ROMMON

Most CISCO devices have a ROM Monitor mode, called ROMMON. This is the ultimate debugging, upgrade, securing and hacking vector! From the CISCO web site, download “Troubleshooting and Maintenance: Using the ROM Monitor” for the 2900 series routers. Browse through the document and note the main activities you can perform at ROMMON level.

On a regular router, inserting a break during boot drops the router into ROMMON. In Packet Tracer, it can be difficult to get the router into ROMMON. The easiest approach is probably to set the Configuration Register to 0x2100 and reload.

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#config-register 0x2100
Router(config)#^Z
Router#
%SYS-5-CONFIG_I: Configured from console by console

Router#
Router# reload
Proceed with reload? [confirm]y

System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Copyright (c) 2000 by cisco Systems, Inc.
cisco 2811 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory

rommon 1 >

We can now carry out a range of the activities described in the document you downloaded previously.

Use ? to review the available commands.

Display the contents of the file system.

Reset the Configuration Register to 0x2102 and reload.

rommon 8 > confreg 0x2102
rommon 9 > reset

Now we know we can get in and out of the router! We could use these techniques to copy new IOS images from TFTP servers or do all kinds of other interesting things.

Resetting a Router Password

With most equipment, once we can get physical access, we can hack the equipment! Once we can connect a terminal to a router and force a reboot, we can drop the router to ROMMON and bypass all security. This can be a very useful technique for administrators to recover passwords. It also means that anyone who can access your equipment, even for a few minutes, can take over the equipment!! Search the CISCO web site for instructions on recovering passwords. Find the right procedure for the device you are using in Packet Tracer. Roughly speaking, you will:

  1. Boot to ROMMON

  2. Set bit 6 of the Configuration Register (0x2142)

  3. Reload

  4. Enter Enable mode

  5. Copy the startup-config file to running-config

  6. Change the password and save the configuration

  7. Reset the configuration register to its original value

  8. Reload

You have just completed a hostile takeover of someone else’s router. As a variation on this theme, you could have:

  • Changed the firmware for a backdoored version.

  • Left any other backdoor!

  • Made a subtle change.

  • Set up an alternative administrator whilst leaving the original intact.

In short, you have control of the router and a legitimate administrator will never know!!

On any site with more than a handful of devices, there is normally some sort of version control for the configurations: devices are checked periodically (midnight?) to see whether any configuration change has been made, and the new configuration is backed up.

We can also alert on configuration change, but even then the administrator only learns about it after the incident has occurred. Not good!
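As an added illustration of that periodic check (not code from the original handout), the script below diffs a backed-up configuration against the current one, flags changes in the lines an attacker would touch (local users, enable secret, boot image, management services), and reads the configuration register out of constructed “show version” output so that a register left at 0x2142 is reported. The configuration samples, account names and image filename are constructed for the example.

```python
import re

# Constructed sample: the configuration backed up at the last scheduled check.
BASELINE = """\
hostname Router
enable secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
username admin privilege 15 secret 5 $1$abcd$yyyyyyyyyyyyyyyyyyyyyy
boot system flash:ios-image.bin
line con 0
end
"""

# Constructed sample: the same router after the "alternative administrator"
# variation described above; the legitimate admin account is left intact.
CURRENT = """\
hostname Router
enable secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
username admin privilege 15 secret 5 $1$abcd$yyyyyyyyyyyyyyyyyyyyyy
username backup-op privilege 15 secret 5 $1$zzzz$zzzzzzzzzzzzzzzzzzzzzz
boot system flash:ios-image.bin
line con 0
end
"""

# Constructed sample: last line of "show version", taken after step 7 of the
# recovery procedure but before the final reload.
SHOW_VERSION = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"

# Configuration lines worth an alert when they appear, vanish or change.
WATCHED = ("username ", "enable secret", "boot system", "ip http", "snmp-server")

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def audit(baseline: str, current: str, show_version: str) -> list:
    """Compare a backed-up config with the current config and the register
    reported by 'show version'; return a list of human-readable findings."""
    base, cur = set(baseline.splitlines()), set(current.splitlines())
    findings = [f"ADDED: {l}" for l in sorted(cur - base) if l.startswith(WATCHED)]
    findings += [f"REMOVED: {l}" for l in sorted(base - cur) if l.startswith(WATCHED)]
    m = CONFREG_RE.search(show_version)
    if m:
        for value in (v for v in m.groups() if v):
            # 0x2142 has bit 6 set, which makes the router ignore NVRAM at boot.
            if value.lower() != "0x2102":
                findings.append(f"CONFREG: {value} (expected 0x2102)")
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT, SHOW_VERSION):
        print(finding)
```

Run it on the captured output of “show running-config” and “show version” from each device at the scheduled check, and route any non-empty result to the alerting channel.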
