What though the sea with waves continuall
Doe eate the earth, it is no more at all ;
Ne is the earth the lesse, or loseth ought :
For whatsoever from one place doth fall
Is with the tyde unto another brought :
For there is nothing lost, that may be found if sought.
— Edmund Spenser’s The Faerie Queene
Over the weekend, I opened up my pet Cisco ASA 5505 and removed the Compact Flash card. That’s where the ASA stores the boot images and the config files. I mounted the Compact Flash card on a Windows 7 workstation and located the default startup-config file in a hidden directory.
This is the path: disk0:/.private/startup-config

When opened with a text editor in Windows, the startup-config file is readable, as if I’d run a show run command in the privileged EXEC mode. If anything, this demonstrates the importance of physical security of the Cisco ASA. If I had access to an unlocked server cabinet, I could power down the ASA, snaffle the Compact Flash card (and anything else in the cabinet, for that matter) and I’d have the ASA config file. But as soon as the theft is discovered, you can bet the replacement config will take into account all the compromised passwords in the stolen flash card.
If a brief network disruption could go undetected, and you wanted to fully exploit the information in the config file, the craftier attack would be to power down the ASA, physically remove the compact flash card, copy the config files, and quietly replace the card in the ASA. No enable password required, just a Phillips-head screwdriver and a compact flash card reader. Heck, maybe you could edit the config file and give yourself access before you replace the flash card in the ASA.
But I digress. When you run a dir command from the Cisco ASA, the output shows all the files in the top-level directory of the flash card.
ciscoasa# dir
Directory of disk0:/
90 -rwx 8312832 07:28:12 Sep 06 2007 asa722-k8.bin
91 -rwx 1868412 07:28:26 Sep 06 2007 securedesktop-asa-3.1.1.29-k9.pkg
92 -rwx 398305 07:28:40 Sep 06 2007 sslclient-win-1.1.0.154.pkg
93 -rwx 5623108 07:29:48 Sep 06 2007 asdm-522.bin
95 -rwx 8386560 17:52:22 Nov 06 2007 asa723-k8.bin
10 drwx 4096 17:55:48 Nov 06 2007 crypto_archive
96 -rwx 14457072 18:04:44 Sep 29 2010 asdm-632.bin
97 -rwx 15243264 18:06:32 Sep 29 2010 asa823-k8.bin
3 drwx 4096 18:10:14 Sep 29 2010 log
11 drwx 4096 18:10:58 Sep 29 2010 coredumpinfo
98 -rwx 24938496 17:58:30 May 05 2011 asa841-k8.bin
129073152 bytes total (49459200 bytes free)
The /recursive switch shows the contents of the top-level directory as well as the contents of each of the subdirectories in the top-level directory of the flash card.
ciscoasa# dir /recursive
Directory of disk0:/*
90 -rwx 8312832 07:28:12 Sep 06 2007 asa722-k8.bin
91 -rwx 1868412 07:28:26 Sep 06 2007 securedesktop-asa-3.1.1.29-k9.pkg
92 -rwx 398305 07:28:40 Sep 06 2007 sslclient-win-1.1.0.154.pkg
93 -rwx 5623108 07:29:48 Sep 06 2007 asdm-522.bin
95 -rwx 8386560 17:52:22 Nov 06 2007 asa723-k8.bin
96 -rwx 14457072 18:04:44 Sep 29 2010 asdm-632.bin
97 -rwx 15243264 18:06:32 Sep 29 2010 asa823-k8.bin
98 -rwx 24938496 17:58:30 May 05 2011 asa841-k8.bin

Directory of disk0:/crypto_archive
No files in directory

Directory of disk0:/log
No files in directory

Directory of disk0:/coredumpinfo
12 -rwx 43 18:10:58 Sep 29 2010 coredump.cfg

129073152 bytes total (49459200 bytes free)
There’s not much loaded on the flash card. I wonder if the /recursive switch really is recursive, or if it just goes down one level in the directory tree. So I create three nested directories: test, test2 and test3 using the mkdir command. Like a set of little Matryoshka dolls.
Now this is the output of the dir and the dir /recursive commands.
ciscoasa# dir
Directory of disk0:/
92 -rwx 8312832 07:28:12 Sep 06 2007 asa722-k8.bin
93 -rwx 1868412 07:28:26 Sep 06 2007 securedesktop-asa-3.1.1.29-k9.pkg
94 -rwx 398305 07:28:40 Sep 06 2007 sslclient-win-1.1.0.154.pkg
95 -rwx 5623108 07:29:48 Sep 06 2007 asdm-522.bin
97 -rwx 8386560 17:52:22 Nov 06 2007 asa723-k8.bin
10 drwx 4096 17:55:48 Nov 06 2007 crypto_archive
98 -rwx 14457072 18:04:44 Sep 29 2010 asdm-632.bin
99 -rwx 15243264 18:06:32 Sep 29 2010 asa823-k8.bin
3 drwx 4096 18:10:14 Sep 29 2010 log
11 drwx 4096 18:10:58 Sep 29 2010 coredumpinfo
100 -rwx 24938496 17:58:30 May 05 2011 asa841-k8.bin
101 drwx 4096 03:23:52 May 17 2011 test
129073152 bytes total (49446912 bytes free)

ciscoasa# dir /recursive
Directory of disk0:/*
92 -rwx 8312832 07:28:12 Sep 06 2007 asa722-k8.bin
93 -rwx 1868412 07:28:26 Sep 06 2007 securedesktop-asa-3.1.1.29-k9.pkg
94 -rwx 398305 07:28:40 Sep 06 2007 sslclient-win-1.1.0.154.pkg
95 -rwx 5623108 07:29:48 Sep 06 2007 asdm-522.bin
97 -rwx 8386560 17:52:22 Nov 06 2007 asa723-k8.bin
98 -rwx 14457072 18:04:44 Sep 29 2010 asdm-632.bin
99 -rwx 15243264 18:06:32 Sep 29 2010 asa823-k8.bin
100 -rwx 24938496 17:58:30 May 05 2011 asa841-k8.bin

Directory of disk0:/crypto_archive
No files in directory

Directory of disk0:/log
No files in directory

Directory of disk0:/coredumpinfo
12 -rwx 43 18:10:58 Sep 29 2010 coredump.cfg

Directory of disk0:/test

Directory of disk0:/test/test2

Directory of disk0:/test/test2/test3
No files in directory

129073152 bytes total (49446912 bytes free)
I ran both of those commands with the top-level directory as the current working directory. The output shows the test3 directory, 2 levels down. So the /recursive switch really is recursive. This means that if I am searching for a file, the dir /recursive command will show everything in the entire directory tree. Except the hidden directories, of course.
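Because dir /recursive walks the whole visible tree, two saved listings can be compared to spot files or directories that appeared, vanished or changed on the flash card. The following is an added example, not part of the original post: a Python parser for the listing format shown above, where the function names and the abbreviated sample listings are assumptions made for illustration.

```python
import re

# Entry line: index, permissions, size, time, date, name. The index is ignored
# because it shifts between listings (90 became 92 in the page's output).
ENTRY = re.compile(r"^\s*\d+\s+([d-][rwx-]{3})\s+(\d+)\s+"
                   r"(\d\d:\d\d:\d\d \w{3} \d\d \d{4})\s+(\S+)\s*$")
HEADER = re.compile(r"^Directory of (\S+?)/?\*?$")

def parse_listing(text):
    """Return ({file path: (size, mtime)}, {directory paths})."""
    files, dirs, cwd = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            cwd = header.group(1)
            dirs.add(cwd)
            continue
        entry = ENTRY.match(line)
        if entry and cwd is not None:
            perms, size, mtime, name = entry.groups()
            if perms.startswith("d"):
                dirs.add(f"{cwd}/{name}")
            else:
                files[f"{cwd}/{name}"] = (int(size), mtime)
    return files, dirs

def diff_listings(before, after):
    """Compare two listings: paths added, removed, or changed in size/mtime."""
    (bf, bd), (af, ad) = parse_listing(before), parse_listing(after)
    return {
        "added": sorted((af.keys() - bf.keys()) | (ad - bd)),
        "removed": sorted((bf.keys() - af.keys()) | (bd - ad)),
        "changed": sorted(p for p in bf.keys() & af.keys() if bf[p] != af[p]),
    }

# Abbreviated from the two listings on this page (most image files omitted).
BEFORE = """Directory of disk0:/*
98 -rwx 24938496 17:58:30 May 05 2011 asa841-k8.bin
Directory of disk0:/coredumpinfo
12 -rwx 43 18:10:58 Sep 29 2010 coredump.cfg
129073152 bytes total (49459200 bytes free)"""
AFTER = BEFORE.replace("98 -rwx", "100 -rwx").replace("129073152", """Directory of disk0:/test
Directory of disk0:/test/test2
Directory of disk0:/test/test2/test3
No files in directory
129073152""").replace("49459200", "49446912")

if __name__ == "__main__":
    print(diff_listings(BEFORE, AFTER))
```

A baseline built this way covers only what the listing shows, so the hidden .private directory holding startup-config is outside it and needs a separate check.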
Additional Information:
Mkdir command in the Cisco ASA 8.4 Command Reference.
Dir command in the Cisco ASA 8.4 Command Reference.