In practice I ran into a PIX 506 firewall whose password had been set so long ago that nobody at the customer's company still knew it. After consulting Cisco documentation and online material I performed the password recovery, and the problem was resolved.
Below are the preparation and the recovery procedure.
Preparation: download the following file according to the PIX software version you run.
- The appropriate binary file, depending on the PIX software version you run:
  - np70.bin (7.x and 8.0 release)
  - np63.bin (6.3 release)
  - np62.bin (6.2 release)
  - np61.bin (6.1 release)
  - np60.bin (6.0 release)
  - np53.bin (5.3 release)
  - np52.bin (5.2 release)
  - np51.bin (5.1 release)
  - np50.bin (5.0 release)
  - np44.bin (4.4 release)
  - nppix.bin (4.3 and earlier releases)
Note: You need to determine which .bin file to use, which depends on the PIX code that your PIX currently runs, irrespective of the BIOS version.
Steps (PIX without a floppy drive):
Complete these steps to recover your password:
- Install a serial terminal or a PC with terminal emulation software on the PIX console port.
- Verify that you have a connection with the PIX, and that characters are going from the terminal to the PIX, and from the PIX to the terminal.
  Note: Because you are locked out, you only see a password prompt.
- Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the ESC key. The monitor> prompt is displayed. If needed, type ? (question mark) to list the available commands.
- Use the interface command to specify which interface the ping traffic should use. For floppyless PIXes with only two interfaces, the monitor command defaults to the inside interface.
- Use the address command to specify the IP address of the PIX Firewall's interface.
- Use the server command to specify the IP address of the remote TFTP server containing the PIX password recovery file.
- Use the file command to specify the filename of the PIX password recovery file. For example, the 5.1 release uses a file named np51.bin.
- If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.
- If needed, use the ping command to verify accessibility. If this command fails, fix access to the server before continuing.
- Use the tftp command to start the download.
- As the password recovery file loads, this message is displayed:
  Do you wish to erase the passwords? [yn] y
  Passwords have been erased.
  Note: If there are Telnet or console aaa authentication commands in version 6.2, the system also prompts to remove these.
- The default Telnet password after this process is "cisco". There is no default enable password. Go into configuration mode and issue the passwd your_password command to change the Telnet password and the enable password your_enable_password command to create an enable password, and then save your configuration.
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )

Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor> address 10.21.1.99
address 10.21.1.99
monitor> server 172.18.125.3
server 172.18.125.3
monitor> file np52.bin
file np52.bin
monitor> gateway 10.21.1.1
gateway 10.21.1.1
monitor> ping 172.18.125.3
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np52.bin@172.18.125.3 via 10.21.1.1...................................
Received 73728 bytes

Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000

Do you wish to erase the passwords? [yn] y
Passwords have been erased.

Rebooting....

Note: when the PIX and the TFTP server are directly connected, there is no gateway to configure, so the gateway command can be skipped.
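The procedure and the console session above, as an added example that is not part of the original post and not Cisco's tooling: a small Python helper with hypothetical function names (recovery_image, monitor_commands, parse_recovery_output). It picks the np*.bin image from a PIX version string using the table on the page, emits the monitor> command sequence and adds the gateway line only when the TFTP server is outside the PIX interface's subnet (a directly connected server needs none, as the note above says), and parses the password tool's console output so an administrator can confirm, and a console-log reviewer can recognise, that a recovery run actually erased the passwords. The subnet prefix length passed to monitor_commands is an assumption of this helper; monitor mode itself takes no mask.

```python
"""Plan and audit a PIX monitor-mode password recovery.

Hypothetical example code (not Cisco's tool, not the post author's work).
"""
import ipaddress
import re

# Version -> recovery image, exactly as listed on the page. 7.x and 8.0 share
# np70.bin and 4.3 or earlier uses nppix.bin; both are handled in code below.
RECOVERY_IMAGES = {
    "6.3": "np63.bin", "6.2": "np62.bin", "6.1": "np61.bin", "6.0": "np60.bin",
    "5.3": "np53.bin", "5.2": "np52.bin", "5.1": "np51.bin", "5.0": "np50.bin",
    "4.4": "np44.bin",
}

# Signature line printed by the recovery image (seen in the session above).
TOOL_BANNER = re.compile(r"Cisco Secure PIX Firewall password tool \(([\d.]+)\)")


def recovery_image(version: str) -> str:
    """Return the np*.bin file for a PIX software version string.

    Accepts '5.2(1)' as well as a full 'Cisco PIX Firewall Version 6.3(5)'
    line; only the major.minor part is used.
    """
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"cannot find a version number in {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major == 7 or (major, minor) == (8, 0):
        return "np70.bin"
    if (major, minor) <= (4, 3):
        return "nppix.bin"
    try:
        return RECOVERY_IMAGES[f"{major}.{minor}"]
    except KeyError:
        raise ValueError(f"no recovery image listed for PIX {major}.{minor}") from None


def monitor_commands(pix_addr, prefix_len, server, image, gateway=None, interface=0):
    """Build the monitor> command sequence from the steps on the page.

    The gateway line is emitted only when the TFTP server lies outside the
    PIX interface's subnet. prefix_len is this helper's own assumption.
    """
    iface = ipaddress.ip_interface(f"{pix_addr}/{prefix_len}")
    srv = ipaddress.ip_address(server)
    cmds = [f"interface {interface}", f"address {iface.ip}",
            f"server {srv}", f"file {image}"]
    if srv not in iface.network:
        if gateway is None:
            raise ValueError("TFTP server is off-subnet; a gateway address is required")
        if ipaddress.ip_address(gateway) not in iface.network:
            raise ValueError("gateway must be on the PIX interface's subnet")
        cmds.append(f"gateway {gateway}")
    cmds += [f"ping {srv}", "tftp"]
    return cmds


def parse_recovery_output(output: str) -> dict:
    """Summarise the tftp stage: bytes received, tool version, and whether the
    tool reports the passwords erased and the box rebooting."""
    banner = TOOL_BANNER.search(output)
    received = re.search(r"Received (\d+) bytes", output)
    return {
        "received_bytes": int(received.group(1)) if received else None,
        "tool_version": banner.group(1) if banner else None,
        "passwords_erased": "Passwords have been erased." in output,
        "rebooting": "Rebooting" in output,
    }


# Constructed sample, assembled from the console output shown on the page.
SAMPLE_OUTPUT = """\
tftp np52.bin@172.18.125.3 via 10.21.1.1.......
Received 73728 bytes

Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000

Do you wish to erase the passwords? [yn] y
Passwords have been erased.

Rebooting....
"""

if __name__ == "__main__":
    plan = monitor_commands("10.21.1.99", 24, "172.18.125.3",
                            recovery_image("5.2(1)"), gateway="10.21.1.1")
    for line in plan:
        print(f"monitor> {line}")
    print(parse_recovery_output(SAMPLE_OUTPUT))
```

Run it as a script to print the same seven commands typed in the session above; calling monitor_commands with a server on the PIX's own subnet drops the gateway line, and calling it with an off-subnet server but no gateway raises instead of producing a sequence whose tftp step would fail.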