Thursday, May 22, 2014

Cisco ASA: How To Break Into The ASA And Do A Password Recovery Procedure

For some reason, one of my customer's ASA would not let us log into it.  Now maybe someone deliberately went in and changed all the passwords.  I dont know for sure.  But what I do know is how to break into it and change it back.
First, interrupt the boot to go into ROMMON mode.  Here is what I did when I stopped the boot process below.  Notice that the original boot config register ends in "01".  I dont want that next time it boots.  I want it to be "41".  You can see that after I changed the config register, I rebooted the ASA.
rommon #0> confreg

Current Configuration Register: 0x00000001
Configuration Summary:
  boot default image from Flash

Do you wish to change this configuration? y/n [n]: n

rommon #1> confreg 0x41

Update Config Register (0x41) in NVRAM...

rommon #2>boot

Next, I booted the ASA normally.  However, it acts like its never been configured.  Notice below, I get the original config back in place by doing the copy start run.  Then, I change my enable password and my username password.  Then I change the config register back to the way it was before ("01").
ciscoasa> en
ciscoasa# copy startup-config running-config

Destination filename [running-config]?

..INFO: outside interface address added to PAT pool
INFO: Global will be Port Address Translated
Cryptochecksum (unchanged): 04a475a6 81a5f851 a6e7af85 85317660

10169 bytes copied in 4.180 secs (2542 bytes/sec)
ASA# config t
ASA(config)# enable password newpassword
ASA(config)# username shane pass shane pri 15
ASA(config)# config-register 0x01
ASA(config)# exit

Before I reload the ASA, notice I do a show version.  Notice the highlighted piece of it, just FYI.
ASA# show ver

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 7.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

ASA up 1 min 34 secs

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
...edited for brevity...
This platform has a Base license.

Serial Number: JMXXXXXX
Configuration register is 0x41 (will be 0x1 at next reload)
Configuration last modified by enable_15 at 11:28:17.629 UTC Wed May 14 2014


No comments:

Post a Comment

Your comment will be reviewed for approval. Thank you for submitting your comments.