In the course of real work I ran into a PIX 506 firewall. The password had been set so long ago that nobody at the customer's company still knew the device password. After consulting Cisco documentation and material online, I recovered the password and the problem was solved.
Below are the preparation and the steps of the recovery:
Preparation: download the file that matches the PIX software version

Obtain the appropriate binary file for the PIX software version you run:
- np70.bin (7.x and 8.0 releases)
- np63.bin (6.3 release)
- np62.bin (6.2 release)
- np61.bin (6.1 release)
- np60.bin (6.0 release)
- np53.bin (5.3 release)
- np52.bin (5.2 release)
- np51.bin (5.1 release)
- np50.bin (5.0 release)
- np44.bin (4.4 release)
- nppix.bin (4.3 and earlier releases)

Note: the .bin file to use is determined by the PIX software release the PIX currently runs, irrespective of the BIOS version.
Procedure (PIX without a floppy drive)

Complete these steps to recover your password:

1. Connect a serial terminal, or a PC running terminal emulation software, to the PIX console port.
2. Verify that you have a connection with the PIX and that characters travel from the terminal to the PIX and from the PIX back to the terminal. Note: because you are locked out, you only see a password prompt.
3. Power cycle the PIX Firewall. Immediately after the startup messages appear, send a BREAK character or press the ESC key. The monitor> prompt is displayed. If needed, type ? (question mark) to list the available commands.
4. Use the interface command to specify which interface the ping and TFTP traffic should use. On floppiless PIXes with only two interfaces, the monitor command defaults to the inside interface.
5. Use the address command to specify the IP address of the PIX Firewall's interface.
6. Use the server command to specify the IP address of the remote TFTP server that holds the PIX password recovery file.
7. Use the file command to specify the filename of the PIX password recovery file. For example, the 5.1 release uses a file named np51.bin.
8. If needed, enter the gateway command to specify the IP address of a router gateway through which the server is reachable. When the TFTP server sits on the same subnet as the PIX interface, no gateway is needed.
9. If needed, use the ping command to verify that the server is reachable. If the ping fails, fix access to the server before continuing.
10. Use the tftp command to start the download.
11. As the password recovery file loads, this prompt is displayed:
    Do you wish to erase the passwords? [yn] y
    Passwords have been erased.
    Note: if there are Telnet or console aaa authentication commands in version 6.2, the system also prompts to remove these.
12. After the reboot the Telnet password is the default "cisco" and there is no enable password, so anyone who can reach the device's Telnet port can log in until you change it. Go into configuration mode, issue passwd your_password to set the Telnet password and enable password your_enable_password to create an enable password, and then save your configuration.
Sample session:

monitor> interface 0
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )

Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor> address 10.21.1.99
address 10.21.1.99
monitor> server 172.18.125.3
server 172.18.125.3
monitor> file np52.bin
file np52.bin
monitor> gateway 10.21.1.1
gateway 10.21.1.1
monitor> ping 172.18.125.3
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np52.bin@172.18.125.3 via 10.21.1.1......................................
Received 73728 bytes

Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000

Do you wish to erase the passwords? [yn] y
Passwords have been erased.

Rebooting....

Note: when the TFTP server is directly connected to the PIX interface (same subnet), there is no gateway to configure, so the gateway step is skipped.