So I was reading Ivan’s blog yesterday morning and came across a post he had in regards to recovering from disabling the ability to perform password recovery and the moral that particular post was to test the feature prior to just implementing it because as was his case, he was running into issues…So that got me thinking…how many people have never attempted to recover from enabling the command? How many people would like to enable the command but have never seen it done? How many people have enabled this on their corporate routers and left the company only to take with them the enable passwords for all the network equipment?

Well I figured I would walk everyone through enabling the command as well as recovering a router that has the command enabled with a forgotten enable password.

***Note***
If you have never performed password recovery on a Cisco device prior to attempting this, please visit the following page for detailed explainations of how it is performed for your particular platform:

http://www.cisco.com/warp/public/474/index.shtml

In particular the document most relevant to this discussion is located here:

ISR 2800 Series Password Recovery Procedure

Anyway to get started, I’m going to be using a 2811 from my lab that has 12.4(18) Advanced Enterprise IOS loaded and 12.4(13r)T ROMMON. This can be seen from the image below:

Next I need to actually enable the ‘no service password-recovery’ command so I move to config mode. Now notice that in my case the command is not listed, it’s deemed a ‘hidden’ command…I have tested with a great # of different IOS images and some list the command yet others don’t however have no fear, I assure you the command is actually there
 

…Notice I will input the command even though the parser doesn’t present it to me as an option and upon inputting it I get a very stern warning stating that enabling this will disable the ability to perform password recovery on the device. The router gives me option to enable the command by typing Yes or not by typing No.

After enabling the command I will actually configure an enable password because I had forgotten to do that earlier (Hey their lab routers…it’s easier to just run them without having to type all those pesky passwords in). Now the password here is just to show you that the router actually has one enabled…..in your case you may not know what this password actually is….now if I perform what I am attempting to do correctly, this password I just typed in will be irrelevant because remember in the real world the router has an enable password configured but we don’t know what it is….We could just password recover the router but Oh Yeah….they disabled the ability to do that too with the above command!!! So I enter ‘CCIE6200′ as the enable password, this is shown below:

I next need to write my configuration to memory thus saving my enable password but also the ‘no service password-recovery’ command. So now let’s exit from the router and try and enter back into enable mode….Since I know the password I simply type it in here…In your case if you don’t know the password no big deal because we are about to reload the router anyway…I’m simply showing you that the router actually took the enable command I entered above.

So for the sake of this post I have a fairly basic configuration loaded on my router but none the less, it’s not a default configuration. Let’s take a look at the running configuration prior to trying to reloading the router….Why we are examining the running-configuration will become evident a little later when we attempt to disable the’no password recovery’ feature:

Notice that the router has the ‘no service password-recovery’ command enabled and an enable secret password listed. Let’s go ahead and reload the router from the CLI…in your case you can turn the power off and back on if you like if you do not have access to the CLI.

Now after the router begins to boot notice the message that it displays on the screen, “PASSWORD RECOVERY FUNCTIONALITY IS DISABLED” so if you were attempting to recover the password using the method listed in the ***NOTE*** section, you would be unable to do so. So how are we able to get into the router?? We don’t know the enable password to the router and we are unable to perform password recovery. Well even though the output message tells us we are unable perform password recovery….it’s not entirely true…If we allow the router to continue booting we can simply enter the break sequence at a different time. In our case we need to let the router continue to boot until we see a line that says:

Image text-base: <hex>, data-base <hex>

After this line appears on your screen you can hit the break sequence as shown below:

Now after hitting the break sequence, the router is very explict in regards to your options for gaining access to the router….There are some upsides here and the are some downsides…You can get access to router however you are going to do it at the expense of resetting the router back to its factory default settings!!! In our hypothectical case we have no choice because we have no access to the router we will pick Yes and the router begins to set itself back to the state we shipped it to you from our factory….now after a bit the router will be fully booted and we will be back at the Router> prompt…at this point I have the ability to enter into enable mode without entering a password:

Now remember earlier we looked at the running configuration of the router prior to reloading it…Here is why we did that….a couple of screenshots above the router told use that it was setting itself back to its default configuration…we now have full access to the router and if we examine the running configuration now you can see that it is not the same as it was before we circumvented to ’no password recovery’ feature:

So just as Ivan’s post had a moral…so does this one….The moral here is you can’t have your cake and eat it too!! You certainly can get into a router that has the ‘no service password-recovery’ command enabled, but don’t expect that your going to get your old configuration back….At best you could hope that someone saved the config to flash or a tftp server or CiscoWorks had an archived version of the config saved somewhere for you…..