Wednesday 9 April 2014

Weird Problem Running Password Recovery on a PIX 501

Today I dug out an old PIX 501 from the store room to do some testing (don't ask). As expected, it already had a config including some unknown enable password so I was forced to perform a password recovery on it. I've done a million of these on routers and switches but probably only once or twice on a PIX so I wound up on Cisco's how to password recover a PIX page giving myself a quick refresher on how to do it.

The password recovery process on a PIX is version dependent, requiring the right recovery image for the installed PIX software. Fortunately for me the console was not set with a password so I could use "show ver" to see what was running on the box:

VPN-TEST> show ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

<snip>


"Great", I thought, and downloaded the 6.3 recovery image. The process itself is pretty straightforward and explained on the Cisco instruction page so I won't go over it in detail. After breaking the boot sequence and firing up the TFTP I was greeted with this:

monitor> tftp
tftp 8529-np63.bin@10.10.10.1.....................................................................................................................................................................................
Received 92160 bytes

Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000

Do you wish to erase the passwords? [yn]


Of course I pressed "y", only to be told:

No passwords or aaa commands were found.

Rebooting....


How rude! Following that I returned to trying the default cisco / pix / blank passwords, in case I'd fat-fingered them earlier, but nothing worked. There *was* a password there, dammit!

After a fair bit of searching I soon realised that this was not a common problem. There were only a couple of forum posts quoting the "no passwords or aaa commands were found" message and none of them had a solution.

Out of desperation, as much as anything, I tried the PIX 7/8 recovery image:

monitor> tftp
tftp 8529-np70.bin@10.10.10.1.............................................................................................................................................................................................................................................................
Received 129024 bytes

Cisco PIX Security Appliance password tool (3.0) #0: Thu Jun  9 21:45:44 PDT 2005
This utility is not supported on this platform

Rebooting....


Huff. OK, last try. Let's go with the next version down - 6.2 and see if that works:

monitor> tftp
tftp 8529-np62.bin@10.10.10.1.................................................................................................................................................
Received 73728 bytes

Cisco Secure PIX Firewall password tool (3.0) #0: Wed Mar 27 11:02:16 PST 2002
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000

Do you wish to erase the passwords? [yn] 


Well, at least it ran this time. Naturally I typed "y":

The following lines will be removed from the configuration:
        enable password XJEP6/bAhsOZPahK encrypted
        passwd 2KFQnbNIdI.2KYOU encrypted

Do you want to remove the commands listed above from the configuration? [yn] 


Ah, the good old default "cisco" passwd entry (who can forget the "KYOU" on the end?) along with the troublesome unknown enable password. I've mangled it to avoid leaking genuine information. After pressing "y" I got the following promising message:

Passwords and aaa commands have been erased.

Rebooting....


This time it actually worked, restoring the enable password to blank!

Out of curiosity I thought I'd check whether the config file was last saved under PIX 6.2 (a long shot, admittedly):

LAB-501# show run
: Saved
:
PIX Version 6.3(5)
<snip>


Er, nope. I can only assume that this little runt of a firewall had previously run 6.2 code and had later been upgraded. I vaguely remember upgrading PIXes in the past and being warned about scary, irreversible changes being made to the flash filesystem - perhaps the file system is a little different between 6.2 and 6.3, but it doesn't bother to overwrite the flash for upgrades between minor releases? Either way, the 6.3 recovery image evidently didn't understand it and 6.2 did.

So there you have it. I suppose in theory you could just start high and work backwards until it succeeds. I've grabbed every recovery image on the page while they're still available - I don't expect Cisco to take them down (they are over a decade old now and still up) but you never know.

There you go. Now there is an answer for the 1 other person in the world who may ever have the same problem trying to revive a completely defunct model of firewall. Long live the PIX!
