Friday, May 24, 2013

How To Break Into A Cisco ASA If You Do Not Have The Enable Password

From time to time, I get a service call asking me to break into a Cisco router or an ASA or a PIX. In most cases, the device was deployed a long time ago and nobody remembers the password. Or they have a copy of the config but the password was stored in the encrypted format.
If you have the password in encrypted format, you might luck out if it is a commonly-used value such as 8Ry2YjIyt7RRXU24 (password is blank) or 2KFQnbNIdI.2KYOU (password is “cisco”). You can try to brute force it with John the Ripper, or Cain and Abel, or some precomputed rainbow table. The time required to brute force a complex password will depend on the character set used in the password, the length of the password, and the speed of the computer that is running Cain & Abel. Might take an ice age to brute force it. Would it be worth the time?
You might have better luck with a bit of lateral thinking. Just paste the encrypted password into Google and see if anyone has posted their own config in some Google-indexed forum somewhere. If their encrypted password is the same value as your mystery password, they are using that same password. Can you ask the poster what their password is?
Other lateral puzzle approaches include: looking for other places that the password may have been stored. Let’s hope it’s not on a Post-It note underneath the keyboard. On a typical network, the documentation is all stored in the same place; a file share, a local directory, a KeePass archive. Maybe a hard copy in the server room. Some of it may not be encrypted. Many admins will use the same password in different systems. The ASA enable password might be the same as the domain administrator password. Might be in the old admin’s email archive. You never know, the sort of sensitive shit people email unencrypted to themselves. That’s the main reason I have to nuke lost Blackberrys from the corporate BES. No screen lock password on your Blackberry AND you emailed naughty photos to yourself? Dude.
You can try to guess the password. Name of company. Name of admin. Name of admin’s dog/cat/child/soccer team/favorite pornstar.
If you have physical access to the ASA, you can probably reset the password. Pretty painless. Just boot into ROMMON mode, change the configuration register value to 0×41 so that the ASA boots without loading the startup config. This means you’re in without needing a password. Then you can copy the startup config into the running config, and you can change the password.

Step-by-Step Instructions

Reboot the ASA. When you see the following text, press the BREAK or ESC key.
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
You are now in ROMMON mode, as indicated by the prompt.
rommon #0>
Type confreg.
rommon #0> confreg

Current Configuration Register: 0x00000001
Configuration Summary:
 boot default image from Flash
Take note of the value of the Current Configuration Register. You are going to be prompted to answer several questions, and based on your answers, the ASA’s Configuration Register is going to be changed to a different value. You’ll want to set the Configuation Register back to its original value after you have reset the ASA password.
Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]: y
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Current Configuration Register: 0x00000041
Configuration Summary:
 boot default image from Flash
 ignore system configuration

Update Config Register (0x41) in NVRAM...
Type boot. Now the ASA is going to boot the OS, but it will load the default config instead of the startup config.
rommon #1> boot
Get into privileged EXEC mode and hit ENTER when prompted for the enable password. Then copy the startup config into the running config.
ciscoasa> en
ciscoasa# copy start run

Destination filename [running-config]?
Get into global configuration mode and make the changes that you want, e.g. change the enable password. You have total access now, so you can change anything that you want.
ciscoasa# conf t
ciscoasa(config)# enable password cisco
When you have finished making all the changes to the config, reset the Configuration Register back to its original value and save the config.
ciscoasa(config)# config-register 0x1
ciscoasa(config)# wr mem

What is the Configuration Register?

The Configuration Register value is a hex value that specifies various boot parameters for the ASA, such as which boot image to use, whether or not to boot the startup config, or whether to perform the ROMMON countdown.
You can set it while you are in ROMMON mode with the confreg command. For example, you could type confreg 0×41 and you won’t be prompted to answer all those questions in the instructions above. (Because the questions only serve as a human-friendly way to formulate the value of the Configuration Register. By specifying “0×41″, you have already provided the value.) However, if you just type confreg, it will display the current value of the Configuration Register. This is important if you need to find out the existing value of the Configuration Register.
rommon #0> confreg 0x41
You can also set the value of the Configuration Register while you are in the global configuration mode with the config-register command.
ciscoasa# conf t
ciscoasa(config)# config-register 0x1
found at 

No comments:

Post a Comment


Internet Storm Center Infocon Status

Internet Storm Center Infocon Status
Internet Storm Center Infocon Status