Displaying the Contents of the Cisco ASA Flash Memory

What though the sea with waves continuall
Doe eate the earth, it is no more at all ;
Ne is the earth the lesse, or loseth ought :
For whatsoever from one place doth fall
Is with the tyde unto another brought :
For there is nothing lost, that may be found if sought.
— Edmund Spenser’s The Faerie Queene

Over the weekend, I opened up my pet Cisco ASA 5505 and removed the Compact Flash card. That’s where the ASA stores the boot images and the config files. I mounted the Compact Flash card on a Windows 7 workstation and located the default startup-config file in a hidden directory.

This is the path: disk0:/.private/startup-config

Cisco ASA Compact Flash location of the startup config file


When opened with a text editor in Windows, the startup-config file is readable, as if I’d run a show run command in the privileged EXEC mode. If anything, this demonstrates the importance of physical security of the Cisco ASA. If I had access to an unlocked server cabinet, I could power down the ASA, snaffle the Compact Flash card (and anything else in the cabinet, for that matter) and I’d have the ASA config file. But as soon as the theft is discovered, you can bet the replacement config will take into account all the compromised passwords in the stolen flash card.

If a brief network disruption could go undetected, and you wanted to fully exploit the information in the config file, the craftier attack would be to power down the ASA, physically remove the compact flash card, copy the config files, and quietly replace the card in the ASA. No enable password required, just a Phillips-head screwdriver and a compact flash card reader. Heck, maybe you could edit the config file and give yourself access before you replace the flash card in the ASA.

But I digress. When you run a dir command from the Cisco ASA, the output shows all the files in the top-level directory of the flash card.


ciscoasa# dir

Directory of disk0:/

90     -rwx  8312832     07:28:12 Sep 06 2007  asa722-k8.bin
91     -rwx  1868412     07:28:26 Sep 06 2007  securedesktop-asa-3.1.1.29-k9.pkg
92     -rwx  398305      07:28:40 Sep 06 2007  sslclient-win-1.1.0.154.pkg
93     -rwx  5623108     07:29:48 Sep 06 2007  asdm-522.bin
95     -rwx  8386560     17:52:22 Nov 06 2007  asa723-k8.bin
10     drwx  4096        17:55:48 Nov 06 2007  crypto_archive
96     -rwx  14457072    18:04:44 Sep 29 2010  asdm-632.bin
97     -rwx  15243264    18:06:32 Sep 29 2010  asa823-k8.bin
3      drwx  4096        18:10:14 Sep 29 2010  log
11     drwx  4096        18:10:58 Sep 29 2010  coredumpinfo
98     -rwx  24938496    17:58:30 May 05 2011  asa841-k8.bin

129073152 bytes total (49459200 bytes free)

The /recursive switch shows the contents of the top-level directory as well as the contents of each of the subdirectories in the top-level directory of the flash card.


ciscoasa# dir /recursive

Directory of disk0:/*

90     -rwx  8312832     07:28:12 Sep 06 2007  asa722-k8.bin
91     -rwx  1868412     07:28:26 Sep 06 2007  securedesktop-asa-3.1.1.29-k9.pkg
92     -rwx  398305      07:28:40 Sep 06 2007  sslclient-win-1.1.0.154.pkg
93     -rwx  5623108     07:29:48 Sep 06 2007  asdm-522.bin
95     -rwx  8386560     17:52:22 Nov 06 2007  asa723-k8.bin
96     -rwx  14457072    18:04:44 Sep 29 2010  asdm-632.bin
97     -rwx  15243264    18:06:32 Sep 29 2010  asa823-k8.bin
98     -rwx  24938496    17:58:30 May 05 2011  asa841-k8.bin
Directory of disk0:/crypto_archive

No files in directory

Directory of disk0:/log

No files in directory

Directory of disk0:/coredumpinfo

12     -rwx  43          18:10:58 Sep 29 2010  coredump.cfg

129073152 bytes total (49459200 bytes free)

There’s not much loaded on the flash card. I wonder if the /recursive switch really is recursive, or if it just goes down one level in the directory tree. So I create three nested directories: test, test2 and test3 using the mkdir command. Like a set of little Matryoshka dolls.

Now this is the output of the dir and the dir /recursive commands.


ciscoasa# dir

Directory of disk0:/

92     -rwx  8312832     07:28:12 Sep 06 2007  asa722-k8.bin
93     -rwx  1868412     07:28:26 Sep 06 2007  securedesktop-asa-3.1.1.29-k9.pkg
94     -rwx  398305      07:28:40 Sep 06 2007  sslclient-win-1.1.0.154.pkg
95     -rwx  5623108     07:29:48 Sep 06 2007  asdm-522.bin
97     -rwx  8386560     17:52:22 Nov 06 2007  asa723-k8.bin
10     drwx  4096        17:55:48 Nov 06 2007  crypto_archive
98     -rwx  14457072    18:04:44 Sep 29 2010  asdm-632.bin
99     -rwx  15243264    18:06:32 Sep 29 2010  asa823-k8.bin
3      drwx  4096        18:10:14 Sep 29 2010  log
11     drwx  4096        18:10:58 Sep 29 2010  coredumpinfo
100    -rwx  24938496    17:58:30 May 05 2011  asa841-k8.bin
101    drwx  4096        03:23:52 May 17 2011  test

129073152 bytes total (49446912 bytes free)
ciscoasa# dir /recursive

Directory of disk0:/*

92     -rwx  8312832     07:28:12 Sep 06 2007  asa722-k8.bin
93     -rwx  1868412     07:28:26 Sep 06 2007  securedesktop-asa-3.1.1.29-k9.pkg
94     -rwx  398305      07:28:40 Sep 06 2007  sslclient-win-1.1.0.154.pkg
95     -rwx  5623108     07:29:48 Sep 06 2007  asdm-522.bin
97     -rwx  8386560     17:52:22 Nov 06 2007  asa723-k8.bin
98     -rwx  14457072    18:04:44 Sep 29 2010  asdm-632.bin
99     -rwx  15243264    18:06:32 Sep 29 2010  asa823-k8.bin
100    -rwx  24938496    17:58:30 May 05 2011  asa841-k8.bin
Directory of disk0:/crypto_archive

No files in directory

Directory of disk0:/log

No files in directory

Directory of disk0:/coredumpinfo

12     -rwx  43          18:10:58 Sep 29 2010  coredump.cfg

Directory of disk0:/test

Directory of disk0:/test/test2

Directory of disk0:/test/test2/test3

No files in directory

129073152 bytes total (49446912 bytes free)

I ran both of those commands with the top-level directory as the current working directory. The output shows the test3 directory, 2 levels down. So the /recursive switch really is recursive. This means that if I am searching for a file, the dir /recursive command will show everything in the entire directory tree. Except the hidden directories, of course.
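To audit what a card holds beyond the CLI's view, the sketch below parses dir /recursive output and diffs it against a walk of the mounted card. It is an added example, not part of the original post: the function names are hypothetical, the listing is abridged from the output above, and the "card" is a constructed temporary directory with empty placeholder files.

```python
import os, re, tempfile

# Abridged from the dir /recursive output shown in the post.
ASA_DIR_RECURSIVE = """\
Directory of disk0:/*

98     -rwx  14457072    18:04:44 Sep 29 2010  asdm-632.bin
100    -rwx  24938496    17:58:30 May 05 2011  asa841-k8.bin
Directory of disk0:/coredumpinfo

12     -rwx  43          18:10:58 Sep 29 2010  coredump.cfg
"""

HEADER = re.compile(r"^Directory of disk0:/(\S*)$")
ENTRY = re.compile(r"^\d+\s+([-d])[-rwx]{3}\s+\d+\s+\d\d:\d\d:\d\d"
                   r"\s+\w{3}\s+\d\d\s+\d{4}\s+(\S+)$")

def parse_cli_listing(text):
    """Return the file paths (relative to disk0:/) that the CLI reported."""
    paths, cwd = set(), ""
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            cwd = m.group(1).rstrip("*").strip("/")   # "*" marks the root
        elif (m := ENTRY.match(line)) and m.group(1) == "-":
            paths.add(f"{cwd}/{m.group(2)}" if cwd else m.group(2))
    return paths

def files_on_card(mount_point):
    """Walk a mounted card; return every file path, hidden ones included."""
    found = set()
    for root, _dirs, files in os.walk(mount_point):
        rel = os.path.relpath(root, mount_point).replace(os.sep, "/")
        found.update(n if rel == "." else f"{rel}/{n}" for n in files)
    return found

def unlisted_files(cli_text, mount_point):
    """Files present on the card that dir /recursive did not show."""
    return sorted(files_on_card(mount_point) - parse_cli_listing(cli_text))

def build_sample_card(root):
    """Constructed stand-in for a mounted card (empty placeholder files)."""
    for rel in ("asdm-632.bin", "asa841-k8.bin",
                "coredumpinfo/coredump.cfg", ".private/startup-config"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as card:
        build_sample_card(card)
        print(unlisted_files(ASA_DIR_RECURSIVE, card))
```

Pointed at a real mount point instead of the temporary directory, unlisted_files reports everything on the card that the CLI listing omitted.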

Additional Information:

Mkdir command in the Cisco ASA 8.4 Command Reference.

Dir command in the Cisco ASA 8.4 Command Reference.


3 Comments

  1. Ozzie
    Posted February 22, 2012 at 8:44 am | Permalink

    On ASA 5505, does “write erase” remove license

  2. Eric Manns
    Posted May 4, 2015 at 2:37 pm | Permalink

    Ozzie,

    The Cisco command “write erase” deletes the start-up config on your device.

    HTH,

    Eric.

  3. Posted July 13, 2018 at 8:04 am | Permalink

    Chinese language money is accepted at most casinos now.
