PIX506防火墙密码的破解

在实际工作中碰到一款PIX 506的防火墙，由于密码设置时间久远，客户公司中已经无人知道设备的密码，查阅CISCO资料及网上资料后，将密码破解，问题得以解决。

以下是破解的准备工作及过程：

准备工作：根据PIX IOS的版本下载以下文件

• The appropriate binary file, depending on the PIX software version you run:

  • np70.bin(7.x and 8.0 release)

  • np63.bin(6.3 release)

  • np62.bin(6.2 release)

  • np61.bin(6.1 release)

  • np60.bin(6.0 release)

  • np53.bin(5.3 release)

  • np52.bin(5.2 release)

  • np51.bin (5.1 release)

  • np50.bin (5.0 release)

  • np44.bin (4.4 release)

  • nppix.bin (4.3 and earlier releases)

    Note: You need to determine what .bin file to use, which depends upon the PIX code that your PIX currently runs irrespective of the BIOS version.

• 具体步骤：（PIX Without a Floppy Drive）

  Complete these steps to recover your password:

1. Install a serial terminal or a PC with terminal emulation software on the PIX console port.

2. Verify that you have a connection with the PIX, and that characters are going from the terminal to the PIX, and from the PIX to the terminal.

   Note: Because you are locked out, you only see a password prompt.

3. Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the ESC key. The monitor> prompt is displayed. If needed, type ? (question mark) to list the available commands.

4. Use the interface command to specify which interface the ping traffic should use. For floppiless PIXes with only two interfaces, the monitor command defaults to the inside interface.

5. Use the address command to specify the IP address of the PIX Firewall's interface.

6. Use the server command to specify the IP address of the remote TFTP server containing the PIX password recovery file.

7. Use the file command to specify the filename of the PIX password recovery file. For example, the 5.1 release uses a file named np51.bin.

8. If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.

9. If needed, use the ping command to verify accessibility. If this command fails, fix access to the server before continuing.

10. Use the tftp command to start the download.

11. As the password recovery file loads, this message is displayed:

    Do you wish to erase the passwords? [yn]y Passwords have been erased.

    Note: If there are Telnet or consoleaaa authentication commands in version 6.2, the system also prompts to remove these.

12. The default Telnet password after this process is "cisco." There is no default enable password. Go into configuration mode and issue the passwd your_password command to change your Telnet password and the enable password your_enable_password command to create an enable password, and then save your configuration.

monitor>interface 0

0: i8255X @ PCI(bus:0 dev:13 irq:10)1: i8255X @ PCI(bus:0 dev:14 irq:7 ) Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9

monitor>address 10.21.1.99

address 10.21.1.99

monitor>server 172.18.125.3

server 172.18.125.3

monitor>file np52.bin

file np52.bin

monitor>gateway 10.21.1.1

gateway 10.21.1.1

monitor>ping 172.18.125.3

Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds:!!!!!Success rate is 100 percent (5/5)

monitor>tftp

tftp np52.bin@172.18.125.3 via 10.21.1.1...................................Received 73728 bytes Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000Flash=i28F640J5 @ 0x300BIOS Flash=AT29C257 @ 0xd8000 Do you wish to erase the passwords? [yn] yPasswords have been erased. Rebooting....说明：当我们直连的时候也就不存在网关的概念了。