Password Recovery - Cisco Routers
So, you've got a router but you've forgotten the password. Follow these
instructions to break in to it. Follow these steps exactly and you'll
be able to break in without wiping out the configuration. Follow these steps
incorrectly, and you'll be able to break in but you'll accidentally delete all
of the other configs. So be careful.
This technique will work on most Cisco routers running "classic" IOS,
assuming they have boot-ROMS with at least IOS 10.0, which yours will if
your router was made after mid-1994. (Earlier routers, like the AGS+, required
physically moving a jumper on the processor board).
- Connect a console cable to the router and a PC, and run HyperTerminal in
Windows' "Accessories" directory. (If you're using a Mac, a good Terminal
Emulation tool is ZTerm, from www.homepage.mac.com/dalverson/zterm ).
The console settings are 9600 baud, 8 databits, 1 stopbit, no parity.
- Type "show version" and note the setting of the Configuration Register at
the very bottom of the output. It will usually be either 0x2102 or 0x102.
- Turn the router off, then on again.
- Wait for 60 seconds, then hit the Break key on your keyboard. (This will
be Ctrl-Break in HyperTerminal).
- If your PC's copy of HyperTerminal is giving you trouble (older
versions used a different keymap, making the Break sequence hard to find)
download the current version, which is now free, from
www.hilgraeve.com
- You will either see a > prompt with no
router name after it, or you will see an RMON> prompt. If you don't see
these you didn't hit the Break key right, or you waited too long. Try
again.
- You now need to change the Configuration Register to let the router
boot up in password-less mode. Do it with either one of these 2 methods,
depending on which prompt you see:
- If you see just the > prompt, then type
o/r0x42 (the first character is the letter "o", and the fourth
character is the number zero). This will boot from the IOS image in FLASH. If
there is a problem with the FLASH you can alternately boot from the boot-ROMs
by typing o/r0x41 at the prompt. Boot from FLASH whenever possible,
since the boot-ROM option only allows you to view the password, not change it,
which won't be fun if the password is encrypted. Then type i and hit
Return to reboot the router.
- If you see the RMON> prompt, then type confreg 0x42, or
confreg 0x41, depending on if you want to boot from FLASH or the
boot-ROMs. (See above paragraph) Then type reset and hit Return to
reboot the router.
(If the commands aren't working, type ? to see a list of supported
RMON commands.)
- As the router boots up, answer No to all questions. If you answer
Yes, you will wipe out the configuration and cause the router to go into
initial "first-time user" Setup mode.
- When the reboot is complete and you see the Router> prompt, type
enable. You won't be asked for any password, and the prompt will change
to Router#. Then choose one of these options:
- To just VIEW the password, type show config. If the router was
not configured with the "service password-encryption" option then you will
see the enable password listed in the config. If it is encrypted then you
will need to change it.
- To CHANGE the password, do this:
- Type config mem, which will copy the contents of NVRAM into
memory.
- Then change the password by typing enable secret logic, or
whatever password you want.
- Hit Ctrl-z to escape back out to the main prompt and type
write mem to save the change.
- Keep in mind that when you save the configuration in this mode you
are doing so while booted from a bare-bones version of IOS. You need to
save the change in order for the password to work after rebooting, but
you will lose any commands that are part of a more current IOS and not
understood by the simpler IOS (the IOS in FLASH is usually more current
than what is in the boot ROMs). You may need to re-configure some of
these after booting back from FLASH. Check your config when you're done
to make sure no commands got lost. (Or copy and paste the config into a
text file now, so you can copy and paste them back in later).
- Then change the Configuration Register back to its original value, in
order to reboot from the saved configuration. Do this by typing config
term, then typing config-register 0x2102, or whatever the original
value was when you checked in the second step when you began.
- Hit Ctrl-z to escape back out to the main prompt and DO NOT save
the config this time, even if you are asked.
- Type reload and the router will reboot, and you now know the
password. Double-check the value of the Processor Configuration register by
typing show version again and make sure the value at the bottom is the
same as it was originally.
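The register values used in the steps above (0x2102, 0x102, 0x42, 0x41) can be decoded bit by bit. The following Python is an added example, not part of the original page: it decodes a register value and checks the last line of "show version" output for bit 6 (0x0040, ignore the saved configuration), so you can confirm a router was not left in password-less mode. The function names and the sample line are constructed for illustration; the bit meanings follow Cisco's documented register layout.

```python
import re

# Bit meanings from Cisco's documented configuration-register layout.
FLAGS = {
    0x0040: "ignore NVRAM startup-config (password-less boot)",
    0x0100: "Break disabled",
    0x2000: "fall back to ROM software if network boot fails",
}
# Low four bits are the boot field; 0x2-0xF all mean a normal boot.
BOOT_FIELD = {0x0: "stay in ROM monitor", 0x1: "boot from boot-ROMs"}
NORMAL_BOOT = "boot normally (FLASH / boot system commands)"

def decode(value):
    """Return (boot behaviour, list of set flags) for a 16-bit register."""
    boot = BOOT_FIELD.get(value & 0x000F, NORMAL_BOOT)
    flags = [text for bit, text in FLAGS.items() if value & bit]
    return boot, flags

def audit_show_version(text):
    """Find the register line in 'show version' output and test bit 6."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", text)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return {
        "current": current,
        "after_reload": pending,
        "ignores_config_now": bool(current & 0x0040),
        "ignores_config_after_reload": bool(pending & 0x0040),
    }

# Constructed sample: the register line as it would read after typing
# config-register 0x2102 but before the final reload.
SAMPLE = "Configuration register is 0x42 (will be 0x2102 at next reload)\n"

if __name__ == "__main__":
    for v in (0x2102, 0x102, 0x42, 0x41):
        print(hex(v), decode(v))
    print(audit_show_version(SAMPLE))
```

If "ignores_config_after_reload" is still true once the procedure is finished, the router will come up unconfigured and without passwords on its next reboot.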