Sunday, March 1, 2020

Cisco ASA 5500 Firewall Password Recovery

Here's a good link on performing a password recovery on a Cisco ASA 5500 first-generation firewall. I performed a password recovery on a Cisco ASA 5510 firewall below:

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006

Platform ASA5510

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

Management0/0
Ethernet auto negotiation timed out.
Interface-4 Link Not Established (check cable).


Default Interface number-4 Not Up


Use ? for help.
rommon #0> confreg

Current Configuration Register: 0x00000041
Configuration Summary:
  boot default image from Flash
  ignore system configuration


Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Current Configuration Register: 0x00000040
Configuration Summary:
  boot ROMMON
  ignore system configuration

Update Config Register (0x40) in NVRAM...

rommon #1> boot
Launching BootLoader...
Boot configuration file contains 2 entries.


Loading disk0:/asa917-9-k8.bin...


<OUTPUT TRUNCATED>


                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Ignoring startup configuration as instructed by configuration register.

INFO: Power-On Self-Test in process.
...........................................................
INFO: Power-On Self-Test complete.

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201910220639.log'
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:
ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa(config)# no config-register
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 5c9a33a9 3f5cb4cd 26554b4a efd76652

2225 bytes copied in 3.300 secs (741 bytes/sec)
[OK]

ciscoasa(config)# reload
Proceed with reload? [confirm]
ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down License Controller
Shutting down File system


***
*** --- SHUTDOWN NOW ---
Process shutdown finished


<OUTPUT TRUNCATED>


Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006

Platform ASA5510

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
                                               
Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa912-k8.bin... Booting...


<OUTPUT TRUNCATED>


                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
!
Configuration Compatibility Warning:
 The version 9.1(7)9 configuration may contain syntax that is
 not backward compatible with the 9.1(2) image that is loaded.

*** Output from config line 7, "ASA Version 9.1(7)9 "

ssh stricthostkeycheck
     ^
ERROR: % Invalid Hostname
*** Output from config line 65, "ssh stricthostkeycheck"
.
Cryptochecksum (unchanged): 5c9a33a9 3f5cb4cd 26554b4a efd76652

INFO: Power-On Self-Test in process.
...........................................................
INFO: Power-On Self-Test complete.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: <HIT ENTER>
ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(1)52

Compiled on Thu 09-May-13 15:37 by builders
System image file is "disk0:/asa912-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 min 4 secs

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08
                             Number of accelerators: 1

 0: Ext: Ethernet0/0         : address is 001e.13f0.3168, irq 9
 1: Ext: Ethernet0/1         : address is 001e.13f0.3169, irq 9
 2: Ext: Ethernet0/2         : address is 001e.13f0.316a, irq 9
 3: Ext: Ethernet0/3         : address is 001e.13f0.316b, irq 9
 4: Ext: Management0/0       : address is 001e.13f0.316c, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5510 Security Plus license.

Serial Number: JMX12021234
Running Permanent Activation Key: 0xfe3bfc5c 0x0cd4fce4 0x10e2f59c 0x90b03123 0xc2112456
Configuration register is 0x1
Configuration has not been modified since last system restart.

ciscoasa# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5c9a33a93f5cb4cd26554b4aefd76652
: end
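The recovery above works because the configuration register bit 0x40 makes the ASA ignore its startup configuration, and it is only undone by the later `no config-register` and `write memory` (the final `show version` reports the register back at 0x1). Two things in the transcript are worth checking for after any recovery: that the register really was restored, and that the blank enable password left by `write erase` (the `enable` prompt above accepts an empty password against the hash `8Ry2YjIyt7RRXU24`) has been replaced. The Python audit below is an added example, not code from the original post or from Cisco; it parses captured `show version` and `show run` text, decodes the two register bits using the meanings the ROMMON `confreg` summary above prints (0x1 boot default Flash image versus ROMMON, 0x40 ignore system configuration), and also flags the legacy `ssh key-exchange group dh-group1-sha1` setting that appears in the erased config. The sample outputs inside the block are constructed, not captured from a device.

```python
"""Post-recovery checks for a Cisco ASA, driven by 'show version' and 'show run' text.

Added example, not from the original post. Register bit meanings come from the
ROMMON 'confreg' summaries on the page: 0x41 = boot default image from Flash +
ignore system configuration, 0x40 = boot ROMMON + ignore system configuration,
and 'no config-register' restores 0x1. The sample outputs below are constructed.
"""
import re
from typing import Dict, List

# Configuration-register bits as summarised by the ROMMON confreg dialogue on the page.
BOOT_DEFAULT_FLASH_IMAGE = 0x01   # clear -> "boot ROMMON"
IGNORE_SYSTEM_CONFIG = 0x40       # set   -> "ignore system configuration"

# Hash 'show run' displays for the enable password after 'write erase'; the page's
# transcript shows 'enable' succeeding with an empty password against it.
BLANK_ENABLE_PASSWORD_HASH = "8Ry2YjIyt7RRXU24"

CONFREG_RE = re.compile(r"^Configuration register is (0x[0-9A-Fa-f]+)\s*$", re.MULTILINE)
ENABLE_PW_RE = re.compile(r"^enable password (\S+) encrypted\s*$", re.MULTILINE)
SSH_KEX_RE = re.compile(r"^ssh key-exchange group (\S+)\s*$", re.MULTILINE)


def parse_config_register(show_version: str) -> int:
    """Return the configuration register from 'show version' output as an int."""
    match = CONFREG_RE.search(show_version)
    if match is None:
        raise ValueError("no 'Configuration register is' line in show version output")
    return int(match.group(1), 16)


def describe_config_register(value: int) -> Dict[str, object]:
    """Decode the two register bits the recovery procedure touches."""
    return {
        "value": f"0x{value:x}",
        "boots_default_flash_image": bool(value & BOOT_DEFAULT_FLASH_IMAGE),
        "ignores_startup_config": bool(value & IGNORE_SYSTEM_CONFIG),
    }


def audit_show_version(show_version: str) -> List[str]:
    """Flag a register that was left in the password-recovery state."""
    info = describe_config_register(parse_config_register(show_version))
    findings = []
    if info["ignores_startup_config"]:
        findings.append(
            f"config register {info['value']}: startup-config will be ignored on the next "
            "reload; finish recovery with 'no config-register' and 'write memory'"
        )
    if not info["boots_default_flash_image"]:
        findings.append(
            f"config register {info['value']}: device will stop at ROMMON instead of "
            "booting the default Flash image"
        )
    return findings


def audit_running_config(running_config: str) -> List[str]:
    """Flag settings a freshly erased ASA ships with that should not stay in production."""
    findings = []
    enable_pw = ENABLE_PW_RE.search(running_config)
    if enable_pw is None:
        findings.append("no 'enable password' line found; set one before connecting the device")
    elif enable_pw.group(1) == BLANK_ENABLE_PASSWORD_HASH:
        findings.append("enable password is the blank-password hash left by 'write erase'; set a real one")
    kex = SSH_KEX_RE.search(running_config)
    if kex is not None and kex.group(1) == "dh-group1-sha1":
        findings.append("ssh key-exchange uses dh-group1-sha1 (768-bit DH group 1); move to dh-group14-sha1 or newer")
    return findings


def audit(show_version: str, running_config: str) -> List[str]:
    """Combined report for one device: register state plus left-over defaults."""
    return audit_show_version(show_version) + audit_running_config(running_config)


# Constructed sample outputs (not captured from a real device).
SAMPLE_SHOW_VERSION_RECOVERY = """\
Cisco Adaptive Security Appliance Software Version 9.1(2)
Configuration register is 0x41
Configuration has not been modified since last system restart.
"""
SAMPLE_SHOW_VERSION_RESTORED = SAMPLE_SHOW_VERSION_RECOVERY.replace("0x41", "0x1")
SAMPLE_RUNNING_CONFIG = """\
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
!
ssh timeout 5
ssh key-exchange group dh-group1-sha1
: end
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_SHOW_VERSION_RECOVERY, SAMPLE_RUNNING_CONFIG):
        print("FINDING:", line)
    print("after 'no config-register':", audit(SAMPLE_SHOW_VERSION_RESTORED, SAMPLE_RUNNING_CONFIG))
```

Run against the constructed `0x41` sample it reports three findings (register still ignoring startup-config, blank enable password, DH group 1 key exchange); with the register back at 0x1 only the two configuration findings remain, which is the state the transcript above ends in.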