4. The system enters the Initial Configuration Dialog. Enter no to skip it, and Enable Mode can now be entered without a password.
             --- System Configuration Dialog ---
    
    Enable secret warning
    ----------------------------------
    In order to access the device manager, an enable secret is required
    If you enter the initial configuration dialog, you will be prompted for the enable secret
    If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret,
    please set an enable secret using the following CLI in configuration mode-
    enable secret 0 
    ----------------------------------
    Would you like to enter the initial configuration dialog? [yes/no]: no
    
    Switch>
    Switch>enable
    Switch#
    
  5. Because loading the Startup Configuration was skipped, copy the Startup Configuration into the Running Configuration manually. The password can now be changed. Finally, don't forget write memory to save the configuration to the Startup Configuration.
    Switch#copy startup-config running-config
    Destination filename [running-config]?
    Switch#configure terminal
    Switch(conf)#
    Switch(config)#enable secret cisco
    Switch(config)#end
    Switch#
    Switch#write memory 
    Building configuration...
    
    [OK]
    
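  6. Reboot, hold the Mode button again to interrupt the normal boot process, set SWITCH_IGNORE_STARTUP_CFG back to 0, then enter the commands flash_init and boot to continue booting. The password reset is complete.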
    Booting...
    Interface GE 0 link down***ERROR: PHY link is down
    
    The system has been interrupted prior to initializing some
    filesystems and loading the operating system software.
    Console will be reset to 9600 baud rate, need to change terminal setting first.
    The following commands will initialize the remaining filesystems, 
    and finish loading the operating system software:
    
        flash_init
        boot
    
    
    switch: SWITCH_IGNORE_STARTUP_CFG=0

2019-05-18

Posted In: Basic Networking Knowledge (Basic Concept)