Theres no real intro needed to this tutorial. This is literally going to be a step by step, just
as the title suggests. However, before I go on, I think it important to know WHY and HOW
this works as well as it can be applied somewhat to other devices/situations.

Cisco routers work like this:
ROM > NVRAM > FLASH > DRAM
lets break it down:

ROM:
This is your Basic IOS. (thats Internetworking Operating System for those who dont know)
Think of it kind of like CMOS with the exception that you cannot flash or alter it. The ROM
contains the /BOOTP as well.

The Bootp has a value which defines how the device will boot.
They are as follows:
0x2102 <-- normal boot sequence
0x2142 <-- skips NVRAM
0x2101 <-- skips FLASH
0x2000 <-- diagnostic mode

NVRAM:
Non Volatile RAM. This is like a hard drive being that the memory is non-volatile meaning
that the info in it stays after a reboot. This contains the startup-config which contains the
PWs to the device.

FLASH:
This is your IOS.

DRAM:
Think of this as RAM, because thats what it is. Its volatile memory that contains the
running-config. Any changes you make to the system are saved to the running config but
being its volatile, once the system is rebooted for whatever reason, those changes are gone.
This is why you "copy run start" to save the changes in the running config to the startup
config so that they are applied if/when the device is rebooted.

(pardon the abbreviation of the commands, but as anyone thats used Ciscos IOS knows,
you can abbreviate any command or subcommand pretty well, so no need to write it all out.
"cop ru st" will so the same thing as "copy run start". Blah blah blah, you get the idea, no
need to get into this now.)

Moving on.
Now that Ive explained all that and you hopefully have an understanding of how the
devices boot sequence works, on to the password recovery.

1. Reboot the device.

2. press control + break within 60 seconds of the reboot.
this brings you to the basic IOS.
Now you can change the value in the BOOTP from 0x2102 to 0x2142, which skips
NVRAM, which contans the startup-config, which contains the password.

3. Reset.
Ok, so now that this point the device will boot up and due to the change in the bootp will
bypass the NVRAM and bring you into the IOS.

4. At the prompt:
Router> enable
Router# copy start run
ROUTERNAME#config t
here is where you either view or change the password. You may be able to view it if the
administrator hasnt encrypted it. If thay have, you can crack it or easier still just assign a
new one.
ROUTERNAME(config)#config 0x2102
this changes the boot sequence back to normal.
ROUTERNAME#copy run start
This copies the DRAM to the NVRAM... thus saving the changes you made.

5. Reboot.
Done. The device will then reboot and prompt you for the password that you just set. Enter
it and its all good.
Hope you enjoyed this tutorial.