  • ASA5510 Password recovery

    2012-04-09 07:55 ASA5510 password recovery: I found this passage online

    Step 1  Connect to the security appliance console port according to the

    Step 2  Power off the security appliance, and then power it on.
    Step 3  During the startup messages, press the Escape key when prompted to enter ROMMON.
    Step 4  To set the security appliance to ignore the startup configuration at reload, enter the following command:
         rommon #1> confreg
         The security appliance displays the current configuration register value, and asks if you want to change the value:
         Current Configuration Register: 0x00000011
         Configuration Summary:
         boot TFTP image, boot default image from Flash on netboot failure
         Do you wish to change this configuration? y/n [n]:
    Step 5  Record your current configuration register value, so you can restore it later.
    Step 6  At the prompt, enter Y to change the value.
         The security appliance prompts you for new values.
    Step 7  Accept the default values for all settings, except for the “disable system configuration?” value; at that prompt, enter Y.
    Step 8  Reload the security appliance by entering the following command:
         rommon #2> boot
         The security appliance loads a default configuration instead of the startup configuration.
    Step 9  Enter privileged EXEC mode by entering the following command:
         hostname> enable
    Step 10  When prompted for the password, press Return.
         The password is blank.
    Step 11  Load the startup configuration by entering the following command:
         hostname# copy startup-config running-config
    Step 12  Enter global configuration mode by entering the following command:
         hostname# configure terminal
    Step 13  Change the passwords in the configuration by entering the following commands, as necessary:
         hostname(config)# password password
         hostname(config)# enable password password
         hostname(config)# username name password password
    Step 14  Change the configuration register to load the startup configuration at the next reload by entering the following command:
         hostname(config)# config-register value
         Where value is the configuration register value you noted in Step 5. 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.
    Step 15  Save the new passwords to the startup configuration by entering the following command:
         hostname(config)# copy running-config startup-config

    What I actually did was as follows:

    Booting system, please wait…

    ######## Press the ESC key at this point

    CISCO SYSTEMS

    Embedded BIOS Version 1.0(11)5 08/28/08 15:11:51.82

    Low Memory: 631 KB

    High Memory: 1024 MB

    PCI Device Table.

    Bus Dev Func VendID DevID Class Irq

    00 00 00 8086 2578 Host Bridge

    00 01 00 8086 2579 PCI-to-PCI Bridge

    00 03 00 8086 257B PCI-to-PCI Bridge

    00 1C 00 8086 25AE PCI-to-PCI Bridge

    00 1D 00 8086 25A9 Serial Bus 11

    00 1D 01 8086 25AA Serial Bus 10

    00 1D 04 8086 25AB System

    00 1D 05 8086 25AC IRQ Controller

    00 1D 07 8086 25AD Serial Bus 9

    00 1E 00 8086 244E PCI-to-PCI Bridge

    00 1F 00 8086 25A1 ISA Bridge

    00 1F 02 8086 25A3 IDE Controller 11

    00 1F 03 8086 25A4 Serial Bus 5

    00 1F 05 8086 25A6 Audio 5

    02 01 00 8086 1075 Ethernet 11

    03 01 00 177D 0003 Encrypt/Decrypt 9

    03 02 00 8086 1079 Ethernet 9

    03 02 01 8086 1079 Ethernet 9

    03 03 00 8086 1079 Ethernet 9

    03 03 01 8086 1079 Ethernet 9

    04 02 00 8086 1209 Ethernet 11

    04 03 00 8086 1209 Ethernet 5

    Evaluating BIOS Options …

    Invalid Key: 001B

    Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(11)5) #0: Thu Aug 28 15:23:50 PDT 2008

    Platform ASA5510

    Management0/0

    Ethernet auto negotiation timed out.

    Interface-4 Link Not Established (check cable).

    Default Interface number-4 Not Up

    Use ? for help.

    rommon #0> confreg

    Current Configuration Register: 0x00002000

    Configuration Summary:

    boot ROMMON

    load ROMMON if netboot fails

    Do you wish to change this configuration? y/n [n]:y

    enable boot to ROMMON prompt? y/n [n]:y

    select specific Flash image index? y/n [n]: y

    enter Flash image index [1->7]: 1 # I did not understand what this means here

    disable system configuration? y/n [n]: y

    go to ROMMON prompt if netboot fails? y/n [n]:y

    enable passing NVRAM file specs in auto-boot mode? y/n [n]:y

    disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:y

    Current Configuration Register: 0x00112042

    Configuration Summary:

    boot ROMMON, boot command will load index-1 image from Flash

    ignore system configuration

    load ROMMON if netboot fails

    pass NVRAM file specs in auto-bootloader mode

    display of BREAK or ESC key prompt during auto-boot disabled

    Update Config Register (0x112042) in NVRAM…

    rommon #1>boot

    Launching BootLoader…

    Default configuration file contains 1 entry.

    Boot mode is 1. Default entry is 1.

    Searching / for images to boot.

    Loading /asa842-k8.bin… Booting…

    Platform ASA5510

    Loading…

    IO memory blocks requested from bigphys 32bit: 13008

    dosfsck 2.11, 12 Mar 2005, FAT32, LFN

    Starting check/repair pass.

    Starting verification pass.

    /dev/hda1: 134 files, 6278/62462 clusters

    dosfsck(/dev/hda1) returned 0

    Processor memory 868220928, Reserved memory: 62914560

    Total SSMs found: 0

    Total NICs found: 7

    mcwa i82557 Ethernet at irq 11 MAC: 5475.d0d4.9506

    mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001

    i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002

    i82546GB rev03 Ethernet @ irq09 dev 2 index 03 MAC: 5475.d0d4.9505

    i82546GB rev03 Ethernet @ irq09 dev 2 index 02 MAC: 5475.d0d4.9504

    i82546GB rev03 Ethernet @ irq09 dev 3 index 01 MAC: 5475.d0d4.9503

    i82546GB rev03 Ethernet @ irq09 dev 3 index 00 MAC: 5475.d0d4.9502

    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode        : CN1000-MC-BOOT-2.00 
    
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
    
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
    

    Verify the activation-key, it might take a while…

    Running Permanent Activation Key: 0xe30ae376 0x68468285 0x04808d74 0xac70ec70 0x070600aa

    Licensed features for this platform:

    Maximum Physical Interfaces : Unlimited perpetual

    Maximum VLANs : 50 perpetual

    Inside Hosts : Unlimited perpetual

    Failover : Disabled perpetual

    VPN-DES : Enabled perpetual

    VPN-3DES-AES : Enabled perpetual

    Security Contexts : 0 perpetual

    GTP/GPRS : Disabled perpetual

    AnyConnect Premium Peers : 2 perpetual

    AnyConnect Essentials : Disabled perpetual

    Other VPN Peers : 250 perpetual

    Total VPN Peers : 250 perpetual

    Shared License : Disabled perpetual

    AnyConnect for Mobile : Disabled perpetual

    AnyConnect for Cisco VPN Phone : Disabled perpetual

    Advanced Endpoint Assessment : Disabled perpetual

    UC Phone Proxy Sessions : 2 perpetual

    Total UC Proxy Sessions : 2 perpetual

    Botnet Traffic Filter : Disabled perpetual

    Intercompany Media Engine : Disabled perpetual

    This platform has a Base license.

    Cisco Adaptive Security Appliance Software Version 8.4(2)

    ****************************** Warning *******************************

    This product contains cryptographic features and is

    subject to United States and local country laws

    governing, import, export, transfer, and use.

    Delivery of Cisco cryptographic products does not

    imply third-party authority to import, export,

    distribute, or use encryption. Importers, exporters,

    distributors and users are responsible for compliance

    with U.S. and local country laws. By using this

    product you agree to comply with applicable laws and

    regulations. If you are unable to comply with U.S.

    and local laws, return the enclosed items immediately.

    A summary of U.S. laws governing Cisco cryptographic

    products may be found at:

    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by

    sending email to export@cisco.com.

    ******************************* Warning *******************************

    Copyright © 1996-2011 by Cisco Systems, Inc.

                Restricted Rights Legend
    

    Use, duplication, or disclosure by the Government is

    subject to restrictions as set forth in subparagraph

    (c) of the Commercial Computer Software - Restricted

    Rights clause at FAR sec. 52.227-19 and subparagraph

    (c) (1) (ii) of the Rights in Technical Data and Computer

    Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
    
                170 West Tasman Drive
    
                San Jose, California 95134-1706
    

    Ignoring startup configuration as instructed by configuration register.

    INFO: MIGRATION - Saving the startup errors to file ‘flash:upgrade_startup_errors_201204081335.log’

    Type help or ‘?’ for a list of available commands.

    ciscoasa> en

    Password: # just press Enter here

    ciscoasa#

    ciscoasa#copy startup-config running-config

    Destination filename [running-config]?# just press Enter con

    %Error opening system:con (No such file or directory)

    ciscoasa# copy startup-config running-config

    Destination filename [running-config]? configure terminal

    %Error opening system:configure (No such file or directory)

    ciscoasa# copy startup-config running-config

    Destination filename [running-config]? y

    %Error opening system:y (No such file or directory)

    ciscoasa# copy ?

    /noconfirm Do not prompt for confirmation

    /pcap Raw packet capture dump

    capture: Copyout capture buffer

    disk0: Copy from disk0: file system

    disk1: Copy from disk1: file system

    flash: Copy from flash: file system

    ftp: Copy from ftp: file system

    http: Copy from http: file system

    https: Copy from https: file system

    running-config Copy from current system configuration

    smb: Copy from smb: file system

    startup-config Copy from startup configuration

    system: Copy from system: file system

    tftp: Copy from tftp: file system

    ciscoasa# copy str

    ciscoasa# copy sta

    ciscoasa# copy startup-config ru

    ciscoasa# copy startup-config running-config

    Destination filename [running-config]? ?

    Cryptochecksum (unchanged): 2e44c71d a824ed25 7a3273d9 e8a3e089

    5026 bytes copied in 0.270 secs

    ciscoasa# copy startup-config running-config

    Destination filename [running-config]?

    WARNING: found duplicate element

    WARNING: <101> found duplicate element

    …WARNING: Policy map global_policy is already configured as a service policy

    Cryptochecksum (unchanged): 2e44c71d a824ed25 7a3273d9 e8a3e089

    5026 bytes copied in 0.190 secs

    ciscoasa# con

    ciscoasa# configure te

    ciscoasa#configure terminal

    ciscoasa(config)# pas

    ciscoasa(config)# passw?

    configure mode commands/options:

    passwd password

    ciscoasa(config)# passwo

    ciscoasa(config)# password wxlccsu

    ciscoasa(config)# en

    ciscoasa(config)# ena

    ciscoasa(config)# enable pa

    ciscoasa(config)# enable password pa

    ciscoasa(config)#enable password wxlccsu

    ciscoasa(config)# con

    ciscoasa(config)# conf

    ciscoasa(config)# config-

    ciscoasa(config)# config-register

    ciscoasa(config)# config-register 0x01 # if it has not been changed, this is 0X01

    ciscoasa(config)# co

    ciscoasa(config)# cop

    ciscoasa(config)# copy ru

    ciscoasa(config)# copy running-config sta

    ciscoasa(config)# copy running-config startup-config

    Source filename [running-config]? #### just press Enter here

    Cryptochecksum: b06d7497 13c8a9ce f9c4a96e 6bfc157a

    5481 bytes copied in 3.290 secs (1827 bytes/sec)

    ciscoasa(config)# end

    ciscoasa# reboot
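
A check one could run over a saved console capture of this procedure (an added example, not part of the original post or of Cisco's documentation): it follows the configuration register through the log and flags a capture that ends with the appliance still set to ignore its startup configuration, which is what happens when Step 14 is skipped. The function name, the sample logs and the reading of 0x40 as the ignore-configuration bit are assumptions made here.

```python
import re

# Assumption: bit 6 (0x40) is the "ignore system configuration" flag; it is set in
# 0x00112042 and clear in 0x00002000 and 0x00000011, matching the summaries above.
IGNORE_CONFIG = 0x40
HEX = r"(0[xX][0-9a-fA-F]+)"
# Console line formats that reveal a register value, as they appear in the session.
REG_PATTERNS = [
    re.compile(r"Current Configuration Register:\s*" + HEX),
    re.compile(r"Update Config Register \(" + HEX + r"\) in NVRAM"),
    re.compile(r"\(config\)#\s*config-register\s+" + HEX),
]
BANNER = "Ignoring startup configuration as instructed by configuration register"

def audit_console_log(text):
    """Track the register through a capture and report the state it was left in."""
    history, booted_blank = [], False
    for line_no, line in enumerate(text.splitlines(), 1):
        if BANNER in line:
            booted_blank = True  # the appliance came up on the default configuration
        for pattern in REG_PATTERNS:
            match = pattern.search(line)
            if match:
                history.append((line_no, int(match.group(1), 16)))
                break
    final = history[-1][1] if history else None
    return {
        "history": history,
        "booted_without_startup_config": booted_blank,
        "final_register": final,
        "left_ignoring_config": final is not None and bool(final & IGNORE_CONFIG),
    }

# Constructed sample: register-related lines condensed from the session above.
RECOVERY = """rommon #0> confreg
Current Configuration Register: 0x00002000
Current Configuration Register: 0x00112042
Update Config Register (0x112042) in NVRAM...
Ignoring startup configuration as instructed by configuration register.
ciscoasa(config)# enable password <new-password>
"""
RESTORED = RECOVERY + "ciscoasa(config)# config-register 0x01\n"  # as in the post
FORGOTTEN = RECOVERY  # constructed failure case: Step 14 was skipped

if __name__ == "__main__":
    for name, log in (("restored", RESTORED), ("forgotten", FORGOTTEN)):
        result = audit_console_log(log)
        print(name, hex(result["final_register"]), result["left_ignoring_config"])
```

A capture that reports `left_ignoring_config` as true means the next reload will again come up on the default configuration with a blank enable password.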

  • Original article: https://www.cnblogs.com/cyrusxx/p/12562868.html