Saturday, January 23, 2021

Cisco 3750-X Switch Password Recovery

Here's a nice link on performing a password recovery on a Cisco Catalyst 3750-X switch.


Using driver version 3 for media type 2
Base ethernet MAC Address: 78:da:6e:5c:12:34
Xmodem file system is available.
The password-recovery mechanism is enabled.

The system has been interrupted prior to initializing the
flash filesystem.  The following commands will initialize
the flash filesystem, and finish loading the operating
system software:

    flash_init
    boot

switch: flash_init   // TYPE flash_init
Initializing Flash...
mifs[2]: 12 files, 1 directories
mifs[2]: Total bytes     :    2097152
mifs[2]: Bytes used      :     755200
mifs[2]: Bytes available :    1341952
mifs[2]: mifs fsck took 1 seconds.
mifs[3]: 0 files, 1 directories
mifs[3]: Total bytes     :    4194304
mifs[3]: Bytes used      :       1024
mifs[3]: Bytes available :    4193280
mifs[3]: mifs fsck took 2 seconds.
mifs[4]: 5 files, 1 directories
mifs[4]: Total bytes     :     524288
mifs[4]: Bytes used      :      10240
mifs[4]: Bytes available :     514048
mifs[4]: mifs fsck took 1 seconds.
mifs[5]: 5 files, 1 directories
mifs[5]: Total bytes     :     524288
mifs[5]: Bytes used      :      10240
mifs[5]: Bytes available :     514048
mifs[5]: mifs fsck took 0 seconds.

 

switch: dir flash:   // VIEW FLASH MEMORY
Directory of flash:/

2  -rwx  1048 <date> multiple-fs
3  -rwx  41080 <date> config.text.backup
4  -rwx  1636 <date> vlan.dat
5  -rwx  1943 <date> private-config.text.backup
6  -rwx  10897 <date> config.text

switch: rename flash:config.text flash:config.text.old   // RENAME config.text TO BYPASS STARTUP-CONFIG

switch: boot   // RELOAD SWITCH

 

Loading "flash:/c3750e-universalk9-mz.122-55.SE5/c3750e-universalk9-mz.122-55.SE5.bin"...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

 

<OUTPUT TRUNCATED>

 

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

File "flash:/c3750e-universalk9-mz.122-55.SE5/c3750e-universalk9-mz.122-55.SE5.bin" uncompressed and installed, entry point: 0x3000

executing...

 

 

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

 

 

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 09-Feb-12 18:14 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x02800000

 

Initializing flashfs...
Using driver version 1 for media type 2
mifs[3]: 12 files, 1 directories
mifs[3]: Total bytes     : 2097152
mifs[3]: Bytes used      : 755200
mifs[3]: Bytes available : 1341952
mifs[3]: mifs fsck took 0 seconds.
mifs[3]: Initialization complete.

mifs[4]: 0 files, 1 directories
mifs[4]: Total bytes     : 4194304
mifs[4]: Bytes used      : 1024
mifs[4]: Bytes available : 4193280
mifs[4]: mifs fsck took 0 seconds.
mifs[4]: Initialization complete.

mifs[5]: 5 files, 1 directories
mifs[5]: Total bytes     : 524288
mifs[5]: Bytes used      : 10240
mifs[5]: Bytes available : 514048
mifs[5]: mifs fsck took 0 seconds.
mifs[5]: Initialization complete.

mifs[6]: 5 files, 1 directories
mifs[6]: Total bytes     : 524288
mifs[6]: Bytes used      : 10240
mifs[6]: Bytes available : 514048
mifs[6]: mifs fsck took 0 seconds.
mifs[6]: Initialization complete.

mifs[7]: 505 files, 11 directories
mifs[7]: Total bytes     : 57671680
mifs[7]: Bytes used      : 35700736
mifs[7]: Bytes available : 21970944
mifs[7]: mifs fsck took 1 seconds.
mifs[7]: Initialization complete.

...done Initializing flashfs.
Checking for Bootloader upgrade.. not needed

 

POST: CPU MIC register Tests : Begin
POST: CPU MIC register Tests : End, Status Passed

POST: MA BIST : Begin
POST: MA BIST : End, Status Passed

POST: TCAM BIST : Begin
POST: TCAM BIST : End, Status Passed

POST: SF ASIC BIST : Begin
POST: SF ASIC BIST : End, Status Passed

POST: Switch Fabric Memory Tests : Begin
POST: Switch Fabric Memory Tests : End, Status Passed

POST: CPU MIC interface Loopback Tests : Begin
POST: CPU MIC interface Loopback Tests : End, Status Passed

POST: PortASIC RingLoopback Tests : Begin
POST: PortASIC RingLoopback Tests : End, Status Passed

extracting front_end/front_end_ucode_info (309 bytes)
Waiting for Stack Master Election...
POST: Inline Power Controller Tests : Begin
POST: Inline Power Controller Tests : End, Status Passed

POST: Thermal, Fan Tests : Begin
POST: Thermal, Fan Tests : End, Status Passed

POST: PortASIC Port Loopback Tests : Begin
POST: PortASIC Port Loopback Tests : End, Status Passed

POST: EMAC Loopback Tests : Begin
POST: EMAC Loopback Tests : End, Status Passed

Election Complete
Switch 2 booting as Master
Waiting for Port download...Complete

 

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

 

cisco WS-C3750X-48P (PowerPC405) processor (revision M0) with 262144K bytes of memory.
Processor board ID FDO17411234
Last reset from power-on
1 Virtual Ethernet interface
1 FastEthernet interface
52 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 78:DA:6E:5C:12:34
Motherboard assembly number     : 73-12553-10
Motherboard serial number       : FDO17415678
Model revision number           : M0
Motherboard revision number     : B0
Model number                    : WS-C3750X-48P-S
Daughterboard assembly number   : 800-32727-03
Daughterboard serial number     : FDO17414567
System serial number            : FDO1741P23R
Top Assembly Part Number        : 800-31324-08
Top Assembly Revision Number    : C0
Version ID                      : V05
CLEI Code Number                : COMJZ00ABC
Hardware Board Revision Number  : 0x05

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    2 54    WS-C3750X-48P      12.2(55)SE5           C3750E-UNIVERSALK9-M

Press RETURN to get started!

 

<OUTPUT TRUNCATED>

 

 

         --- System Configuration Dialog ---

Enable secret warning
----------------------------------
In order to access the device manager, an enable secret is required
If you enter the initial configuration dialog, you will be prompted for the enable secret
If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret,
please set an enable secret using the following CLI in configuration mode-
enable secret 0 <cleartext password>
----------------------------------
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>enable
Switch#
*Mar  1 00:01:39.740: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
*Mar  1 00:01:39.748: %LINK-5-CHANGED: Interface FastEthernet0, changed state to administratively down

 

Switch#rename flash:config.text.old flash:config.text   // REVERT BACK THE ORIGINAL CONFIG NAME
Destination filename [config.text]?

Switch#copy flash:config.text system:running-config    // DUMP STARTUP-CONFIG TO RUNNING-CONFIG
Destination filename [running-config]?

10897 bytes copied in 3.272 secs (3330 bytes/sec)
MY_SW01#   // NOTICE THE DEFAULT HOSTNAME CHANGED
*Mar  1 00:02:09.360: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan60, changed state to down
*Mar  1 00:02:09.360: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan61, changed state to down
*Mar  1 00:02:09.645: %LINK-5-CHANGED: Interface GigabitEthernet1/0/7, changed state to administratively down
*Mar  1 00:02:09.645: %LINK-5-CHANGED: Interface GigabitEthernet1/0/8, changed state to administratively down
*Mar  1 00:02:09.645: %LINK-5-CHANGED: Interface GigabitEthernet1/0/9, changed state to administratively down

<OUTPUT TRUNCATED>

 

 

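The password recovery (overwriting the passwords) doesn't work when AAA is configured: with the original config loaded back into the running-config, configure terminal is refused with an authorization failure. You'll need to re-configure the switch from scratch and skip the AAA config first. Once you can remotely access the switch via either Telnet or SSH, then apply AAA.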

 

MY_SW01#configure terminal
% Authorization failed.


 

You can view the start-up config by issuing a more flash:/config.text command.

 

Switch#more flash:/config.text
!
! Last configuration change at 05:49:13 UTC Sat Apr 18 2020 by admin
! NVRAM config last updated at 05:49:28 UTC Sat Apr 18 2020 by admin
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MY_SW01

<OUTPUT TRUNCATED>

aaa new-model
!
aaa group server tacacs+ MY_GROUP
 server 10.11.6.4

<OUTPUT TRUNCATED>

 

 

Once you've bypassed the startup-config (config.text), you can overwrite the passwords and save the config.

 

Switch(config)#hostname MY_SW01
MY_SW01(config)#enable secret cisco123
MY_SW01(config)#
MY_SW01(config)#username admin privilege 15 secret cisco123
MY_SW01(config)#line con 0
MY_SW01(config-line)# password cisco123
MY_SW01(config-line)#login
MY_SW01(config-line)#line vty 0 4
MY_SW01(config-line)# password cisco123
MY_SW01(config-line)#login
MY_SW01(config-line)#transport input all
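
A check over the recovery commands above, added here as an example and not part of the original post: it strips the config-mode prompts from the session and flags the settings worth replacing once access is restored (shared line passwords, Telnet accepted on the vty lines, one secret value reused everywhere). The function names and finding texts are this example's own.

```python
import re

# Session lines copied from the post's last step, prompts included.
SESSION = """\
Switch(config)#hostname MY_SW01
MY_SW01(config)#enable secret cisco123
MY_SW01(config)#
MY_SW01(config)#username admin privilege 15 secret cisco123
MY_SW01(config)#line con 0
MY_SW01(config-line)# password cisco123
MY_SW01(config-line)#login
MY_SW01(config-line)#line vty 0 4
MY_SW01(config-line)# password cisco123
MY_SW01(config-line)#login
MY_SW01(config-line)#transport input all
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "MY_SW01(config-line)#"

def commands(session):
    """Strip IOS config-mode prompts and return the bare commands that were typed."""
    stripped = (PROMPT.sub("", raw.strip()).strip() for raw in session.splitlines())
    return [cmd for cmd in stripped if cmd]

def audit(session):
    """Return (context, command, finding) tuples; secret values are never echoed."""
    findings, line_ctx, secrets = [], None, {}
    for cmd in commands(session):
        words = cmd.split()
        if words[0] == "line":                    # entering a line sub-mode
            line_ctx = cmd
        elif words[0] in ("exit", "end"):         # leaving it again
            line_ctx = None
        elif line_ctx and words[0] == "password":
            findings.append((line_ctx, "password <redacted>", "shared line password, not a per-user login"))
        elif line_ctx and cmd == "login":
            findings.append((line_ctx, cmd, "checks the line password; 'login local' uses the username database"))
        elif line_ctx and words[:2] == ["transport", "input"] and {"all", "telnet"} & set(words[2:]):
            findings.append((line_ctx, cmd, "Telnet accepted; 'transport input ssh' limits the line to SSH"))
        if words[-2:-1] in (["secret"], ["password"]):   # "<keyword> <value>" at end of command
            secrets.setdefault(words[-1], []).append(words[0])
    for used_in in secrets.values():
        if len(used_in) > 1:
            findings.append(("global", "secret/password x%d" % len(used_in), "one secret value reused across credentials"))
    return findings
```

Running audit(SESSION) returns six findings: two for line con 0, three for line vty 0 4, and one for the secret shared by the enable, user and line credentials.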