Wednesday, August 2, 2017

Password Recovery on a Cisco ASA 5525-X

To perform a password recovery on a Cisco ASA 5500-X series firewall, you'll need to console to the ASA, do a reboot and press either the BREAK or ESCAPE key when you see this output.

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in            10 seconds



When in rommon mode, type confreg 0x41 and it will bypass the ASA startup-config.

rommon #1> confreg 0x41

Update Config Register (0x41) in NVRAM...


Type confreg to verify the configuration register value.

rommon #1> confreg

Current Configuration Register: 0x00000041
Configuration Summary:
  boot default image from Flash
  ignore system configuration

Do you wish to change this configuration? y/n [n]: n      // TYPE n SINCE CONFREG IS 0x41


Type boot to reload the ASA using the new configuration register setting.

rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.

Loading disk0:/asa913-smp-k8.bin... Booting...
Platform ASA5525


<OUTPUT TRUNCATED>


ciscoasa> enable
Password:<ENTER>

ciscoasa# show run
: Saved
:
ASA Version 9.1(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address            
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 27
  subscribe-to-alert-group configuration periodic monthly 27
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00000000000000000000000000000000
: end

ciscoasa#

ciscoasa# conf igure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve

the product? [Y]es, [N]o, [A]sk later:

ciscoasa(config)# copy startup-config running-config    // LOAD THE EXISTING CONFIG FROM FLASH/NVRAM TO ACTIVE RAM; NOTICE THE HOSTNAME AND OTHER CONFIG HAVE CHANGED
COMPANY-ASA(config)# passwd cisco      // SSH/TELNET PASSWORD
COMPANY-ASA(config)# enable password cisco        // ENABLE PASSWORD
COMPANY-ASA(config)# username admin password cisco privilege 15     // LOCAL USER PASSWORD
COMPANY-ASA(config)# no config-register    // REVERT BACK TO confreg 0x1
COMPANY-ASA(config)# show version

Cisco Adaptive Security Appliance Software Version 9.1(3)
Device Manager Version 7.1(4)

Compiled on Mon 16-Sep-13 16:07 PDT by builders
System image file is "disk0:/asa913-smp-k8.bin"
Config file at boot was "startup-config"

COMPANY-ASA up 2 mins 46 secs

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is fc5b.39aa.5164, irq 11
 1: Ext: GigabitEthernet0/0  : address is fc5b.39aa.5169, irq 5
 2: Ext: GigabitEthernet0/1  : address is fc5b.39aa.5165, irq 5
 3: Ext: GigabitEthernet0/2  : address is fc5b.39aa.516a, irq 10
 4: Ext: GigabitEthernet0/3  : address is fc5b.39aa.5166, irq 10
 5: Ext: GigabitEthernet0/4  : address is fc5b.39aa.516b, irq 5
 6: Ext: GigabitEthernet0/5  : address is fc5b.39aa.5167, irq 5
 7: Ext: GigabitEthernet0/6  : address is fc5b.39aa.516c, irq 10
 8: Ext: GigabitEthernet0/7  : address is fc5b.39aa.5168, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is fc5b.39aa.5164, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1834JABC
Running Permanent Activation Key: 0x363bee4d 0xcc858b80 0xe5d21db4 0xf1d49123 0xcb04c456
Configuration register is 0x41 (will be 0x1 at next reload)
Configuration last modified by enable_15 at 22:47:52.619 UTC Mon Jun 5 2017
COMPANY-ASA(config)#
COMPANY-ASA(config)# write memory
Building configuration...
Cryptochecksum: 9575d46c dc5b5272 60c68174 195bd73d

2641 bytes copied in 0.650 secs
[OK]

COMPANY-ASA(config)# reload
Proceed with reload? [confirm]
COMPANY-ASA(config)#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system


***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
Cisco BIOS Version:9B2C109A
Build Date:05/15/2013 16:34:44


<OUTPUT TRUNCATED>


COMPANY-ASA# show version

Cisco Adaptive Security Appliance Software Version 9.1(3)
Device Manager Version 7.1(4)

Compiled on Mon 16-Sep-13 16:07 PDT by builders
System image file is "disk0:/asa913-smp-k8.bin"
Config file at boot was "startup-config"

COMPANY-ASA up 33 secs

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is fc5b.39aa.5164, irq 11
 1: Ext: GigabitEthernet0/0  : address is fc5b.39aa.5169, irq 5
 2: Ext: GigabitEthernet0/1  : address is fc5b.39aa.5165, irq 5
 3: Ext: GigabitEthernet0/2  : address is fc5b.39aa.516a, irq 10
 4: Ext: GigabitEthernet0/3  : address is fc5b.39aa.5166, irq 10
 5: Ext: GigabitEthernet0/4  : address is fc5b.39aa.516b, irq 5
 6: Ext: GigabitEthernet0/5  : address is fc5b.39aa.5167, irq 5
 7: Ext: GigabitEthernet0/6  : address is fc5b.39aa.516c, irq 10
 8: Ext: GigabitEthernet0/7  : address is fc5b.39aa.5168, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is fc5b.39aa.5164, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetualShared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1834JABC
Running Permanent Activation Key: 0x363bee4d 0xcc858b80 0xe5d21db4 0xf1d49123 0xcb04c456
Configuration register is 0x1
Configuration has not been modified since last system restart.

COMPANY-ASA# show run
: Saved
:
ASA Version 9.1(3)
!
hostname COMPANY-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 123.45.6.7
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address  
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address        
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup INSIDE
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name local.net
pager lines 24
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 27
  subscribe-to-alert-group configuration periodic monthly 27
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9575d46cdc5b527260c68174195bd73d
: end

No comments:

Post a Comment