Password recovery on a Cisco PIX 501
Posted by creining | Filed under Security
I found myself with a couple of Cisco PIX 501s that were pulled from production a while ago and needed to be redeployed. The passwords were unknown. So, I used the document Password Recovery and AAA Configuration Recovery Procedure for the PIX in order to reset the password. I needed to download the binary file available on that webpage for the version of the PIX software that was installed, as well as a TFTP server. Working from a Windows machine, I chose SolarWinds TFTP server. I followed the steps under the section “PIX Without a Floppy Drive”. This involved going into monitor mode on the PIX by booting it up and hitting ESC, setting the interface to use by issuing ‘interface 0’, setting the IP address of the 0 interface with the ‘address’ command, setting the filename to retrieve from the server with the command ‘file np63.bin’ (the binary file I downloaded), and setting the server with the command ‘server’ (the IP of the TFTP server):
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10)
Using 0: i82557 @ PCI(bus:0 dev:17 irq:9 ), MAC: 000e.83b2.e0a4
monitor> address 10.3.10.24
address 10.3.10.24
monitor> file np63.bin
file np63.bin
monitor> server 10.3.10.25
server 10.3.10.25
At this point it was possible to ping the TFTP server and retrieve the binary file with the command ‘tftp’:
monitor> ping 10.3.10.25
Sending 5, 100-byte 0x891a ICMP Echoes to 10.3.10.25, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np63.bin@10.3.10.25........................................................
................................................................................
.............................................
Received 92160 bytes
Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000
Do you wish to erase the passwords? [yn] y
The default telnet password after this is “cisco” and there is no enable password. Pretty painless.
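A check for the state the recovery tool leaves behind, so a unit is not redeployed with the "cisco" telnet password or a blank enable password. This is an added example, not part of the original post. The `passwd ... encrypted` and `enable password ... encrypted` line formats and the hash construction are assumptions about the saved PIX configuration, and the sample config is constructed.

```python
import hashlib
import re

# Alphabet of the little-endian "hash64" encoding (assumed PIX "encrypted" format).
H64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def pix_hash(password: str) -> str:
    """MD5 of the password NUL-padded to 16 bytes; every 4th digest byte is
    dropped and the remaining 12 bytes are hash64-encoded (16 characters)."""
    padded = password.encode()[:16].ljust(16, b"\0")
    digest = hashlib.md5(padded).digest()
    chars = []
    for i in range(0, 16, 4):
        # Three bytes form one 24-bit little-endian value -> four characters.
        v = digest[i] | digest[i + 1] << 8 | digest[i + 2] << 16
        chars.extend(H64[(v >> shift) & 0x3F] for shift in (0, 6, 12, 18))
    return "".join(chars)

# Post-recovery state described in the post: telnet "cisco", no enable password.
RECOVERY_DEFAULTS = {
    "passwd": pix_hash("cisco"),
    "enable password": pix_hash(""),
}
CRED_LINE = re.compile(r"^(enable password|passwd)\s+(\S+)\s+encrypted\s*$")

def audit(config_text: str) -> list:
    """Return the credential settings still at their post-recovery value."""
    flagged = []
    for line in config_text.splitlines():
        m = CRED_LINE.match(line.strip())
        if m and m.group(2) == RECOVERY_DEFAULTS[m.group(1)]:
            flagged.append(m.group(1))
    return flagged

# Constructed sample: enable password was changed, telnet password was not.
SAMPLE_CONFIG = f"""\
: constructed sample config
hostname pix-example
enable password {pix_hash("Constructed-Example1")} encrypted
passwd {pix_hash("cisco")} encrypted
"""

if __name__ == "__main__":
    for setting in audit(SAMPLE_CONFIG):
        print(f"{setting}: still at post-recovery default, change before redeploying")
```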