How To Break Into A Cisco ASA If You Do Not Have The Enable Password

From time to time, I get a service call asking me to break into a Cisco router or an ASA or a PIX. In most cases, the device was deployed a long time ago and nobody remembers the password. Or they have a copy of the config but the password was stored in the encrypted format.

If you have the password in encrypted format, you might luck out if it is a commonly-used value such as 8Ry2YjIyt7RRXU24 (password is blank) or 2KFQnbNIdI.2KYOU (password is “cisco”). You can try to brute force it with John the Ripper, or Cain and Abel, or some precomputed rainbow table. The time required to brute force a complex password will depend on the character set used in the password, the length of the password, and the speed of the computer that is running Cain & Abel. Might take an ice age to brute force it. Would it be worth the time?

You might have better luck with a bit of lateral thinking. Just paste the encrypted password into Google and see if anyone has posted their own config in some Google-indexed forum somewhere. If their encrypted password is the same value as your mystery password, they are using that same password. Can you ask the poster what their password is?

Other lateral puzzle approaches include: looking for other places that the password may have been stored. Let’s hope it’s not on a Post-It note underneath the keyboard. On a typical network, the documentation is all stored in the same place; a file share, a local directory, a KeePass archive. Maybe a hard copy in the server room. Some of it may not be encrypted. Many admins will use the same password in different systems. The ASA enable password might be the same as the domain administrator password. Might be in the old admin’s email archive. You never know, the sort of sensitive shit people email unencrypted to themselves. That’s the main reason I have to nuke lost Blackberrys from the corporate BES. No screen lock password on your Blackberry AND you emailed naughty photos to yourself? Dude.

You can try to guess the password. Name of company. Name of admin. Name of admin’s dog/cat/child/soccer team/favorite pornstar.

If you have physical access to the ASA, you can probably reset the password. Pretty painless. Just boot into ROMMON mode and change the configuration register value to 0x41 so that the ASA boots without loading the startup config. This means you’re in without needing a password. Then you can copy the startup config into the running config, and you can change the password.

Step-by-Step Instructions

Reboot the ASA. When you see the following text, press the BREAK or ESC key.

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

You are now in ROMMON mode, as indicated by the prompt.

rommon #0>

Type confreg.

rommon #0> confreg

Current Configuration Register: 0x00000001
Configuration Summary:
 boot default image from Flash

Take note of the value of the Current Configuration Register. You are going to be prompted to answer several questions, and based on your answers, the ASA’s Configuration Register is going to be changed to a different value. You’ll want to set the Configuration Register back to its original value after you have reset the ASA password.

Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]: y
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Current Configuration Register: 0x00000041
Configuration Summary:
 boot default image from Flash
 ignore system configuration

Update Config Register (0x41) in NVRAM...

Type boot. Now the ASA is going to boot the OS, but it will load the default config instead of the startup config.

rommon #1> boot

Get into privileged EXEC mode and hit ENTER when prompted for the enable password. Then copy the startup config into the running config.

ciscoasa> en
ciscoasa# copy start run

Destination filename [running-config]?

Get into global configuration mode and make the changes that you want, e.g. change the enable password. You have total access now, so you can change anything that you want.

ciscoasa# conf t
ciscoasa(config)# enable password cisco

When you have finished making all the changes to the config, reset the Configuration Register back to its original value and save the config.

ciscoasa(config)# config-register 0x1
ciscoasa(config)# wr mem

What is the Configuration Register?

The Configuration Register value is a hex value that specifies various boot parameters for the ASA, such as which boot image to use, whether or not to boot the startup config, or whether to perform the ROMMON countdown.

You can set it while you are in ROMMON mode with the confreg command. For example, you could type confreg 0x41 and you won’t be prompted to answer all those questions in the instructions above. (Because the questions only serve as a human-friendly way to formulate the value of the Configuration Register. By specifying “0x41”, you have already provided the value.) However, if you just type confreg, it will display the current value of the Configuration Register. This is important if you need to find out the existing value of the Configuration Register.

rommon #0> confreg 0x41

You can also set the value of the Configuration Register while you are in the global configuration mode with the config-register command.

ciscoasa# conf t
ciscoasa(config)# config-register 0x1
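
A check for the last step of the procedure (resetting the register), added here as an example and not part of the original post: it reads saved show version text and flags any ASA whose next boot would still ignore the startup config. The line format matched by the regex, the function name check_confreg and the device names are assumptions, and the sample text is constructed; only the two bits visible in the dialogue above are decoded.

```python
import re

# Bit meanings derived from the confreg dialogue on this page: 0x1 is
# "boot default image from Flash", and answering "y" to "disable system
# configuration" turns 0x1 into 0x41, so 0x40 is "ignore system configuration".
FLASH_BOOT = 0x01
IGNORE_STARTUP_CONFIG = 0x40

# Assumption: `show version` reports the register in this line format.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?:\s*\(will be (0x[0-9a-fA-F]+) at next reload\))?"
)


def check_confreg(show_version_text):
    """Classify a device by the register value it will use at its next boot."""
    m = CONFREG_RE.search(show_version_text)
    if not m:
        return {"status": "unknown", "next_boot": None, "booted_ignoring_config": None}
    current = int(m.group(1), 16)
    next_boot = int(m.group(2), 16) if m.group(2) else current
    undecoded = next_boot & ~(FLASH_BOOT | IGNORE_STARTUP_CONFIG)
    if next_boot & IGNORE_STARTUP_CONFIG:
        status = "fail"      # a reload would come up without the saved config
    elif undecoded or not next_boot & FLASH_BOOT:
        status = "review"    # unexpected value; other bits are not decoded here
    else:
        status = "ok"
    return {
        "status": status,
        "next_boot": hex(next_boot),
        "booted_ignoring_config": bool(current & IGNORE_STARTUP_CONFIG),
    }


# Constructed sample output, one snippet per hypothetical device.
SAMPLES = {
    "fw-a": "Configuration register is 0x1",
    "fw-b": "Configuration register is 0x41",
    "fw-c": "Configuration register is 0x41 (will be 0x1 at next reload)",
    "fw-d": "Hardware:   ASA5510",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_confreg(text))
```

A "fail" result means the register was never set back: the next reload would come up without the saved passwords and access rules.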

Additional Information:

Config-register command in the Cisco ASA 8.4 Command Reference.

Table of hex values for the Configuration Register on the Cisco ASA.



  1. Psychedelic Supernova
    Posted September 27, 2011 at 4:06 am | Permalink

    Good article. Do you know what kind of encryption the enable password command uses? Can’t you use enable secret command in ASA? Is it supported?

  2. Anonymous
    Posted October 1, 2011 at 8:41 am | Permalink

    The ASA does not support the “enable secret” command. However, the ASA stores the enable password in the config as an MD5-encrypted string, which serves the same purpose as the “enable secret” command on the Cisco IOS.

  3. Alnospam
    Posted July 10, 2012 at 4:54 am | Permalink

    Great article. In the end I had to add a new user to make it work, but your instructions saved me a lot of time in having to wipe the whole thing and restart from scratch. Thanks!

