Friday, July 15, 2016

PIX525 - Part I.

PIX525 - PIX Security Appliance (PIX 7.x software)

Password recovery, step by step


This platform has an Unrestricted (UR) license.
  --------------------------------------------------------------------------
                                 .            .                            
                                 |            |                            
                                |||          |||                           
                              .|| ||.      .|| ||.                         
                           .:||| | |||:..:||| | |||:.                      
                            C i s c o  S y s t e m s                       
  --------------------------------------------------------------------------

Power on only ONE of the two units and decide which one will be the primary.
Once logged in, wipe the old configuration (both commands need enable mode):

write erase
reload
 
When it comes back up, it can be configured from scratch.

One of the two units still had a configuration, so I first had to do a password recovery. If you are used to Cisco switches and routers, be warned: on the PIX it is not that easy.
A special password-tool image is needed (it has to match the PIX software version; np70 is for 7.0), and the appliance has to fetch it from a TFTP server while sitting in monitor mode.

First, serve the tool from the C2811 router's built-in TFTP server (the image was copied to the router's USB flash beforehand):

tftp-server file usbflash0:8529-np70.bin
 
Once TFTP is ready, prepare the interface facing the PIX. I gave Fa0/1 the address 172.17.17.17 and connected it to Ethernet0 on the PIX.

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.                        
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Ethernet auto negotiation timed out.
Ethernet port 1 could not be initialized.
Use ? for help.
monitor>
monitor>
monitor> ?
?                 this help message
address   [addr]  set IP address of the PIX interface on which
                  the TFTP server resides
file      [name]  set boot file name
gateway   [addr]  set IP gateway
help              this help message
interface [num]   select TFTP interface
ping      <addr>  send ICMP echo
reload            halt and reload system
server    [addr]  set server IP address
tftp              TFTP download
timeout           TFTP timeout
trace             toggle packet tracing
monitor>
monitor> address ?
address 0.0.0.0
monitor>
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Using 0: i82557 @ PCI(bus:0 dev:14 irq:10), MAC: 0013.60e2.bbb6
monitor>
monitor> address 172.17.17.18 255.255.0.0   --- monitor mode takes no mask; the line is rejected and the address stays 0.0.0.0
address 0.0.0.0

monitor> address 172.17.17.18
address 172.17.17.18
monitor>
monitor> gateway 172.17.17.17
gateway 172.17.17.17
monitor>
monitor>
monitor> ping 172.17.17.17   --- check reachability first: if the ping fails, the TFTP download will fail too
Sending 5, 100-byte 0xe1ab ICMP Echoes to 172.17.17.17, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor>
monitor>
monitor> server 172.17.17.17
server 172.17.17.17
monitor>
monitor> file 8529-np70.bin
file 8529-np70.bin
monitor>
monitor>
monitor> tftp
tftp 8529-np70.bin@172.17.17.17 via 172.17.17.17.............................................................................................................................................................................................................................................................
Received 129024 bytes

Cisco PIX Security Appliance password tool (3.0) #0: Thu Jun  9 21:45:44 PDT 2005

Initializing flashfs...
flashfs[0]: 7 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 16128000
flashfs[0]: Bytes used: 14300160
flashfs[0]: Bytes available: 1827840
flashfs[0]: Initialization complete.
Using the default startup configuration

Do you wish to erase the passwords? y/n [n]: y
The following lines will be removed from the configuration:
        enable password H75KO93BH/Ur8Ksg encrypted
        passwd H75KO93BH/Ur8Ksg encrypted
        aaa authentication enable console LOCAL
        aaa authentication ssh console LOCAL
        aaa authorization command LOCAL

Do you want to remove the commands listed above from the configuration? y/n [n] y
Passwords and aaa commands have been erased.


And that's it: the tool removes the password and AAA lines from the startup configuration and reloads, and we have access to enable mode and configuration mode on the PIX 525. Set new passwords straight away and save them (write memory). Note what this also demonstrates: anyone with the console cable and a laptop running TFTP can do exactly the same, so the console port is only as secure as the room it sits in.

Open issue:
- one unit has an Active/Active failover license, the other Active/Standby
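As an added example (it is not part of the original post, nor Cisco's tool): a minimal read-only TFTP server in Python that could stand in for the C2811. It shows what the monitor's tftp command actually exchanges on the wire: a read request naming the file, 512-byte DATA blocks each acknowledged by the PIX, and the empty final block that a file of exactly 252 * 512 bytes, like the 129024-byte tool image, needs before the client considers the transfer finished. The file path /srv/tftp/8529-np70.bin and the serve-one-request-then-exit behaviour are assumptions for the example. Only names from an allow-list are served, so a request for ../etc/passwd never touches the filesystem.

```python
import socket
import struct

# TFTP opcodes (RFC 1350)
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def build_rrq(filename, mode="octet"):
    """Read request, as the PIX monitor sends it: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(packet):
    """Return (filename, mode) from a read request; raise ValueError on anything else."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != OP_RRQ:
        raise ValueError("only read requests are served")
    fields = packet[2:].split(b"\0")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("malformed request")
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def data_blocks(payload):
    """Split a file into numbered DATA packets.

    A transfer ends with a block shorter than 512 bytes.  A file whose size is an
    exact multiple of 512 (the 129024-byte tool image is 252 * 512) therefore needs
    one extra, empty DATA block, or the client keeps waiting for more.
    """
    blocks = []
    number = 1
    for offset in range(0, len(payload), BLOCK_SIZE):
        blocks.append(struct.pack("!HH", OP_DATA, number & 0xFFFF) + payload[offset:offset + BLOCK_SIZE])
        number += 1
    if len(payload) % BLOCK_SIZE == 0:
        blocks.append(struct.pack("!HH", OP_DATA, number & 0xFFFF))
    return blocks


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def serve_one_request(allowed, bind=("0.0.0.0", 69), timeout=5.0, retries=5):
    """Answer a single RRQ for one of the allow-listed files; return bytes delivered.

    'allowed' maps the name a client may ask for to the local path, so a request
    for "../etc/shadow" can never reach the filesystem.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(bind)
    request, client = listener.recvfrom(1024)
    try:
        name, mode = parse_rrq(request)
    except ValueError as exc:
        listener.sendto(build_error(4, str(exc)), client)
        return 0
    if name not in allowed or mode != "octet":
        listener.sendto(build_error(1, "file not found"), client)
        return 0
    with open(allowed[name], "rb") as handle:
        payload = handle.read()
    # Data flows from a fresh ephemeral port: that port pair is the transfer ID.
    transfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    transfer.settimeout(timeout)
    delivered = 0
    for block in data_blocks(payload):
        (expected,) = struct.unpack("!H", block[2:4])
        for _ in range(retries):
            transfer.sendto(block, client)
            try:
                ack, peer = transfer.recvfrom(4)
            except socket.timeout:
                continue  # lost packet: resend the same block
            if peer == client and len(ack) >= 4 and struct.unpack("!HH", ack[:4]) == (OP_ACK, expected):
                delivered += len(block) - 4
                break
        else:
            raise RuntimeError("client stopped acknowledging block %d" % expected)
    return delivered


if __name__ == "__main__":
    # Assumed path; port 69 needs root.  Point the PIX monitor at this host with
    # 'server <ip>' and 'file 8529-np70.bin', then run 'tftp'.
    print("sent %d bytes" % serve_one_request({"8529-np70.bin": "/srv/tftp/8529-np70.bin"}))
```

The retry loop is what keeps the transfer alive across the lost packets a half-initialised PIX interface produces; the peer check on the ACK is the transfer-ID rule from the RFC, which stops a third host from stepping into the transfer.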

   

Friday, July 8, 2016

Virtualization

Memories of my first virtualizations
(2001/2002)

     Today I was going through an older backup hard disk which has started to fail, and I wanted to quickly dig out as much data as it would still let me, before it dies for good.
     I found copies of the first websites I started making around '97-'98 for friends of my father, who, by the way, worked and still works as a network engineer for a large French enterprise.

Compared with modern site designs, the websites just suck. Really terrible, simplistic design, like the ones you get for free from those "web creators".

I couldn't believe I had even liked some of them :D But then a folder popped up with screenshots, GIFs and also JavaScripts(!) named "2Avoid". Wheee!
     Do you remember that crazy blinking and moving stuff? Quite a lot of people used it, for text, pics or just all around.
-- I hated it then and I hate it even more today. I prefer a clean, newspaper-like design or a photo album: a decent style that doesn't draw attention away from the subject.
   For programming those sites I remember using some combination of a WYSIWYG editor and the standard LaunchPad, before I later moved to a plain-text editor. But these are not the important memories yet.

     On the same disk, my patient reader, I found a few somewhat later projects.
Now please be honest with me and with yourself: since when have you really known about virtualization? When did you first hear about it?
Let me guess: four or five years back? Hey, that was already a big-bada-boom. Less? OK, fair enough, most people do. Not me, though...

     Portable applications have been around for quite a long while, and basically they were made possible thanks to "virtualization". My father came home from work one day in 2002 and, like a small boy, was talking and almost singing about the "New Future": "...a wonderful new Sun which is able to do unbelievable things with everything..." His company paid a fortune to Sun Microsystems for it, and it was delivered two months later anyway, because the U.S. government/military didn't want to approve the sale. Because thanks to it you were able to run different operating systems on one computer/server. And not only that: you could run them in another window. It allowed you to create the small mainframe/backplane an app needed to run without any installation, just from a USB disk. It was using software called VMware...

Oh yeah, just a little while later, a year and a half (>> in IT terms, after the monkeys <<), this same company released a stripped-down version of that software to the public for free. VMware Player meant a definite change to the world as we know it and as we knew it. In the beginning you could really only "play" virtual machines, but you were not able to create one...
If I had only known what would come out of all of it, I wouldn't have supported it that much. My father already saw that we were returning to the 70s with this: one central computer brain under complete control, and the user left with just a "remote terminal". So we spent 40 years of development just to return to the beginning.

     Never mind; in the middle of 2007 I started selling "Remote Website and Application, controlled via GUI", and by the end of 2009 there were virtual shared server resources vs. dedicated physical server resources.




Win 7 in a Windows

VMware deployment under Ubuntu & derivatives

Thursday, July 7, 2016

IPv6 tunnelling


IPv6 Tunnelling
w/Cisco Router 2811


telnet 64.62.142.154

*************************************************************************
*****                      route-server.he.net                      *****
*****              Hurricane Electric IP Route Monitor              *****
*****                           AS 6939                             *****
*************************************************************************

This router maintains peering sessions with some of the core routers in
Hurricane Electric's network. Hurricane Electric operates an international
Internet Backbone and offers transit, colocation, and dedicated servers.

Location                  IPv4                  IPv6
---------------------     ----------------      ------------------------
North America
 Equinix Seattle          216.218.252.176       2001:470:0:3d::1
 Equinix Palo Alto        216.218.252.165       2001:470:0:1b::1
 Equinix San Jose         216.218.252.164       2001:470:0:1a::1
 Hurricane Fremont 1      216.218.252.161       2001:470:0:23::1
 One Wilshire Los Angeles 216.218.252.178       2001:470:0:6c::1
 Equinix Chicago          216.218.252.168       2001:470:0:16::1
 Equinix Dallas           216.218.252.167       2001:470:0:1d::1
 Equinix Toronto          216.218.252.147       2001:470:0:99::1
 Equinix New York         216.218.252.171       2001:470:0:13::1
 Equinix Ashburn          216.218.252.169       2001:470:0:17::1
 NOTA Miami               216.218.252.177       2001:470:0:4a::1
 CoreSite Denver          216.218.252.157       2001:470:0:155::1
 1102 Grand Kansas City   216.218.252.190       2001:470:0:22b::1
 Cologix Montreal         216.218.252.193       2001:470:0:224::1
Europe
 Telecity London          216.218.252.211       2001:470:0:2cc::1
 NIKHEF Amsterdam         216.218.252.173       2001:470:0:e::1
 Interxion Frankfurt      216.218.252.174       2001:470:0:2a::1
 Telehouse Paris          216.218.252.184       2001:470:0:1ae::1
 Equinix Zurich           216.218.252.153       2001:470:0:10c::1
 TeleCity Stockholm       216.218.252.154       2001:470:0:10f::1
 PLIX/LIM Warsaw          216.218.252.189       2001:470:0:215::1
Asia
 Mega-I Hong Kong         216.218.252.180       2001:470:0:c2::1
 Equinix Tokyo            216.218.252.151       2001:470:0:10a::1
 Equinix Singapore        216.218.252.179       2001:470:0:169::1

Configuration of IPv6 Tunnelling

(The IP addresses have been changed for security reasons.)

conf t
ipv6 unicast-routing
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:220:6E:218::2/64
 ipv6 enable
 tunnel source 28.10.16.15
 tunnel mode ipv6ip
 tunnel destination 216.66.86.12
!

ipv6 unicast-routing is a global configuration command, so it belongs after conf t, not before it. The ::2 address is the client end of the /64 the broker assigns; the broker's end is ::1. Two things this fragment does not cover: the tunnel source has to be the public IPv4 address the broker sees (behind NAT, IP protocol 41 must be forwarded to the router), and no IPv6 traffic leaves the router until a default route points at Tunnel0.
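Added example (not from the post, Cisco or Hurricane Electric): what tunnel mode ipv6ip does to a packet, in Python. encapsulate puts an IPv6 packet behind an IPv4 header with protocol 41; decapsulate does the reverse and, before accepting anything, checks that the outer source is the configured tunnel destination, the check RFC 4213 section 3.6 requires and the reason the tunnel destination is pinned to one address. The endpoint addresses are the already-anonymised ones from the configuration above; the inner IPv6 packet is a constructed header with no payload.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # what "tunnel mode ipv6ip" puts in the IPv4 protocol field


def ipv4_checksum(header):
    """RFC 791 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv6_header(src, dst, next_header=59, payload_len=0, hop_limit=64):
    """Minimal IPv6 header (next header 59 = no payload), enough to exercise the tunnel."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def encapsulate(tunnel_src, tunnel_dst, ipv6_packet, ttl=64, ident=0):
    """Wrap an IPv6 packet in an IPv4 header with protocol 41 (RFC 4213 encapsulation)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), ident, 0x4000, ttl,
                         IPPROTO_IPV6, 0, ipaddress.IPv4Address(tunnel_src).packed,
                         ipaddress.IPv4Address(tunnel_dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate(frame, tunnel_src, tunnel_dst):
    """Return the inner IPv6 packet, or raise ValueError.

    The outer source must be the configured peer (RFC 4213 section 3.6): without that
    check anyone on the IPv4 Internet can hand the router arbitrary IPv6 traffic that
    then appears to arrive from inside the tunnel.
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl or ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    (total_len,) = struct.unpack("!H", frame[2:4])
    if frame[9] != IPPROTO_IPV6:
        raise ValueError("not protocol 41")
    outer_src = ipaddress.IPv4Address(frame[12:16])
    outer_dst = ipaddress.IPv4Address(frame[16:20])
    if outer_src != ipaddress.IPv4Address(tunnel_dst) or outer_dst != ipaddress.IPv4Address(tunnel_src):
        raise ValueError("outer addresses are not the tunnel endpoints: dropped")
    inner = frame[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not IPv6")
    return inner


# Constructed sample using the (already anonymised) endpoints from the post above.
MY_IPV4, BROKER_IPV4 = "28.10.16.15", "216.66.86.12"
SAMPLE_IPV6 = ipv6_header("2001:220:6e:218::2", "2001:470:0:2cc::1")
SAMPLE_FRAME = encapsulate(MY_IPV4, BROKER_IPV4, SAMPLE_IPV6)

if __name__ == "__main__":
    # The broker's view: its tunnel source is BROKER_IPV4, its destination MY_IPV4.
    print("inner ok:", decapsulate(SAMPLE_FRAME, BROKER_IPV4, MY_IPV4) == SAMPLE_IPV6)
    try:
        decapsulate(encapsulate("198.51.100.7", BROKER_IPV4, SAMPLE_IPV6), BROKER_IPV4, MY_IPV4)
    except ValueError as exc:
        print("spoofed frame:", exc)
```

The spoofed frame in the usage block is well formed in every other respect; only the source-address rule rejects it, which is exactly why a static tunnel with a fixed destination is safer than an "accept from anyone" 6to4 relay.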


FreeRadius with Raspberry Pi


RADIUS Authentication Server on RaspberryPi

Failing test (before configuration; radtest arguments are user, password, server, NAS port, shared secret):
test@raspberryPi:~ $ radtest kralvesmiru test123 127.0.0.1 0 testing123
Sending Access-Request of id 114 to 127.0.0.1 port 1812
    User-Name = "kralvesmiru"
    User-Password = "test123"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=114, length=20
test@raspberryPi:~ $

Changes were made in three files: the user entry in users, the NAS (client) definition with its shared secret in clients.conf, and the server settings in radiusd.conf:

sudo nano /etc/freeradius/users
sudo nano /etc/freeradius/clients.conf
sudo nano /etc/freeradius/radiusd.conf

FreeRADIUS restarted:

sudo service freeradius stop
sudo service freeradius start

Watching the log live while testing (this only tails the log; the daemon's own debug mode, freeradius -X, prints every attribute as it is processed):

sudo tail -f /var/log/freeradius/radius.log

And voilà, RADIUS now works with a basic configuration. Two things to fix before this leaves the lab: testing123 is the shared secret FreeRADIUS ships for the localhost client and has to be replaced, and radtest sends the password as PAP, where it is only hidden by an MD5-based XOR keyed with that secret.

test@raspberryPi:~ $ radtest kralvesmiru test123 127.0.0.1 0 testing123
Sending Access-Request of id 36 to 127.0.0.1 port 1812
    User-Name = "kralvesmiru"
    User-Password = "test123"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=36, length=20
test@raspberryPi:~ $
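Added example, not radtest's or FreeRADIUS's code: the Access-Request that radtest sent above, built by hand in Python. It shows how User-Password is hidden (RFC 2865 section 5.2: MD5 of the shared secret and the request authenticator, XORed block by block), why the Message-Authenticator that radtest prints as zeros is a placeholder filled in just before sending (HMAC-MD5 over the packet, RFC 2869 section 5.14), and what the server does to recover the password. The username, password, NAS address and secret mirror the test above; the fixed authenticator is an assumption for reproducibility only, a real client must draw a fresh random one per request.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16, then c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server does it; a wrong secret yields garbage, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def attribute(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Return (type, value) pairs; reject the malformed lengths a fuzzer would send."""
    offset, attrs = 20, []
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[offset + 2:offset + length]))
        offset += length
    return attrs


def sign(packet, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the Message-Authenticator bytes zeroed.

    Signing an already-signed packet recomputes the same value, so
    sign(p, secret) == p is the verification check.
    """
    offset = 20
    for attr_type, value in parse_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + b"\0" * 16 + packet[offset + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return packet[:offset + 2] + mac + packet[offset + 18:]
        offset += 2 + len(value)
    raise ValueError("no Message-Authenticator attribute")


def access_request(ident, secret, username, password, nas_ip="127.0.1.1", nas_port=0, authenticator=None):
    """Build and sign the Access-Request radtest sends; the zeroed Message-Authenticator it
    prints is the placeholder this function fills in last."""
    authenticator = authenticator or os.urandom(16)  # fresh per request: it keys the password hiding
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + attribute(NAS_PORT, struct.pack("!I", nas_port))
             + attribute(MESSAGE_AUTHENTICATOR, b"\0" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return sign(packet, secret)


# Constructed to mirror the radtest run above: kralvesmiru / test123, shared secret testing123.
SECRET = b"testing123"
FIXED_AUTHENTICATOR = bytes(range(16))  # assumption for a reproducible packet; never do this for real
SAMPLE = access_request(36, SECRET, "kralvesmiru", "test123", authenticator=FIXED_AUTHENTICATOR)
```

Everything that protects the password in this exchange is the secret and the randomness of the authenticator; with testing123 left in place, anyone who can sniff the UDP packet recovers test123 with reveal_password.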

Tacacs+ Server for Cisco Devices Authentication

TACACS+ Server for Cisco Devices

(Linux Raspbian / Raspberry Pi)



PayozonLAB-RT01#test aaa group tacacs+ new-code
Sending password
User successfully authenticated

USER ATTRIBUTES

username             "user01"
reply-message        "Password: "
PayozonLAB-RT01#

PayozonLAB-RT01#
PayozonLAB-RT01#test aaa group tacacs+ payozon tacacs legacy          
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

PayozonLAB-RT01#
And how to do it? On the Raspberry Pi, open a terminal and install tacacs+:
sudo apt install tacacs+
sudo service tacacs_plus status
sudo nano /etc/tacacs+/tac_plus.conf
Now we need to add the shared key, users and passwords: append the text below to the end of tac_plus.conf and comment out everything above it:

# This is the key that clients have to use to access TACACS+
key = test@Key123

# User - Basic Settings
user = root {
    default service = permit
    name = "Administrator"
    login = cleartext admin
    service = exec {
        priv-lvl = 15
    }
}
  sudo service tacacs_plus restart
tail /var/log/tac_plus.acct
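Added example (not from the post, tac_plus or Cisco): what the key in tac_plus.conf actually protects, in Python. TACACS+ does not encrypt; it XORs the packet body with an MD5 stream derived from the session id, the key, the version and the sequence number (RFC 8907 section 4.5). The functions below build an authentication START carrying the admin/admin PAP login used in the test command later in this post, obfuscate it with test@Key123, and open it again as the server, or anyone holding the key and a packet capture, would. The session id and the tty port name are constructed for the example.

```python
import hashlib
import os
import struct

TAC_PLUS_AUTHEN = 1
VERSION = 0xC0                      # major 0xC, minor 0: what IOS sends for ASCII/PAP logins
FLAG_UNENCRYPTED = 0x01             # set when no key is configured: the body goes in the clear
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id, key, version, seq_no, body):
    """XOR the body with the pseudo-pad.  Symmetric: the same call undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def authen_start_body(user, password, priv_lvl=1, port=b"tty0", rem_addr=b""):
    """Authentication START for PAP: action LOGIN(1), authen_type PAP(2), service LOGIN(1);
    the password travels in the data field."""
    user_b, data = user.encode(), password.encode()
    if max(len(user_b), len(port), len(rem_addr), len(data)) > 255:
        raise ValueError("field too long for a one-byte length")
    return (struct.pack("!8B", 1, priv_lvl, 2, 1, len(user_b), len(port), len(rem_addr), len(data))
            + user_b + port + rem_addr + data)


def parse_authen_start(body):
    if len(body) < 8:
        raise ValueError("short body")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ulen + plen + rlen + dlen:
        raise ValueError("length fields do not match body")
    user = body[8:8 + ulen]
    port = body[8 + ulen:8 + ulen + plen]
    rem_addr = body[8 + ulen + plen:8 + ulen + plen + rlen]
    data = body[8 + ulen + plen + rlen:]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user.decode("ascii", "replace"), "port": port.decode("ascii", "replace"),
            "rem_addr": rem_addr.decode("ascii", "replace"), "data": data.decode("ascii", "replace")}


def build_packet(key, body, seq_no=1, session_id=None, packet_type=TAC_PLUS_AUTHEN):
    """Header + (obfuscated) body.  session_id must be random per session: with a repeated
    session_id the pad repeats, and two captured bodies XOR to each other's plaintext."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")
    if key:
        flags, payload = 0, obfuscate(session_id, key, VERSION, seq_no, body)
    else:
        flags, payload = FLAG_UNENCRYPTED, body
    return HEADER.pack(VERSION, packet_type, seq_no, flags, session_id, len(payload)) + payload


def open_packet(packet, key):
    """What the server (or anyone holding the key and a capture) does to read the body."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, _type, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated body")
    if flags & FLAG_UNENCRYPTED:
        return payload
    if not key:
        raise ValueError("body is obfuscated and no key was given")
    return obfuscate(session_id, key, version, seq_no, payload)


# Constructed sample: the key from tac_plus.conf above and the admin/admin test login.
KEY = b"test@Key123"
SAMPLE_BODY = authen_start_body("admin", "admin")
SAMPLE_PACKET = build_packet(KEY, SAMPLE_BODY, session_id=0x1234ABCD)
```

The practical consequences: the key is the only secret, it is shared by every device that talks to the server, and it never changes during a session, so TACACS+ between router and Pi belongs on a management VLAN, not on a network where the traffic can be captured.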
Then switch to your Cisco switch or router and test it:

test aaa group tacacs+ admin admin legacy

ssh -c aes256-cbc admin@172.16.255.103 

Everything OK? Let's continue...

In global configuration mode issue the commands below:

aaa new-model
aaa authentication login default local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
tacacs-server host 192.168.15.62
tacacs-server key test@Key123

One caveat on the method order: with local listed first, a username that exists in the local database is decided locally and never reaches the TACACS+ server. The usual production order is group tacacs+ local, so the local account is only a fallback when no server answers.

That is the older syntax. The newer one defines the server as an object (the key must match tac_plus.conf, and login authentication is a line command, so it goes under the vty lines):

tacacs server TACACS+
 address ipv4 192.168.1.38
 key test@Key123
 timeout 15
!
aaa authentication login TACACS+ group tacacs+
aaa authentication password-prompt TACACS+Password:
aaa authentication username-prompt TACACS+Username:
aaa authentication attempts login 5
!
line vty 0 4
 login authentication TACACS+
And the last beginner's task is the TACACS+ login banner (the username and password prompts were set above):
(config)#aaa authentication banner X
Enter TEXT message.  End with the character 'X'.
*****************************************************************
*                                                               *
*      PRIVATE PROPERTY -- YOU ARE MONITORED! LEAVE NOW!        *
* ------------------------------------------------------------- *
*    THIS COMPUTER SYSTEM, INCLUDING ALL RELATED EQUIPMENT,     *
*                 NETWORKS AND NETWORK DEVICES                  *
*           (SPECIFICALLY INCLUDING INTERNET ACCESS)            *
*   ARE PROVIDED ONLY FOR AUTHORIZED USE. USE OF THIS SYSTEM    *
* AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO MONITORING *
*                                                               *
*    UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION   *
* EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY  *
* BE USED FOR ADMINISTRATIVE, CRIMINAL OR OTHER ADVERSE ACTION  *
*                                                               *
*    USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING.      *
*                                                               *
*****************************************************************
                                                                
X
(config)#


-- For a more secure setup, use tac_pwd to generate a DES-encrypted password instead of storing it in cleartext.

-- in tac_plus.conf use
login = des 8L/6PsZWYZzjk 

Keep in mind that des here is the traditional crypt(3) DES hash: it only looks at the first 8 characters of the password and is cheap to brute-force on modern hardware, so it protects against a casual look at the file rather than against anyone who can copy it. Make tac_plus.conf readable by root only; the shared key in the same file is in cleartext no matter what.

MagLab-phys-R01#test aaa group tacacs+ admin admin legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

 
 

MD5 password cracking

MD5 password cracking

John the Ripper

vs.

Cisco's enable secret


$ sudo apt install john
Selecting previously unselected package john.
Preparing to unpack .../john_1.8.0-2_armhf.deb ...
Unpacking john (1.8.0-2) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up john-data (1.8.0-2) ...
Setting up john (1.8.0-2) ...
# sh run | s secret
enable secret $1$sSWq$CGWilSWbR821tNBqcnFTo.

$ echo '$1$sSWq$CGWilSWbR821tNBqcnFTo.' > /home/pi/md5_hash

$ john /home/pi/md5_hash
Created directory: /home/pi/.john
Loaded 1 password hash (md5crypt [MD5 32/32])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:16 11% 2/3 0g/s 1008p/s 1008c/s 1008C/s miamimiami
0g 0:00:00:24 16% 2/3 0g/s 1014p/s 1014c/s 1014C/s CHARLIE

cisco            (?)
1g 0:00:03:28 3/3 0.004807g/s 972.3p/s 972.3c/s 972.3C/s cisco
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ john /home/netmag/md5_hash
Created directory: /home/netmag/.john
Loaded 1 password hash (md5crypt [MD5 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 15% 2/3 0g/s 11887p/s 11887c/s 11887C/s 1chad..1chainsaw
cisco            (?) -- easy password done in 15secs
1g 0:00:00:15 3/3 0.06485g/s 13116p/s 13116c/s 13116C/s cisco..cisca
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Comparing John on the Raspberry Pi and on a laptop

-- The Raspberry Pi 2 B+ is much slower than the laptop (i7 3.6 GHz, 8 GB RAM):
-- 15 seconds on the laptop against 3 min 28 s on the RPi for the same hash

-- With more difficult / longer passwords it takes far longer: up to 25 hours, compared to 13.5 hours on the laptop

The speed is the point: a type 5 secret is md5crypt, 1000 rounds of MD5 over a short salt, which is why the Pi manages about 1000 candidates per second and the laptop over 10000. Anything that appears in a wordlist falls in minutes. On IOS 15.3(3)M and later, enable algorithm-type scrypt secret produces a type 9 hash that is far more expensive per guess; type 7 passwords are not hashes at all and decode instantly.

$ echo '$1$lzxg$Ny2blL8TiisWpTP6I//9f/' > /home/pi/md5_hash

RPi

0g 0:01:56:20 3/3 0g/s 1019p/s 1019c/s 1019C/s ashmer7
0g 0:01:56:24 3/3 0g/s 1019p/s 1019c/s 1019C/s aspladi


-- 10hrs and still running on Raspberry Pi

0g 0:10:35:38 3/3 0g/s 1010p/s 1010c/s 1010C/s booy6h
0g 0:11:01:19 3/3 0g/s 1010p/s 1010c/s 1010C/s mb48sp
0g 0:11:10:05 3/3 0g/s 1010p/s 1010c/s 1010C/s lugs35

-- and finally after 18 hours I gave up... need to use a TACACS+ server :D

0g 0:16:42:11 3/3 0g/s 1011p/s 1011c/s 1011C/s b1a37d
0g 0:16:43:15 3/3 0g/s 1011p/s 1011c/s 1011C/s jrji1y
0g 0:17:47:19 3/3 0g/s 1012p/s 1012c/s 1012C/s rsl4lg
0g 0:17:49:00 3/3 0g/s 1012p/s 1012c/s 1012C/s hgiros
0g 0:17:49:59 3/3 0g/s 1012p/s 1012c/s 1012C/s noudir
0g 0:18:05:44 3/3 0g/s 1013p/s 1013c/s 1013C/s cd1buy
0g 0:18:05:47 3/3 0g/s 1013p/s 1013c/s 1013C/s cdm74s
Session aborted 
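Added example, not John the Ripper's code: md5crypt, the algorithm behind the $1$ type 5 secret, implemented in Python, with a verify function as a login routine would use it, a dictionary attack over a small constructed wordlist, and a helper for the worst-case duration of a brute-force run at the rates measured above. The two hashes are the ones quoted in this post; the wordlist is made up for the example.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt, magic=b"$1$"):
    """FreeBSD md5crypt, the algorithm behind IOS 'enable secret' type 5 ($1$ hashes)."""
    pw = password.encode() if isinstance(password, str) else password
    salt = (salt.encode() if isinstance(salt, str) else salt)[:8]
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # as many bytes of MD5(pw, salt, pw) as pw is long
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                                # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the stretching: 1000 dependent MD5 rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + encoded


def split_hash(hashed):
    """'$1$<salt>$<22 chars>' -> (salt, digest); anything else is not a type 5 secret."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1" or not parts[2] or len(parts[3]) != 22:
        raise ValueError("not a $1$ (md5crypt) hash")
    return parts[2], parts[3]


def verify(hashed, password):
    """Constant-time comparison, the check a login routine performs."""
    salt, _ = split_hash(hashed)
    return hmac.compare_digest(md5crypt(password, salt), hashed)


def crack(hashed, candidates):
    """Dictionary attack: first candidate that reproduces the hash, else None."""
    salt, _ = split_hash(hashed)
    for candidate in candidates:
        if md5crypt(candidate, salt) == hashed:
            return candidate
    return None


def hours_to_exhaust(alphabet_size, length, candidates_per_second):
    """Worst case for a mask/brute-force run at a measured rate (about 1000 c/s on the Pi)."""
    return alphabet_size ** length / candidates_per_second / 3600


# Hashes quoted from the post; the wordlist is constructed for this example.
CRACKED_HASH = "$1$sSWq$CGWilSWbR821tNBqcnFTo."
UNCRACKED_HASH = "$1$lzxg$Ny2blL8TiisWpTP6I//9f/"
WORDLIST = ["password", "Cisco", "cisco123", "admin", "cisco"]

if __name__ == "__main__":
    print("cracked:", crack(CRACKED_HASH, WORDLIST))
    print("cracked:", crack(UNCRACKED_HASH, WORDLIST))
    print("6 lowercase chars at 1000 c/s: %.1f h" % hours_to_exhaust(26, 6, 1000))
```

With 26 lowercase letters and length 6 the worst case is about 86 hours at the Pi's rate, which matches the post's experience of giving up after 18 hours; the same keyspace takes under 7 hours at the laptop's 13000 c/s, and a GPU turns those hours into minutes.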

Monday, July 4, 2016

E1/T1 RJ45 (RJ48) back-to-back with 2MFT-TE1

E1/T1 RJ45 (RJ48) back-to-back with 2MFT-TE1


Cabling T1/E1 crossover for back-to-back connection

So the proposition is to have a Multiflex Trunk card (VWIC 1MFT or 2MFT).

Set it up on the router (slot 0, subslot 2 in my case):
card type t1 0 2
or
card type e1 0 2

And connect both cards with a T1/E1 crossover cable (pins 1 and 2 on one end go to 4 and 5 on the other, and vice versa).



Then configure the controller, T1 or E1: one end has to provide the clock (DCE, clock source internal independent) and the other take it from the line (DTE, clock source line).
(the controller number depends on the HWIC slot; mine is 0/2/0)

Router1
controller T1 0/2/0
cablelength long 0db
framing esf
clock source internal independent
linecode b8zs
channel-group 0 timeslots 1-24 speed 64

Router2
controller T1 0/2/0
cablelength long 0db
framing esf
clock source line
linecode b8zs
channel-group 0 timeslots 1-24 speed 64

This creates a logical serial interface on each router (Serial0/2/0:0).

Give them IP addresses from a point-to-point /30 (255.255.255.252) subnet.

Verify with CDP (show cdp neighbors) and ping; if the line stays down, show controllers t1 on both ends tells you which side is not seeing the clock.
Running over T1 / E1 now! :)