Cisco PIX/ASA Firewall Password Recovery
Cisco ASA Firewall Password Recovery
==================
The ASA password recovery process is much like a router's: it is done by changing the configuration register value, so no password recovery file is needed.
1. What you need for password recovery
A. A PC
B. An ASA console cable
Connect the PC's COM port to the ASA console port with the console cable.
2. Password recovery procedure
First, open HyperTerminal on the PC, then power on the ASA and quickly press ESC or CTRL+BREAK to enter ROMMON.
You can press the Esc (Escape) key after "Use BREAK or ESC to interrupt boot" is shown. This will take you into ROMMON mode, as follows:
rommon #0>
Then enter the confreg command to change the configuration register value. There are two ways. The first is to type confreg and answer the menu step by step, as follows:
rommon #1> confreg
Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]: y
Accept the defaults for everything, and answer y when asked "disable system configuration?".
This changes the boot mode from 0x11 to 0x41.
The second way is to set the configuration register directly with the command confreg 0x41, as follows:
rommon #1> confreg 0x41
Update Config Register (0x41) in NVRAM...
After the change, reboot:
rommon #2> boot
Once the ASA has booted, the enable password is empty.
ciscoasa> enable
Password:<cr>
ciscoasa# copy startup-config running-config
ciscoasa# configure terminal
Set new passwords:
ciscoasa(config)# password PIXPa55
ciscoasa(config)# enable password PIXp455
ciscoasa(config)# username BluShin password Goodp455
Restore the original configuration register value:
ciscoasa(config)# config-register 0x11
Save the configuration. Do not forget this step, otherwise the new passwords will not take effect.
ciscoasa(config)# copy running-config startup-config
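A check for the loose ends this procedure leaves behind, added here as an example and not part of the original page: it decodes the register as the confreg summary above describes it (an assumed bit mapping) and flags a register that still ignores startup-config, an enable or login password left at a well-known default hash, and a device with recovery disabled. It assumes show version reports the register as "Configuration register is 0x..."; the sample outputs are constructed.

```python
import re

# Configuration-register bits as the confreg summary above describes them
# (assumed mapping, inferred from the 0x11 -> 0x41 change in the procedure).
BOOT_DEFAULT_IMAGE_ON_NETBOOT_FAIL = 0x01
BOOT_TFTP_IMAGE = 0x10
IGNORE_STARTUP_CONFIG = 0x40   # the bit "disable system configuration? y" sets

# Well-known PIX/ASA hashes: an empty enable password, and "passwd cisco".
DEFAULT_HASHES = {"8Ry2YjIyt7RRXU24", "2KFQnbNIdI.2KYOU"}

# Constructed sample device output for the demo (not from a real device).
SAMPLE_VERSION = "Cisco Adaptive Security Appliance Software Version 7.2(2)\nConfiguration register is 0x41\n"
SAMPLE_CONFIG = """hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
username BluShin password Goodp455
no service password-recovery
"""


def decode_confreg(value):
    """Decode a register value into its flags, e.g. decode_confreg(0x41)."""
    return {
        "boot_tftp": bool(value & BOOT_TFTP_IMAGE),
        "boot_flash_default": bool(value & BOOT_DEFAULT_IMAGE_ON_NETBOOT_FAIL),
        "ignore_startup_config": bool(value & IGNORE_STARTUP_CONFIG),
    }


def audit_after_recovery(show_version, running_config):
    """Return the loose ends a recovery commonly leaves behind."""
    findings = []
    m = re.search(r"Configuration register is (0x[0-9a-fA-F]+)", show_version)
    if m is None:
        findings.append("no config register line in show version output")
    elif decode_confreg(int(m.group(1), 16))["ignore_startup_config"]:
        findings.append(f"register {m.group(1)} still ignores startup-config")
    lines = [ln.strip() for ln in running_config.splitlines()]
    for keyword, label in (("enable password", "enable"), ("passwd", "login")):
        hits = [ln.split() for ln in lines if ln.startswith(keyword + " ")]
        if not hits:
            findings.append(f"{label} password not set")
        # The hash/password token is the last word, or the one before "encrypted".
        elif any((h[-2] if h[-1] == "encrypted" else h[-1]) in DEFAULT_HASHES for h in hits):
            findings.append(f"{label} password is a well-known default")
    if "no service password-recovery" in lines:
        findings.append("recovery disabled: the next recovery erases flash")
    return findings
```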
Afterword
====================
Sometimes, to harden the device, we enter the no service password-recovery command. With it set, password recovery can no longer be done by changing the configuration register; the only way is to erase all files, which of course includes the configuration file and the OS image.
ciscoasa(config)# no service password-recovery
WARNING: Saving "no service password-recovery" in the startup-config will disable password recovery via the PIX Password Lockout Utility. The only means of recovering from lost or forgotten passwords will be for the PIX Password Lockout Utility to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the Monitor Mode command line.
Two things to note:
1. Recovery wipes the entire configuration.
2. You must keep a saved copy of the configuration, and have a way to fetch the images to restore from the Monitor Mode command line.
Recovery procedure: establish a physical console connection and reload the device (reload command).
Press the Esc (Escape) key after "Use BREAK or ESC to interrupt boot" is shown.
The device prompts:
a new image must be downloaded via ROMMON.
Erase all file systems? y/n [n]: yes
Disk1: is not present.
Enabling password recovery...
rommon #0>
rommon #0> ADDRESS=192.168.10.1
rommon #1> SERVER=192.168.10.250
rommon #3> interface GigabitEthernet0/0
GigabitEthernet0/0
MAC Address: 000f.f775.4b54
rommon #4> file asa702.bin
rommon #5> tftpdnld
tftp  asa702.bin@192.168.10.250 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Note
The security appliance downloads the system image file in memory and boots up the device. However, the downloaded system image is not stored in flash.
This means the image is only in memory and is not saved to flash.
At this point you can log in:
ciscoasa> enable
ciscoasa# copy tftp: running-config
Address or name of remote host []? 192.168.10.250
Source filename []? CiscoASA.conf
Load the previously saved configuration file into the device, then reset the passwords and save.
There are two security points here:
1. The image is kept on the TFTP server, and the backup configuration file is kept in a separate location.
2. The configuration file that was in use has been erased.
Note: if the TFTP server is not on the same subnet, also set the gateway:
rommon #2> GATEWAY 192.168.10.100
Note: the TFTP parameters need to be configured in advance, in preparation for password recovery. The example below is done in ROMMON:
Example 4-49. Setting Up TFTP Parameters
rommon #0> ADDRESS 192.168.10.1
rommon #1> SERVER 192.168.10.250
rommon #2> interface GigabitEthernet0/0
GigabitEthernet0/0
MAC Address: 000f.f775.4b54
rommon #3> file ASA702.bin
rommon #4> set          # verify the parameters
rommon #5> tftpdnld     # start the download
tftp  ASA702.bin@192.168.10.250 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
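The second note above only helps if the TFTP server actually holds a usable image and a current configuration backup. This added example (not from the page) checks that kit before it is needed: every file in a recorded manifest must exist, match its SHA-256 and not be older than a chosen number of days. The file names come from the procedure above; the demo's files, hashes and ages are constructed.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

IMAGE_NAME = "asa702.bin"      # file names used in the procedure above
CONFIG_NAME = "CiscoASA.conf"


def sha256_of(path):
    """Stream the file so a full ASA image does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_recovery_kit(tftp_root, manifest, max_age_days=30):
    """manifest maps file name -> recorded SHA-256; returns a list of problems."""
    problems = []
    root = Path(tftp_root)
    for name, expected in manifest.items():
        path = root / name
        if not path.is_file():
            problems.append(f"{name}: missing from TFTP root")
            continue
        if sha256_of(path) != expected:
            problems.append(f"{name}: SHA-256 does not match the recorded value")
        age_days = (time.time() - path.stat().st_mtime) / 86400
        if age_days > max_age_days:
            problems.append(f"{name}: backup is {age_days:.0f} days old")
    return problems


def demo():
    """Constructed TFTP root: a good image, a tampered and stale config, a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        image = b"placeholder-not-a-real-asa-image\n" * 64   # constructed bytes
        (root / IMAGE_NAME).write_bytes(image)
        config = root / CONFIG_NAME
        config.write_text("hostname ciscoasa\nno service password-recovery\n")
        old = time.time() - 60 * 86400                       # make the backup 60 days old
        os.utime(config, (old, old))
        manifest = {
            IMAGE_NAME: hashlib.sha256(image).hexdigest(),   # matches
            CONFIG_NAME: "0" * 64,                           # recorded hash no longer matches
            "asa702-old.bin": "0" * 64,                      # never copied to the server
        }
        return check_recovery_kit(root, manifest)
```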
  
Cisco PIX Firewall Password Recovery
======================
There are two ways to recover a PIX password: with a floppy drive, or without one. Since newer models no longer have a floppy drive, I will only cover the method without one. Either way, PIX password recovery differs slightly from a router's: it requires a dedicated password recovery file, and the file depends on the PIX OS version. Most PIX OS installations today run 7.0 or 8.0, so we use the recovery file for those two versions in this lab: np70.bin (7.0 and 8.0 release).
1. What you need for password recovery
A. A PC
B. A PIX console cable and a crossover cable, to connect to the PIX
C. The password recovery file (np70.bin)
D. TFTP server software
Connect the PC to the PIX in two ways: the console cable from the PC's COM port to the PIX console port, and the crossover cable from the PC's network card to one of the PIX's Ethernet interfaces. Then start the TFTP service on the PC and put np70.bin in the TFTP directory.
2. Password recovery procedure
First, open HyperTerminal, then press ESC or BREAK quickly while the PIX boots to enter ROM Monitor mode. You will see the following:
CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
32 MB RAM
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 00 00   8086   7192 Host Bridge       
00 07 00   8086   7110 ISA Bridge        
00 07 01   8086   7111 IDE Controller    
00 07 02   8086   7112 Serial Bus         9
00 07 03   8086   7113 PCI Bridge        
00 0D 00   8086   1209 Ethernet           11
00 0E 00   8086   1209 Ethernet           10
Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.                        
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)
Ethernet auto negotiation timed out.
Ethernet port 1 could not be initialized.
Use ? for help.
Type "?" to list the commands.
monitor> ?
?                        this help message                  # help
address   [addr]   set IP address of the PIX interface on which
                    the TFTP server resides                 # IP of the PIX interface facing the TFTP server
file          [name] set boot file name                     # name of the file to fetch via TFTP
gateway   [addr] set IP gateway                             # set the gateway
help                    this help message
interface    [num]   select TFTP interface                  # select the interface to use for TFTP
ping        <addr> send ICMP echo
reload                    halt and reload system            # reboot
server    [addr] set server IP address                      # TFTP server address
tftp                   TFTP download                        # start the transfer
timeout            TFTP timeout
trace                 toggle packet tracing
Now the password recovery commands:
monitor> interface 0    # select eth0, the interface connected to the PC
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)
Using 0: i82557 @ PCI(bus:0 dev:14 irq:10), MAC: 000d.bc7e.d97a
monitor> address 192.168.11.11    # set the interface IP address
address 192.168.11.11
monitor> file np70.bin    # specify the file to fetch via TFTP
file np70.bin
monitor> ping 192.168.11.88    # test reachability of the TFTP server
Sending 5, 100-byte 0x9e5e ICMP Echoes to 192.168.11.88, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> server 192.168.11.88    # set the TFTP server IP address
server 192.168.11.88
monitor> tftp    # start the transfer
tftp
np70.bin@192.168.11.88 ..........................................................................
......................................................................
Received 129024 bytes
Cisco Secure PIX Firewall password tool (3.0) #0: Wed Mar 27 11:02:16 PST 2002
System Flash=E28F640J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000
Do you wish to erase the passwords? [yn] y
The following lines will be removed from the configuration:
        enable password mLbCjoY6Ql1vh0o4 encrypted
        passwd i/Y4R6kWHD6hjJ/v encrypted
Do you want to remove the commands listed above from the configuration? [yn] y
Passwords and aaa commands have been erased.
Rebooting..
CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
32 MB RAM
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 00 00   8086   7192 Host Bridge       
00 07 00   8086   7110 ISA Bridge        
00 07 01   8086   7111 IDE Controller    
00 07 02   8086   7112 Serial Bus         9
00 07 03   8086   7113 PCI Bridge        
00 0D 00   8086   1209 Ethernet           11
00 0E 00   8086   1209 Ethernet           10
Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1536512 bytes of image from flash.
##################################################################################
32MB RAM
System Flash=E28F640J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000
mcwa i82559 Ethernet at irq 11 MAC: 000d.bc7e.d97b
mcwa i82559 Ethernet at irq 10 MAC: 000d.bc7e.d97a
-----------------------------------------------------------------------
                               ||        ||
                               ||        ||
                              ||||      ||||
                          ..:||||||:..:||||||:..
                        c i s c o S y s t e m s
                    Private Internet eXchange
-----------------------------------------------------------------------
                        Cisco PIX Firewall
Cisco PIX Firewall Version 7.2(2)
                         
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES:           Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Limited
IKE peers:          Unlimited
****************Warning ************************
Compliance with U.S. Export Laws and Regulations - Encryption.
This product performs encryption and is regulated for export
by the U.S. Government.
This product is not authorized for use by persons located
outside the United States and Canada that do not have prior
approval from Cisco Systems, Inc. or the U.S. Government.
This product may not be exported outside the U.S. and Canada
either by physical or electronic means without PRIOR approval
of Cisco Systems, Inc. or the U.S. Government.
Persons outside the U.S. and Canada may not re-export, resell
or transfer this product by either physical or electronic means
without prior approval of Cisco Systems, Inc. or the U.S.
Government.
********************* Warning ***********************
Copyright (c) 1996-2002 by Cisco Systems, Inc.
                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706
.
Cryptochecksum(changed): f72dbc0b 3560939d 6544ff4a 70d7e598
Type help or '?' for a list of available commands.
pixfirewall> en
Password: <cr>
pixfirewall#
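After np70.bin runs, the transcript above lists the credential lines it dropped, and the device then accepts an empty enable password. This added example (not from the page) diffs a saved backup against the post-recovery configuration to produce the list of authentication lines to put back; it assumes the tool strips enable password, passwd and aaa lines, adds username lines to the checklist as an assumption, and the sample configs are constructed (the two hashes are the ones shown in the transcript).

```python
# Command prefixes the PIX password tool strips (enable password, passwd and
# the "aaa commands" it reports), plus "username", an assumption added so the
# checklist also covers local accounts.
AUTH_PREFIXES = ("enable password", "passwd", "aaa", "username")


def auth_lines(config_text):
    """Return the authentication-related lines of a PIX/ASA config, in order."""
    return [ln.strip() for ln in config_text.splitlines()
            if ln.strip().startswith(AUTH_PREFIXES)]


def restore_checklist(backup_config, current_config):
    """Auth lines present in the backup but absent from the device now."""
    current = set(auth_lines(current_config))
    return [ln for ln in auth_lines(backup_config) if ln not in current]


# Constructed sample configs: what was saved before, and what the PIX holds
# after the password tool has run.
BACKUP_CONFIG = """hostname pixfirewall
enable password mLbCjoY6Ql1vh0o4 encrypted
passwd i/Y4R6kWHD6hjJ/v encrypted
aaa authentication ssh console LOCAL
username BluShin password Goodp455
interface ethernet0 auto
"""
AFTER_RECOVERY_CONFIG = """hostname pixfirewall
interface ethernet0 auto
"""
```

An empty checklist means every credential and aaa line from the backup is back on the device; until then the console login shown above needs no password.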