Cisco PIX – Password Recovery

Blast from the past.

Sunday morning, recreationally rummaging through a box of old equipment, I find a tiny PIX 501. And it still powers up!

This PIX has probably been retired from the field, so there’s a password, of course. On a console connection, the first thing to try is the default username (pix) and the default password (password). Oooh, denied. OK, let’s try to connect over the network via Telnet or SSH with the default password of cisco. Nope, you shall not pass, my little Balrog.

Fortunately, the password is easily reset using the PIX Password Lockout Utility which resets passwords, but not the PIX config. Cisco.com has the downloadable utility for all versions of the PIX OS up to version 7.x. The procedure is similar to that of resetting the password on a Cisco ASA.

This is what you need:

  • Computer running terminal emulator software to talk to the PIX
  • Console cable connected from computer to console port of the PIX
  • TFTP server
  • Straight-through Ethernet cable to connect the PIX to the network (or directly to the TFTP server)
  • PIX Password Lockout Utility for the version of the PIX OS that is installed on the PIX

So, the first thing to do is find out which version of the PIX OS is running on the PIX. On a console connection, you can run the show version command, or power cycle the PIX and look for the version information that appears right after the retro Golden Gate bridge logo.


  -----------------------------------------------------------------------
                               ||        ||
                               ||        ||
                              ||||      ||||
                          ..:||||||:..:||||||:..
                         c i s c o S y s t e m s
                        Private Internet eXchange
  -----------------------------------------------------------------------
                        Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(5)

Now that I know what version of the PIX OS is installed, I go to this page at cisco.com and download the utility file. In my case, I download np63.bin to my laptop.

My laptop has TFTPD32 installed on it, so it can double as the TFTP server.

I give my laptop a static IP address and connect it to one of the Ethernet ports on the PIX.

Then I reboot the PIX and hit the BREAK or ESC key when prompted.

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10)

10 years? Jeepers.

I’ve connected my laptop to the inside interface, so that is interface 1.

monitor> interface 1
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10)

I configure a temporary IP address for interface 1 on the PIX (6.6.6.1), and tell it that the TFTP server is at 6.6.6.2. I don’t need to specify a gateway since my laptop (the TFTP server) is directly connected to the inside interface of the PIX.

Using 1: i82557 @ PCI(bus:0 dev:18 irq:10), MAC: x0x0.x0x0.x0x0
monitor> address 6.6.6.1
address 6.6.6.1
monitor> server 6.6.6.2
server 6.6.6.2

I tell the PIX that it should retrieve the file np63.bin from the TFTP server, and I test connectivity with a ping.

monitor> file np63.bin
file np63.bin
monitor> ping 6.6.6.2
Sending 5, 100-byte 0xbbf7 ICMP Echoes to 6.6.6.2, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)

The tftp command tells the PIX to download the np63.bin file from my laptop. Then I am prompted to pick which passwords I want removed.

monitor> tftp
tftp np63.bin@6.6.6.2.....................................................................................................................................................................................
Received 92160 bytes

Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000

Do you wish to erase the passwords? [yn] y
The following lines will be removed from the configuration:
        enable password blahblahblah encrypted
        passwd blahdeblahblah encrypted
        aaa authentication serial console LOCAL
        aaa authentication telnet console LOCAL
        aaa authentication ssh console LOCAL
        aaa authentication http console LOCAL
        aaa authentication enable console LOCAL
        aaa authorization command LOCAL

Do you want to remove the commands listed above from the configuration? [yn] y
Passwords and aaa commands have been erased.

Rebooting....

Upon reboot, there is no Username prompt, and I can get into enable mode with a blank password.

BranchPix501> en
Password:
BranchPix501# 502103: User priv level changed: Uname: enable_1 From: 1 To: 15
111008: User 'enable_1' executed the 'enable' command.
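
Until the password and aaa lines that the utility removed are put back, the PIX stays in the state shown above, with a blank enable password. The following is an added example, not part of the original post: a Python check that reads a saved configuration and lists which of those access controls are still absent or at a default. The function name audit_config and both sample configs are constructed for illustration, and the two default strings are an assumption to confirm on your own device.

```python
import re

# Constructed sample configs (not captured from a real device).
POST_RECOVERY = """\
hostname BranchPix501
enable password 8Ry2YjIyt7RRXU24 encrypted
"""
RESTORED = """\
hostname BranchPix501
enable password CONSTRUCTEDHASH001 encrypted
passwd CONSTRUCTEDHASH002 encrypted
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
"""

# Assumption: the strings PIX OS displays for a blank enable password and for
# the default "cisco" login password. Confirm against your own device.
DEFAULT_HASHES = {"8Ry2YjIyt7RRXU24", "2KFQnbNIdI.2KYOU"}
AAA_METHODS = ("serial", "telnet", "ssh", "http", "enable")
PASSWORD_RE = re.compile(r"^(enable password|passwd)\s+(\S+)\s+encrypted$")
AAA_AUTH_RE = re.compile(r"^aaa authentication (\S+) console \S+")
AAA_AUTHZ_RE = re.compile(r"^aaa authorization command \S+")

def audit_config(config_text):
    """List the access controls the lockout utility removes that are still absent."""
    passwords, aaa_auth, has_authz = {}, set(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := PASSWORD_RE.match(line):
            passwords[m.group(1)] = m.group(2)
        elif m := AAA_AUTH_RE.match(line):
            aaa_auth.add(m.group(1))
        elif AAA_AUTHZ_RE.match(line):
            has_authz = True
    findings = []
    for cmd in ("enable password", "passwd"):
        if cmd not in passwords:
            findings.append(f"{cmd}: not set")
        elif passwords[cmd] in DEFAULT_HASHES:
            findings.append(f"{cmd}: default value")
    findings += [f"aaa authentication {m} console: missing"
                 for m in AAA_METHODS if m not in aaa_auth]
    if not has_authz:
        findings.append("aaa authorization command: missing")
    return findings
```

An empty list means every line the utility reported removing has a counterpart in the config again; the check accepts any AAA server group, not only LOCAL.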

Additional Information:

Cisco.com: Password Recovery and AAA Configuration Recovery Procedure for the PIX.

gom jabbar: How To Break Into A Cisco ASA If You Do Not Have The Enable Password.

The Cisco PIX Firewall Command Reference, Version 6.3.

TFTPD32, a free TFTP/DHCP/Syslog server for Windows.


3 Comments

  1. Nick
    Posted July 31, 2014 at 7:30 pm | Permalink

    This worked perfectly, thank you.

  2. James W
    Posted February 3, 2015 at 9:08 pm | Permalink

    Thank you for the info 🙂 works perfect my 501 is no longer a brick

  3. Daniel
    Posted August 1, 2017 at 1:05 pm | Permalink

    Hi, congratulations, very nice!

    Do you have the binary utility? I try to download it on the Cisco page, but they no longer support
    this appliance.
